Get started using App Check with reCAPTCHA Enterprise in web appsStay organized with collectionsSave and categorize content based on your preferences.
This page shows you how to enableApp Checkin a web app, using the
reCAPTCHA Enterprise provider. When you enableApp Check, you help ensure
that only your app can access your project's backend resources. See anOverviewof this feature.
Note thatApp Checkuses reCAPTCHA Enterprise score-based site keys, which
make it invisible to users. The reCAPTCHA Enterprise provider will not require
users to solve a challenge at any time.
If your use case requires reCAPTCHA Enterprise features not implemented byApp Check, or if you want to useApp Checkwith your own custom
provider, seeImplement a customApp Checkprovider.
If you're prompted to enable the reCAPTCHA Enterprise API, do so.
Create aWebsite-type key. You will need to specify domains on which
you host your web app. Leave the "Use checkbox challenge" optionunselected.
Register your apps to useApp Checkwith the reCAPTCHA Enterprise
provider in theApp Checksection of theFirebaseconsole. You will need to provide the site key you got in the
previous step.
You usually need to register all of your project's apps, because once you
enable enforcement for a Firebase product, only registered apps will be able
to access the product's backend resources.
Optional: In the app registration settings, set a custom time-to-live
(TTL) forApp Checktokens issued by the provider. You can set the TTL
to any value between 30 minutes and 7 days. When changing this value, be
aware of the following tradeoffs:
Security: Shorter TTLs provide stronger security, because it reduces the
window in which a leaked or intercepted token can be abused by an
attacker.
Performance: Shorter TTLs mean your app will perform attestation more
frequently. Because the app attestation process adds latency to network
requests every time it's performed, a short TTL can impact the performance
of your app.
Quota and cost: Shorter TTLs and frequent re-attestation deplete your
quota faster, and for paid services, potentially cost more.
SeeQuotas & limits.
The default TTL of1 houris reasonable for most apps. Note that theApp Checklibrary refreshes
tokens at approximately half the TTL duration.
Configure advanced settings (optional)
When a user visits your web app, reCAPTCHA Enterprise evaluates the level of
risk the user interaction poses, and returns a score between 0.0 and 1.0, in
increments of 0.1. The score 1.0 indicates that the interaction poses low risk
and is very likely legitimate, whereas 0.0 indicates that the interaction poses
high risk and might be fraudulent.App Checklets you configure anapp
riskthreshold so you can adjust your tolerance for this risk.
For most use cases, the default threshold value of0.5is recommended. If
your use case requires adjustment, it can be configured in theApp Checksection of theFirebaseconsole for each of your web apps.
Details
App Checkuses your configured app risk threshold as the minimum reCAPTCHA
Enterprise score required for a user interaction to be deemed legitimate. All
reCAPTCHA Enterprise scores strictly less than your configured threshold will be
rejected. When adjusting your app risk threshold, be aware of the following:
Out of the 11 possible reCAPTCHA Enterprise score levels, only the following
four score levels are available before you add aGoogle Cloud Billing accountto your project: 0.1, 0.3, 0.7, and 0.9. During this time,App Checkwill
correspondingly only allow app risk threshold values of 0.1, 0.3, 0.5, 0.7,
and 0.9. An app risk threshold value of 0.5 is still recommended for most use
cases.
To enable all 11 reCAPTCHA Enterprise score levels, add a Google Cloud
Billing account to your project. One way to do so is toupgrade to the Blaze pricing plan.
Once you have done so,App Checkwill allow you to configure any app
risk threshold values between 0.0 and 1.0, in increments of 0.1.
To monitor the distribution of high and low reCAPTCHA Enterprise scores for
your web app, visit the reCAPTCHA Enterprise page in theGoogle Cloudconsoleand select the site key used by your web app.
If you havelowapp risk tolerance,move the slider to the leftto
increase the app risk threshold.
A value of 1.0 is not recommended, as this setting can also potentially
deny access for legitimate users who do not meet this high trust
threshold.
If you havehighapp risk tolerance,move the slider to the rightto
decrease the app risk threshold.
A value of 0.0 is not recommended, as this setting disables abuse
protection.
Add the following initialization code to your application, before you access any
Firebase services. You will need to pass your reCAPTCHA Enterprise site key,
which you created in the Cloud console, toactivate().
Once theApp Checklibrary is installed in your app, deploy it.
The updated client app will begin sendingApp Checktokens along with every
request it makes to Firebase, but Firebase products will not require the tokens
to be valid until you enable enforcement in theApp Checksection of the
Firebase console.
Monitor metrics and enable enforcement
Before you enable enforcement, however, you should make sure that doing so won't
disrupt your existing legitimate users. On the other hand, if you're seeing
suspicious use of your app resources, you might want to enable enforcement
sooner.
To help make this decision, you can look atApp Checkmetrics for the
services you use:
MonitorApp Checkrequest metricsforFirebase AI Logic,Data Connect,Realtime Database,Cloud Firestore,Cloud Storage,Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New).
When you understand howApp Checkwill affect your users and you're ready to
proceed, you can enableApp Checkenforcement:
EnableApp CheckenforcementforFirebase AI Logic,Data Connect,Realtime Database,Cloud Firestore,Cloud Storage,Authentication, Google Identity for iOS, Maps JavaScript API, and Places API (New).
If, after you have registered your app forApp Check, you want to run your
app in an environment thatApp Checkwould normally not classify as valid,
such as locally during development, or from a continuous integration (CI)
environment, you can create a debug build of your app that uses theApp Checkdebug provider instead of a real attestation provider.
App Checkcreates an assessment on your behalf to validate the user's
response token each time a browser running your web app refreshes itsApp Checktoken. Your project will be charged for each assessment created
above the no-cost quota. SeereCAPTCHA pricingfor details.
By default, your web app will refresh this token twice every1 hour. To
control how frequently your app refreshesApp Checktokens (and thus how
frequently new assessments are created),configure their TTL.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-10-30 UTC."],[],[]]
