
When you call an API directly from a mobile or web app (for example, the APIs that allow access to generative AI models), the API is vulnerable to abuse by unauthorized clients. To help protect these APIs, you can use [Firebase App Check](https://firebase.google.com/docs/app-check) to verify that all incoming API calls are from your actual app.

Firebase AI Logic provides a proxy gateway that lets you integrate with Firebase App Check and protect the generative AI model APIs called by your mobile and web apps. Using App Check with the Firebase AI Logic SDKs supports all our configurations:

- Protects both "Gemini API" providers: Gemini Developer API and Vertex AI Gemini API.

- Protects all supported models, both Gemini models and Imagen models.

> We **strongly recommend implementing Firebase App Check into your app as early as possible**, even during development, so that every version of your app is protected from API abuse.

## High-level summary of how App Check works

With App Check, devices running your app use an app or device attestation provider that verifies one or both of the following:

- Requests originate from your authentic app
- Requests originate from an authentic, untampered device

This attestation is attached to every request your app makes using a Firebase AI Logic SDK. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven't authorized.

When you set up App Check, we recommend that you also [prepare for upcoming enhanced protection](https://firebase.google.com/docs/ai-logic/app-check#enhanced-protection) (known as *replay protection*).

You can find [detailed information about App Check](https://firebase.google.com/docs/app-check) in its documentation, including its [quotas and limits](https://firebase.google.com/docs/app-check#quotas_limits).

## Available providers and implementation instructions

The App Check documentation provides descriptions of attestation providers as well as implementation instructions.

1. Choose a default provider, and follow the implementation instructions at the following links:

   - **Apple platforms**: [DeviceCheck](https://firebase.google.com/docs/app-check/ios/devicecheck-provider) or [App Attest](https://firebase.google.com/docs/app-check/ios/app-attest-provider)
   - **Android**: [Play Integrity](https://firebase.google.com/docs/app-check/android/play-integrity-provider)
   - **Web**: [reCAPTCHA Enterprise](https://firebase.google.com/docs/app-check/web/recaptcha-enterprise-provider)
   - **Flutter**: Supports [all the default providers above](https://firebase.google.com/docs/app-check/flutter/default-providers)  
     Also, make sure to follow the [special instantiation requirements](https://firebase.google.com/docs/ai-logic/app-check#instantiation-flutter) for Flutter and App Check.
   - **Unity**: Supports [all the default providers above](https://firebase.google.com/docs/app-check/unity/default-providers)

   Note that if none of the default providers are sufficient for your needs, you can [implement a custom provider](https://firebase.google.com/docs/app-check/custom-provider) that uses either a third-party attestation provider or your own attestation techniques.
2. *(Recommended)* [Prepare for upcoming enhanced protection from App Check](https://firebase.google.com/docs/ai-logic/app-check#enhanced-protection) (known as *replay protection*).

3. *(Required)* Before you release your app to real users, [**enable enforcement of App Check**](https://firebase.google.com/docs/app-check/enable-enforcement).

### Special instantiation required for Flutter


When using App Check with Firebase AI Logic in Flutter apps, you need to explicitly pass in App Check during instantiation, like so:  

    // ...

    final ai = await FirebaseAI.googleAI(
      appCheck: FirebaseAppCheck.instance, // for Flutter, pass in App Check explicitly
    );

    // ...

## Prepare for upcoming enhanced protection

> **Enabling the usage of limited-use tokens is supported for Apple platforms (v12.2.0+), Android (v17.2.0+, BoM v34.2.0+), Web (v12.3.0+), and Flutter (v3.2.0+, BoM v4.2.0+).** Support for Unity is coming soon.

By default, App Check uses *session tokens*, which have a configurable time to live (TTL) between 30 minutes and 7 days. These session tokens are cached by the App Check SDK and sent along with requests from your app.

In the future, App Check will add the option to enable *replay protection* for Firebase AI Logic (similar to the support that App Check already offers for some other resources). When replay protection is enabled, it enhances protection in the following ways:

- App Check will only allow requests if they're accompanied by a special kind of token called a *limited-use token*.

- After the limited-use token is verified, the token is consumed so that it can be used only once, preventing replay attacks.

**To prepare for replay protection, we recommend that you [enable the usage of limited-use tokens](https://firebase.google.com/docs/ai-logic/app-check#enable-limited-use-tokens)** as part of setting up App Check. That way, when replay protection becomes available, you can enable it sooner, because more of your users will be on versions of your app that send limited-use tokens.

Note the following if you enable usage of limited-use tokens in your app now (while replay protection is unavailable):

- App Check does *not* block the usage of *valid session tokens*.

- Just like session tokens, limited-use tokens are cached by the App Check SDK and sent along with requests. Limited-use tokens provide a *small* amount of additional protection compared with the default session tokens, because they have a shorter TTL (only 5 minutes, and not adjustable) than session tokens.

- Even though limited-use tokens are valid for 5 minutes, the SDK will still generate a new token for *each* request. This process can add some latency to your request.

However, when replay protection is available for Firebase AI Logic in the future (and you enable it), the use of session tokens and the reuse of limited-use tokens won't be possible. Note that the additional latency for generating a new token for each request will still apply.
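The behaviour described in this section is easiest to see side by side. The following is an added illustration, not Firebase's code and not App Check's actual implementation: a toy model of a proxy gateway that accepts either token kind within its TTL today, and that, once replay protection is switched on, accepts only limited-use tokens and consumes each one on first use. The token shape, the `Gateway` class, the constructed timestamps and the 30-minute session TTL are assumptions of this model; the 5-minute limited-use TTL and the accept/consume rules follow the text above.

```javascript
// Added illustration, not Firebase's own code: models how a proxy gateway
// could treat App Check session tokens versus limited-use tokens, and what
// changes once replay protection is enabled. Token fields, the Gateway class
// and the timestamps are assumptions made for this model.

const SESSION_TTL_MS = 30 * 60 * 1000;    // assumed session TTL (page: configurable, 30 min to 7 days)
const LIMITED_USE_TTL_MS = 5 * 60 * 1000; // limited-use TTL (page: fixed at 5 minutes)

// Constructed token: a real App Check token is a signed JWT verified by the
// gateway; here only the fields the acceptance logic needs are modelled.
function makeToken(id, kind, issuedAt) {
  if (kind !== "session" && kind !== "limited-use") {
    throw new Error("unknown token kind: " + kind);
  }
  return { id, kind, issuedAt };
}

class Gateway {
  constructor({ replayProtection = false } = {}) {
    this.replayProtection = replayProtection;
    this.consumed = new Set(); // ids of limited-use tokens already spent
  }

  // Decide one request carrying `token` at time `now` (ms). Returns { ok, reason }.
  check(token, now) {
    const ttl = token.kind === "limited-use" ? LIMITED_USE_TTL_MS : SESSION_TTL_MS;
    if (now - token.issuedAt > ttl) return { ok: false, reason: "expired" };

    if (!this.replayProtection) {
      // Current behaviour: both kinds are accepted and may be reused within TTL.
      return { ok: true, reason: "valid within TTL" };
    }
    // Replay protection on: only limited-use tokens, each accepted exactly once.
    if (token.kind !== "limited-use") return { ok: false, reason: "session token rejected" };
    if (this.consumed.has(token.id)) return { ok: false, reason: "replay" };
    this.consumed.add(token.id);
    return { ok: true, reason: "consumed" };
  }
}

// Runs the same request sequence through both gateway modes and returns the
// reason recorded for each request, keyed by mode.
function runScenario() {
  const t0 = 1700000000000; // constructed timestamp (ms)
  const session = makeToken("s1", "session", t0);
  const limited = makeToken("l1", "limited-use", t0);
  const out = {};
  for (const mode of ["withoutReplayProtection", "withReplayProtection"]) {
    const gw = new Gateway({ replayProtection: mode === "withReplayProtection" });
    out[mode] = [
      gw.check(session, t0 + 1000).reason,                   // cached session token
      gw.check(limited, t0 + 2000).reason,                   // first use of a limited-use token
      gw.check(limited, t0 + 3000).reason,                   // same limited-use token sent again
      gw.check(limited, t0 + LIMITED_USE_TTL_MS + 1).reason, // past 5 minutes: a fresh token is needed
    ];
  }
  return out;
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The third request is the one that matters: without replay protection a re-sent limited-use token is still "valid within TTL", which is why the page calls the current gain *small*; with replay protection it is rejected as a replay, and session tokens are refused outright, which is why clients should already be sending limited-use tokens before you turn the feature on.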

### Enable usage of limited-use tokens


> **Note:** Consider setting up limited-use tokens to be a Firebase Remote Config parameter so that you can control its setting remotely rather than having it hard-coded in your app. Learn more about [using Remote Config](https://firebase.google.com/docs/ai-logic/solutions/remote-config).

Here's how to enable usage of limited-use tokens:

1. [Implement App Check](https://firebase.google.com/docs/ai-logic/app-check#available-providers), and make sure that you've [enabled App Check enforcement](https://firebase.google.com/docs/app-check/enable-enforcement) for your app.

2. In your app during instantiation, enable the usage of limited-use tokens by setting the `useLimitedUseAppCheckTokens` parameter to `true`:

   ### Swift


       // ...

       // During instantiation, enable usage of limited-use tokens
       let ai = FirebaseAI.firebaseAI(
         backend: .googleAI(),
         useLimitedUseAppCheckTokens: true
       )

       // ...

   ### Kotlin


       // ...

       // During instantiation, enable usage of limited-use tokens
       val ai = Firebase.ai(
         backend = GenerativeBackend.googleAI(),
         useLimitedUseAppCheckTokens = true
       )

       // ...

   ### Java


       // ...

       // During instantiation, enable usage of limited-use tokens
       FirebaseAI ai = FirebaseAI.getInstance(
         /* backend: */ GenerativeBackend.googleAI(),
         /* useLimitedUseAppCheckTokens: */ true
       );

       // ...

   ### Web


       // ...

       // During instantiation, enable usage of limited-use tokens
       const ai = getAI(firebaseApp, {
         backend: new GoogleAIBackend(),
         useLimitedUseAppCheckTokens: true
       });

       // ...

   ### Dart


       // ...

       // During instantiation, enable usage of limited-use tokens
       final ai = await FirebaseAI.googleAI(
         appCheck: FirebaseAppCheck.instance, // for Flutter, pass in App Check explicitly
         useLimitedUseAppCheckTokens: true,
       );

       // ...

   ### Unity

   Using limited-use tokens with Unity games will be supported in a future release. Check back soon!

## Understand how Firebase AI Logic integrates with App Check

To use the Firebase AI Logic SDKs, the [Firebase AI Logic API (`firebasevertexai.googleapis.com`)](https://console.cloud.google.com/apis/library/firebasevertexai.googleapis.com?project=_) must be enabled in your Firebase project. This is because requests made by the Firebase AI Logic SDKs are first sent to the Firebase AI Logic server, which acts as a proxy gateway where Firebase App Check verification takes place *before* the request is allowed to proceed to your chosen "Gemini API" provider's backend and the APIs to access the Gemini and Imagen models.