Creating custom tokens
This document shows you how to use Identity Platform to create custom JSON Web
Tokens (JWTs).
Custom tokens give you complete control over the authentication process. You
generate these tokens on your server, pass them back to a client device, and
then call signInWithCustomToken() to sign in users.
You can create custom tokens with the Identity Platform Admin SDK,
or use a third-party JWT library.
Before you begin
Install the Admin SDK.
If you are using service account auto-discovery or an explicitly specified service account ID, make sure the service account you are using has at least the Service Account
Token Creator (roles/iam.serviceAccountTokenCreator) role.
Create and deploy a server endpoint that accepts sign-in credentials from
users.
Creating custom tokens using the Admin SDK
The Admin SDK has a built-in method for creating custom tokens. At a
minimum, you need to provide a uid. This can be any string that uniquely
identifies the user or device. These tokens expire after one hour.
The following example shows how to create a custom token:
Node.js
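```javascript
const { getAuth } = require('firebase-admin/auth');

// Assumes the Admin SDK app has already been initialized.
const uid = 'some-uid';

getAuth()
  .createCustomToken(uid)
  .then((customToken) => {
    // Send token back to client
  })
  .catch((error) => {
    console.log('Error creating custom token:', error);
  });
```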
After you create a custom token, your app can use it to sign in a user.
Optionally, you can include additional claims on the custom token. These are
propagated to the user's ID token as top-level claims.
The following example shows how to add a premiumAccount claim:
Node.js
```javascript
const { getAuth } = require('firebase-admin/auth');

// Assumes the Admin SDK app has already been initialized.
const userId = 'some-uid';
const additionalClaims = {
  premiumAccount: true,
};

getAuth()
  .createCustomToken(userId, additionalClaims)
  .then((customToken) => {
    // Send token back to client
  })
  .catch((error) => {
    console.log('Error creating custom token:', error);
  });
```
Java
```java
String uid = "some-uid";
Map<String, Object> additionalClaims = new HashMap<String, Object>();
additionalClaims.put("premiumAccount", true);

String customToken = FirebaseAuth.getInstance()
    .createCustomToken(uid, additionalClaims);
// Send token back to client
```
C#
```csharp
var uid = "some-uid";
var additionalClaims = new Dictionary<string, object>()
{
    { "premiumAccount", true },
};

string customToken = await FirebaseAuth.DefaultInstance
    .CreateCustomTokenAsync(uid, additionalClaims);
// Send token back to client
```
Identity Platform complies with the OpenID Connect JWT specification.
This means the following claims are reserved and cannot be specified:
acr
amr
at_hash
aud
auth_time
azp
cnf
c_hash
exp
firebase
iat
iss
jti
nbf
nonce
sub
Creating custom tokens using a third-party JWT library
If your backend is written in a language that the Admin SDK doesn't support,
you can still manually create custom tokens. First, find a third-party JWT library for your language. Then, use that library to mint a JWT which includes the
following claims:
iat
Issued-at time
The current time, in seconds, since the UNIX epoch.
exp
Expiration time
The time, in seconds since the UNIX epoch, at which the token expires. It
can be a maximum of 3600 seconds later than the iat. Note that this only controls the time when the custom token itself
expires. Once you sign in a user with signInWithCustomToken(), they will remain signed in until
they sign out or their session is invalidated.
uid
The unique identifier of the signed-in user. Must be a string between
1-36 characters long.
claims (optional)
Additional custom claims to include.
The following examples demonstrate how to create custom tokens in languages
the Admin SDK does not support:
Ruby
```ruby
require "jwt"

# Get your service account's email address and private key from the JSON key file
$service_account_email = "service-account@my-project-abc123.iam.gserviceaccount.com"
$private_key = OpenSSL::PKey::RSA.new "-----BEGIN PRIVATE KEY-----\n..."

def create_custom_token(uid, is_premium_account)
  now_seconds = Time.now.to_i
  payload = {:iss => $service_account_email,
             :sub => $service_account_email,
             :aud => "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
             :iat => now_seconds,
             :exp => now_seconds+(60*60), # Maximum expiration time is one hour
             :uid => uid,
             :claims => {:premium_account => is_premium_account}}
  JWT.encode payload, $private_key, "RS256"
end
```
After you create a custom token, your app can use it to sign in a user.
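The reserved-claim list and the limits on exp and uid described above can be enforced before anything is signed. The following is an added example, not code from the original page or from Google: it checks those constraints and then mints the RS256 token using only Ruby's standard library rather than the jwt gem. The function names, the throwaway key and the example-project address are assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Claim names the page lists as reserved; they may not be set as custom claims.
RESERVED_CLAIMS = %w[acr amr at_hash aud auth_time azp cnf c_hash exp firebase
                     iat iss jti nbf nonce sub].freeze
AUDIENCE = "https://identitytoolkit.googleapis.com/" \
           "google.identity.identitytoolkit.v1.IdentityToolkit"
MAX_TTL = 3600 # exp may be at most 3600 seconds after iat

# Build the payload; raise ArgumentError for anything the page rules out.
def custom_token_payload(sa_email, uid, claims = {}, now: Time.now.to_i, ttl: MAX_TTL)
  unless uid.is_a?(String) && (1..36).cover?(uid.length)
    raise ArgumentError, "uid must be a string of 1-36 characters"
  end
  raise ArgumentError, "ttl must be 1..#{MAX_TTL} seconds" unless (1..MAX_TTL).cover?(ttl)
  reserved = claims.keys.map(&:to_s) & RESERVED_CLAIMS
  raise ArgumentError, "reserved claims: #{reserved.join(', ')}" unless reserved.empty?

  payload = { iss: sa_email, sub: sa_email, aud: AUDIENCE,
              iat: now, exp: now + ttl, uid: uid }
  payload[:claims] = claims unless claims.empty?
  payload
end

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  (text + "=" * ((4 - text.length % 4) % 4)).tr("-_", "+/").unpack1("m0")
end

# Serialize header and payload, then sign with RS256 (RSA PKCS#1 v1.5 + SHA-256).
def sign_rs256(payload, private_key)
  header = { alg: "RS256", typ: "JWT" }
  signing_input = [header, payload].map { |part| b64url(JSON.generate(part)) }.join(".")
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key, not a service account key
  payload = custom_token_payload("sa@example-project.iam.gserviceaccount.com",
                                 "some-uid", { premiumAccount: true })
  token = sign_rs256(payload, key)
  puts JSON.pretty_generate(JSON.parse(b64url_decode(token.split(".")[1])))
end
```

Rejecting a reserved name or an over-long lifetime at the point of minting keeps the failure on the server, before a token reaches a client.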
Last updated 2025-09-04 UTC.