Verifying ID tokens with Firebase Authentication
When you call verifyIdToken
, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours (since it hardly ever changes). After verifying the token, it checks whether the token was revoked, which requires another call to the Firebase Authentication servers. This request happens for each call to verifyIdToken
.
You can check this against the source code.
verifyIdToken
fetchPublicKeys
verifyJWT
verifyDecodedJWTNotRevoked