Private Readonly app_Private Readonly projectPrivate Readonly tenantCreates a new Firebase custom token (JWT) that can be sent back to a client
device to use to sign in with the client SDKs' signInWithCustomToken()
methods. (Tenant-aware instances will also embed the tenant ID in the
token.)
See Create Custom Tokens for code samples and detailed documentation.
The uid to use as the custom token's subject.
Optional developerClaims: objectOptional additional claims to include in the custom token's payload.
A promise fulfilled with a custom token for the
provided uid and payload.
Returns a promise that resolves with the newly created AuthProviderConfig
when the new provider configuration is created.
SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
The provider configuration to create.
A promise that resolves with the created provider configuration.
Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token.
See Manage Session Cookies for code samples and detailed documentation.
The Firebase ID token to exchange for a session cookie.
The session cookie options which includes custom session duration.
A promise that resolves on success with the created session cookie.
Creates a new user.
See Create a user for code samples and detailed documentation.
The properties to set on the new user record to be created.
A promise fulfilled with the user data corresponding to the newly created user.
Deletes the provider configuration corresponding to the provider ID passed.
If the specified ID does not exist, an auth/configuration-not-found error
is thrown.
SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
The provider ID corresponding to the provider config to delete.
A promise that resolves on completion.
Deletes an existing user.
See Delete a user for code samples and detailed documentation.
The uid corresponding to the user to delete.
An empty promise fulfilled once the user has been deleted.
Deletes the users specified by the given uids.
Deleting a non-existing user won't generate an error (i.e. this method
is idempotent.) Non-existing users are considered to be successfully
deleted, and are therefore counted in the
DeleteUsersResult.successCount value.
Only a maximum of 1000 identifiers may be supplied. If more than 1000 identifiers are supplied, this method throws a FirebaseAuthError.
This API is currently rate limited at the server to 1 QPS. If you exceed this, you may get a quota exceeded error. Therefore, if you want to delete more than 1000 users, you may need to add a delay to ensure you don't go over this limit.
The uids corresponding to the users to delete.
A Promise that resolves to the total number of successful/failed deletions, as well as the array of errors that corresponds to the failed deletions.
Generates the out of band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.
The email account to verify.
Optional actionCodeSettings: ActionCodeSettingsThe action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the email verification link. The default email verification landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.
A promise that resolves with the generated link.
var actionCodeSettings = {
url: 'https://www.example.com/cart?email=user@example.com&cartId=123',
iOS: {
bundleId: 'com.example.ios'
},
android: {
packageName: 'com.example.android',
installApp: true,
minimumVersion: '12'
},
handleCodeInApp: true,
dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
.generateEmailVerificationLink('user@example.com', actionCodeSettings)
.then(function(link) {
// The link was successfully generated.
})
.catch(function(error) {
// Some error occurred, you can inspect the code: error.code
});
Generates the out of band email action link to reset a user's password. The link is generated for the user with the specified email address. The optional ActionCodeSettings object defines whether the link is to be handled by a mobile app or browser and the additional state information to be passed in the deep link, etc.
The email address of the user whose password is to be reset.
Optional actionCodeSettings: ActionCodeSettingsThe action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the password reset link. The default password reset landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.
A promise that resolves with the generated link.
var actionCodeSettings = {
url: 'https://www.example.com/?email=user@example.com',
iOS: {
bundleId: 'com.example.ios'
},
android: {
packageName: 'com.example.android',
installApp: true,
minimumVersion: '12'
},
handleCodeInApp: true,
dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
.generatePasswordResetLink('user@example.com', actionCodeSettings)
.then(function(link) {
// The link was successfully generated.
})
.catch(function(error) {
// Some error occurred, you can inspect the code: error.code
});
Generates the out of band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.
The email account to verify.
The action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the email verification link. The default email verification landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.
A promise that resolves with the generated link.
var actionCodeSettings = {
url: 'https://www.example.com/cart?email=user@example.com&cartId=123',
iOS: {
bundleId: 'com.example.ios'
},
android: {
packageName: 'com.example.android',
installApp: true,
minimumVersion: '12'
},
handleCodeInApp: true,
dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
.generateEmailVerificationLink('user@example.com', actionCodeSettings)
.then(function(link) {
// The link was successfully generated.
})
.catch(function(error) {
// Some error occurred, you can inspect the code: error.code
});
Generates an out-of-band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.
The current email account.
The email address the account is being updated to.
Optional actionCodeSettings: ActionCodeSettingsThe action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the email verification link. The default email verification landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is authorized in the console, or an error will be thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.
A promise that resolves with the generated link.
Looks up an Auth provider configuration by the provided ID.
Returns a promise that resolves with the provider configuration
corresponding to the provider ID specified. If the specified ID does not
exist, an auth/configuration-not-found error is thrown.
SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
The provider ID corresponding to the provider config to return.
A promise that resolves with the configuration corresponding to the provided ID.
Gets the user data for the user corresponding to a given uid.
See Retrieve user data for code samples and detailed documentation.
The uid corresponding to the user whose data to fetch.
A promise fulfilled with the user
data corresponding to the provided uid.
Gets the user data for the user corresponding to a given email.
See Retrieve user data for code samples and detailed documentation.
The email corresponding to the user whose data to fetch.
A promise fulfilled with the user data corresponding to the provided email.
Gets the user data for the user corresponding to a given phone number. The phone number has to conform to the E.164 specification.
