Firebase App Check with CORS: reCAPTCHA, device attestation, and protecting callable HTTPS endpoints
App Check tokens ride alongside Firebase Auth; your Cloud Functions must still emit CORS headers for browser preflights.
Web vs mobile
reCAPTCHA v3 scores differ from Play Integrity signals—tune thresholds per platform.
Debug tokens expire quickly; never commit them to public repos.
Firestore rules
request.auth alone is insufficient when App Check is required—combine checks explicitly.
Misconfigured rules often surface as permission-denied, not CORS, but SPAs may conflate the two.
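The ordering the points above imply for a browser-facing HTTPS endpoint, as an added example that is not code from the original post or from Firebase: answer the preflight first, list the App Check header in the allowed headers, and keep CORS headers on rejections so a 401 is not mistaken for a CORS failure. The origin, sample token, `handle`, `corsHeaders`, and `fakeVerify` are constructed for illustration; the injected verifier stands in for firebase-admin's `getAppCheck().verifyToken`, and Firebase Auth verification is left out.

```javascript
// Added example: framework-free handler; verifyToken is injected so the block runs offline.
// Assumption: in a deployed function it would wrap firebase-admin's getAppCheck().verifyToken.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed origin

function corsHeaders(origin) {
  // Reflect only allow-listed origins; Vary keeps caches from mixing responses.
  if (!ALLOWED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    // The browser blocks the real request unless its custom headers are listed here.
    "Access-Control-Allow-Headers": "Authorization, Content-Type, X-Firebase-AppCheck",
    "Access-Control-Max-Age": "600",
    Vary: "Origin",
  };
}

async function handle(req, verifyToken) {
  const headers = corsHeaders(req.headers["origin"]);
  // Preflights never carry the App Check token, so answer them before verifying.
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" };
  if (req.method !== "POST") return { status: 405, headers, body: "method not allowed" };

  const token = req.headers["x-firebase-appcheck"]; // Node lowercases header names
  if (!token) return { status: 401, headers, body: "missing App Check token" };
  try {
    await verifyToken(token);
  } catch {
    // CORS headers stay on the rejection so the SPA sees a 401, not an opaque CORS failure.
    return { status: 401, headers, body: "invalid App Check token" };
  }
  return { status: 200, headers, body: "ok" };
}

// Constructed stand-in verifier: accepts one sample token, rejects everything else.
async function fakeVerify(token) {
  if (token !== "sample-valid-token") throw new Error("rejected");
  return { appId: "constructed-app-id" };
}

async function demo() {
  const origin = "https://app.example.com";
  const preflight = await handle({ method: "OPTIONS", headers: { origin } }, fakeVerify);
  const missing = await handle({ method: "POST", headers: { origin } }, fakeVerify);
  const good = await handle(
    { method: "POST", headers: { origin, "x-firebase-appcheck": "sample-valid-token" } }, fakeVerify);
  return [preflight.status, missing.status, good.status];
}
```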
