firebase · lahirumaramba · Nov 28, 2025 · Nov 28, 2025 · Nov 28, 2025 · gemini-code-assist
diff --git a/etc/firebase-admin.app-check.api.md b/etc/firebase-admin.app-check.api.md
@@ -24,6 +24,7 @@ export interface AppCheckToken {
 
 // @public
 export interface AppCheckTokenOptions {
+    limitedUse?: boolean;
     ttlMillis?: number;
 }
 

diff --git a/src/app-check/app-check-api-client-internal.ts b/src/app-check/app-check-api-client-internal.ts
@@ -58,7 +58,11 @@ export class AppCheckApiClient {
    * @param appId - The mobile App ID.
    * @returns A promise that fulfills with a `AppCheckToken`.
    */
-  public exchangeToken(customToken: string, appId: string): Promise<AppCheckToken> {
+  public exchangeToken(
+    customToken: string,
+    appId: string,
+    limitedUse?: boolean
+  ): Promise<AppCheckToken> {
     if (!validator.isNonEmptyString(appId)) {
       throw new FirebaseAppCheckError(
         'invalid-argument',
@@ -75,7 +79,10 @@ export class AppCheckApiClient {
           method: 'POST',
           url,
           headers: FIREBASE_APP_CHECK_CONFIG_HEADERS,
-          data: { customToken }
+          data: {
+            customToken,
+            limitedUse,
+          }
         };
         return this.httpClient.send(request);
       })

diff --git a/src/app-check/app-check-api.ts b/src/app-check/app-check-api.ts
@@ -39,6 +39,13 @@ export interface AppCheckTokenOptions {
    * be valid. This value must be between 30 minutes and 7 days, inclusive.
    */
   ttlMillis?: number;
+
+  /**
+   * Specifies whether this token is for a limited use context.
+   * To enable this token to be used with the replay protection feature, set this to `true`.
+   * The default value is `false`.
+   */
+  limitedUse?: boolean;
 }
 
 /**

diff --git a/src/app-check/app-check.ts b/src/app-check/app-check.ts
@@ -68,7 +68,7 @@ export class AppCheck {
   public createToken(appId: string, options?: AppCheckTokenOptions): Promise<AppCheckToken> {
     return this.tokenGenerator.createCustomToken(appId, options)
       .then((customToken) => {
-        return this.client.exchangeToken(customToken, appId);
+        return this.client.exchangeToken(customToken, appId, options?.limitedUse);
       });
   }
 

diff --git a/test/integration/app-check.spec.ts b/test/integration/app-check.spec.ts
@@ -53,7 +53,20 @@ describe('admin.appCheck', () => {
           expect(token).to.have.keys(['token', 'ttlMillis']);
           expect(token.token).to.be.a('string').and.to.not.be.empty;
           expect(token.ttlMillis).to.be.a('number');
-          expect(token.ttlMillis).to.equals(3600000);
+          expect(token.ttlMillis).to.equals(3600000); // 1 hour
+        });
+    });
+
+    it('should succeed with a vaild limited use token', function () {
+      if (!appId) {
+        this.skip();
+      }
+      return admin.appCheck().createToken(appId as string, { limitedUse: true })
+        .then((token) => {
+          expect(token).to.have.keys(['token', 'ttlMillis']);
+          expect(token.token).to.be.a('string').and.to.not.be.empty;
+          expect(token.ttlMillis).to.be.a('number');
+          expect(token.ttlMillis).to.equals(300000); // 5 minutes
         });
     });
 

diff --git a/test/unit/app-check/app-check-api-client-internal.spec.ts b/test/unit/app-check/app-check-api-client-internal.spec.ts
@@ -210,7 +210,31 @@ describe('AppCheckApiClient', () => {
             method: 'POST',
             url: `https://firebaseappcheck.googleapis.com/v1/projects/test-project/apps/${APP_ID}:exchangeCustomToken`,
             headers: EXPECTED_HEADERS,
-            data: { customToken: TEST_TOKEN_TO_EXCHANGE }
+            data: {
+              customToken: TEST_TOKEN_TO_EXCHANGE,
+              limitedUse: undefined,
+            }
+          });
+        });
+    });
+
+    it('should resolve with the App Check token on success with limitedUse', () => {
+      const stub = sinon
+        .stub(HttpClient.prototype, 'send')
+        .resolves(utils.responseFrom(TEST_RESPONSE, 200));
+      stubs.push(stub);
+      return apiClient.exchangeToken(TEST_TOKEN_TO_EXCHANGE, APP_ID, true)
+        .then((resp) => {
+          expect(resp.token).to.deep.equal(TEST_RESPONSE.token);
+          expect(resp.ttlMillis).to.deep.equal(3000);
+          expect(stub).to.have.been.calledOnce.and.calledWith({
+            method: 'POST',
+            url: `https://firebaseappcheck.googleapis.com/v1/projects/test-project/apps/${APP_ID}:exchangeCustomToken`,
+            headers: EXPECTED_HEADERS,
+            data: {
+              customToken: TEST_TOKEN_TO_EXCHANGE,
+              limitedUse: true,
+            }
           });
         });
     });

diff --git a/test/unit/app-check/app-check.spec.ts b/test/unit/app-check/app-check.spec.ts
@@ -168,6 +168,20 @@ describe('AppCheck', () => {
           expect(token.ttlMillis).equals(3000);
         });
     });
+
+    it('should resolve with AppCheckToken on success with limitedUse', () => {
+      const response = { token: 'token', ttlMillis: 3000 };
+      const stub = sinon
+        .stub(AppCheckApiClient.prototype, 'exchangeToken')
+        .resolves(response);
+      stubs.push(stub);
+      return appCheck.createToken(APP_ID, { limitedUse: true })
+        .then((token) => {
+          expect(token.token).equals('token');
+          expect(token.ttlMillis).equals(3000);
+          expect(stub).to.have.been.calledOnce.and.calledWith(sinon.match.string, APP_ID, true);
+        });
+    });
   });
 
   describe('verifyToken', () => {