See Retrieve user data for code samples and detailed documentation.
The phone number corresponding to the user whose data to fetch.
A promise fulfilled with the user data corresponding to the provided phone number.
Gets the user data for the user corresponding to a given provider id.
See Retrieve user data for code samples and detailed documentation.
The provider ID, for example, "google.com" for the Google provider.
The user identifier for the given provider.
A promise fulfilled with the user data corresponding to the given provider id.
Gets the user data corresponding to the specified identifiers.
There are no ordering guarantees; in particular, the nth entry in the result list is not guaranteed to correspond to the nth entry in the input parameters list.
Only a maximum of 100 identifiers may be supplied. If more than 100 identifiers are supplied, this method throws a FirebaseAuthError.
The identifiers used to indicate which user records should be returned. Must not have more than 100 entries.
A promise that resolves to the corresponding user records.
FirebaseAuthError If any of the identifiers are invalid or if more than 100 identifiers are specified.
Imports the provided list of users into Firebase Auth.
A maximum of 1000 users are allowed to be imported one at a time.
When importing users with passwords,
UserImportOptions are required to be
specified.
This operation is optimized for bulk imports and will ignore checks on uid,
email and other identifier uniqueness which could result in duplications.
The list of user records to import to Firebase Auth.
Optional options: UserImportOptionsThe user import options, required when the users provided include password credentials.
A promise that resolves when the operation completes with the result of the import. This includes the number of successful imports, the number of failed imports and their corresponding errors.
Returns the list of existing provider configurations matching the filter provided. At most, 100 provider configs can be listed at a time.
SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
The provider config filter to apply.
A promise that resolves with the list of provider configs meeting the filter requirements.
Retrieves a list of users (single batch only) with a size of maxResults
starting from the offset as specified by pageToken. This is used to
retrieve all the users of a specified project in batches.
See List all users for code samples and detailed documentation.
Optional maxResults: numberThe page size, 1000 if undefined. This is also the maximum allowed limit.
Optional pageToken: stringThe next page token. If not specified, returns users starting without any offset.
A promise that resolves with the current batch of downloaded users and the next page token.
Revokes all refresh tokens for an existing user.
This API will update the user's UserRecord.tokensValidAfterTime to the current UTC. It is important that the server on which this is called has its clock set correctly and synchronized.
While this will revoke all sessions for a specified user and disable any
new ID tokens for existing sessions from getting minted, existing ID tokens
may remain active until their natural expiration (one hour). To verify that
ID tokens are revoked, use BaseAuth.verifyIdToken
where checkRevoked is set to true.
The uid corresponding to the user whose refresh tokens
are to be revoked.
An empty promise fulfilled once the user's refresh tokens have been revoked.
Sets additional developer claims on an existing user identified by the
provided uid, typically used to define user roles and levels of
access. These claims should propagate to all devices where the user is
already signed in (after token expiration or when token refresh is forced)
and the next time the user signs in. If a reserved OIDC claim name
is used (sub, iat, iss, etc), an error is thrown. They are set on the
authenticated user's ID token JWT.
See Defining user roles and access levels for code samples and detailed documentation.
The uid of the user to edit.
The developer claims to set. If null is passed, existing custom claims are deleted. Passing a custom claims payload larger than 1000 bytes will throw an error. Custom claims are added to the user's ID token which is transmitted on every authenticated request. For profile non-access related user attributes, use database or other separate storage systems.
A promise that resolves when the operation completes successfully.
Returns a promise that resolves with the updated AuthProviderConfig
corresponding to the provider ID specified.
If the specified ID does not exist, an auth/configuration-not-found error
is thrown.
SAML and OIDC provider support requires Google Cloud's Identity Platform (GCIP). To learn more about GCIP, including pricing and features, see the GCIP documentation.
The provider ID corresponding to the provider config to update.
The updated configuration.
A promise that resolves with the updated provider configuration.
Updates an existing user.
See Update a user for code samples and detailed documentation.
The uid corresponding to the user to update.
The properties to update on the provided user.
A promise fulfilled with the updated user data.
Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected.
If checkRevoked is set to true, first verifies whether the corresponding
user is disabled. If yes, an auth/user-disabled error is thrown. If no,
verifies if the session corresponding to the ID token was revoked. If the
corresponding user's session was invalidated, an auth/id-token-revoked
error is thrown. If not specified the check is not applied.
See Verify ID Tokens for code samples and detailed documentation.
The ID token to verify.
Optional checkRevoked: booleanWhether to check if the ID token was revoked.
This requires an extra request to the Firebase Auth backend to check
the tokensValidAfterTime time for the corresponding user.
When not specified, this additional check is not applied.
A promise fulfilled with the token's decoded claims if the ID token is valid; otherwise, a rejected promise.
Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified.
If checkRevoked is set to true, first verifies whether the corresponding
user is disabled: If yes, an auth/user-disabled error is thrown. If no,
verifies if the session corresponding to the session cookie was revoked.
If the corresponding user's session was invalidated, an
auth/session-cookie-revoked error is thrown. If not specified the check
is not performed.
See Verify Session Cookies for code samples and detailed documentation
The session cookie to verify.
Optional checkRevoked: booleanA promise fulfilled with the session cookie's decoded claims if the session cookie is valid; otherwise, a rejected promise.
Auth service bound to the provided app. An Auth instance can have multiple tenants.