Verify Firebase PNV tokens

When the Firebase PNV library successfully verifies the phone number of a device, it returns the verified phone number and a signed token containing it. If you use the verified phone number outside the app client, you should pass around the token instead of the phone number itself so you can verify its integrity when you use it. To verify the token, you can use any JWT verification library. Use the library to verify all of the following:

  • The typ header is set to JWT.

  • The token is signed, using the ES256 algorithm, with one of the keys published at the Firebase PNV JWKS endpoint:

     https://fpnv.googleapis.com/v1beta/jwks
    
  • The issuer claim contains your Firebase project number and is in the following format:

     https://fpnv.googleapis.com/projects/FIREBASE_PROJECT_NUMBER

    You can find your Firebase project number on the Project settings page of the Firebase console.

  • The audience claim is a list that contains your Firebase project number and project ID and is in the following format:

     [
       "https://fpnv.googleapis.com/projects/FIREBASE_PROJECT_NUMBER",
       "https://fpnv.googleapis.com/projects/FIREBASE_PROJECT_ID"
     ]
    
  • The token has not expired.

Example

As a brief example, the following Express.js app receives a Firebase PNV token in the body of an HTTP POST request and uses a JWT verification library to check the signature and claims of the token:

Node.js

  import express from "express";
  import { JwtVerifier } from "aws-jwt-verify";

  // Find your Firebase project number in the Firebase console.
  const FIREBASE_PROJECT_NUMBER = "123456789";

  // The issuer and audience claims of the FPNV token are specific to your
  // project. The token's audience is a list; the verifier accepts the token
  // if any entry of that list matches the expected audience.
  const issuer = `https://fpnv.googleapis.com/projects/${FIREBASE_PROJECT_NUMBER}`;
  const audience = `https://fpnv.googleapis.com/projects/${FIREBASE_PROJECT_NUMBER}`;

  // The JWKS URL contains the current public signing keys for FPNV tokens.
  const jwksUri = "https://fpnv.googleapis.com/v1beta/jwks";

  // Configure a JWT verifier to check the following:
  // - The token is signed by Google
  // - The issuer and audience claims match your project
  // - The token has not yet expired (default behavior)
  const fpnvVerifier = JwtVerifier.create({ issuer, audience, jwksUri });

  const app = express();

  // Parse text/plain request bodies so that req.body is the raw token string.
  // (Without a body parser, Express leaves req.body undefined.)
  app.use(express.text());

  app.post('/verifiedPhoneNumber', async (req, res) => {
    if (!req.body) return res.sendStatus(400);

    // Get the token from the body of the request.
    const fpnvToken = req.body;

    try {
      // Attempt to verify the token using the verifier configured previously.
      const verifiedPayload = await fpnvVerifier.verify(fpnvToken);

      // If verification succeeds, the subject claim of the token contains the
      // verified phone number. You can use this value however it's needed by
      // your app.
      const verifiedPhoneNumber = verifiedPayload.sub;
      // (Do something with it...)

      return res.sendStatus(200);
    } catch {
      // If verification fails, reject the token.
      return res.sendStatus(400);
    }
  });

  app.listen(3000);
 