type: glossary
timestamp: 2026-06-20
tags: [glossary, firebase, security]

App Check

Firebase bot-defence layer that gates Firestore calls to verified clients

Definition

Firebase App Check is the bot-defence layer that issues an attestation token to verified client apps and lets Firestore security rules require request.app != null on every read and write — gating the database to legitimate clients only.

Expanded

The family enforces App Check on every Firestore call, with reCAPTCHA Enterprise as the underlying provider (10K assessments/month free; the 7-day token TTL minimises consumption, since a longer-lived token means fewer refreshes and so fewer assessments). The rules are default-deny on match /{document=**}; the only allow rules also assert appChecked().

App Check is free; it is the cheapest way to defend the Spark plan from automated abuse that would otherwise burn the 50K/day read quota. Combined with Cloudflare WAF in front of *.oriz.in, it gives a two-layer rate-limit and bot-fight defence.
