admin.auth.Auth

interface   static

The Firebase Auth service interface.

Do not call this constructor directly. Instead, use admin.auth().

See Introduction to the Admin Auth API for a full guide on how to use the Firebase Auth service.

Property

app

non-null admin.app.App

The app associated with the current Auth service instance.

Example 

var app = auth.app;

Methods

createCustomToken

createCustomToken(uid, developerClaims) returns Promise containing string

Creates a new Firebase custom token (JWT) that can be sent back to a client device to use to sign in with the client SDKs' signInWithCustomToken() methods.

See Create Custom Tokens for code samples and detailed documentation.

Parameter

uid

string

The uid to use as the custom token's subject.

developerClaims

Optional

Object

Optional additional claims to include in the custom token's payload.

Value may be null.
Returns

non-null Promise containing string A promise fulfilled with a custom token for the provided uid and payload.

createSessionCookie

createSessionCookie(idToken, sessionCookieOptions) returns Promise containing string

Creates a new Firebase session cookie with the specified options. The created JWT string can be set as a server-side session cookie with a custom cookie policy, and be used for session management. The session cookie JWT will have the same payload claims as the provided ID token.

See Manage Session Cookies for code samples and detailed documentation.

Parameter

idToken

string

The Firebase ID token to exchange for a session cookie.

sessionCookieOptions

admin.auth.SessionCookieOptions

The session cookie options which includes custom session duration.

Value must not be null.
Returns

non-null Promise containing string A promise that resolves on success with the created session cookie.

createUser

createUser(properties) returns Promise containing non-null admin.auth.UserRecord

Creates a new user.

See Create a user for code samples and detailed documentation.

Parameter

properties

admin.auth.CreateRequest

The properties to set on the new user record to be created.

Value must not be null.
Returns

non-null Promise containing non-null admin.auth.UserRecord A promise fulfilled with the user data corresponding to the newly created user.

deleteUser

deleteUser(uid) returns Promise containing void

Deletes an existing user.

See Delete a user for code samples and detailed documentation.

Parameter

uid

string

The uid corresponding to the user to delete.
Returns

non-null Promise containing void An empty promise fulfilled once the user has been deleted.

generateEmailVerificationLink(email, actionCodeSettings) returns Promise containing string

Generates the out of band email action link to verify the user's ownership of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.

Parameter

email

string

The email account to verify.

actionCodeSettings

Optional

admin.auth.ActionCodeSettings

The action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the email verification link. The default email verification landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.

Value must not be null.
Returns

non-null Promise containing string 

Example 

var actionCodeSettings = {
  url: 'https://www.example.com/cart?email=user@example.com&cartId=123',
  iOS: {
    bundleId: 'com.example.ios'
  },
  android: {
    packageName: 'com.example.android',
    installApp: true,
    minimumVersion: '12'
  },
  handleCodeInApp: true,
  dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
    .generateEmailVerificationLink('user@example.com', actionCodeSettings)
    .then(function(link) {
      // The link was successfully generated.
    })
    .catch(function(error) {
      // Some error occurred, you can inspect the code: error.code
    });

generatePasswordResetLink(email, actionCodeSettings) returns Promise containing string

Generates the out of band email action link to reset a user's password. The link is generated for the user with the specified email address. The optional ActionCodeSettings object defines whether the link is to be handled by a mobile app or browser and the additional state information to be passed in the deep link, etc.

Parameter

email

string

The email address of the user whose password is to be reset.

actionCodeSettings

Optional

admin.auth.ActionCodeSettings

The action code settings. If specified, the state/continue URL is set as the "continueUrl" parameter in the password reset link. The default password reset landing page will use this to display a link to go back to the app if it is installed. If the actionCodeSettings is not specified, no URL is appended to the action URL. The state URL provided must belong to a domain that is whitelisted by the developer in the console. Otherwise an error is thrown. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.

Value must not be null.
Returns

non-null Promise containing string 

Example 

var actionCodeSettings = {
  url: 'https://www.example.com/?email=user@example.com',
  iOS: {
    bundleId: 'com.example.ios'
  },
  android: {
    packageName: 'com.example.android',
    installApp: true,
    minimumVersion: '12'
  },
  handleCodeInApp: true,
  dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
    .generatePasswordResetLink('user@example.com', actionCodeSettings)
    .then(function(link) {
      // The link was successfully generated.
    })
    .catch(function(error) {
      // Some error occurred, you can inspect the code: error.code
    });

generateSignInWithEmailLink(email, actionCodeSettings) returns Promise containing string

Generates the out of band email action link to sign in or sign up the owner of the specified email. The ActionCodeSettings object provided as an argument to this method defines whether the link is to be handled by a mobile app or browser along with additional state information to be passed in the deep link, etc.

Parameter

email

string

The email account to sign in with.

actionCodeSettings

admin.auth.ActionCodeSettings

The action code settings. These settings provide Firebase with instructions on how to construct the email link. This includes the sign in completion URL or the deep link for redirects and the mobile apps to use when the sign-in link is opened on an Android or iOS device. Mobile app redirects are only applicable if the developer configures and accepts the Firebase Dynamic Links terms of service. The Android package name and iOS bundle ID are respected only if they are configured in the same Firebase Auth project.

Value must not be null.
Returns

non-null Promise containing string 

Example 

var actionCodeSettings = {
  // The URL to redirect to for sign-in completion. This is also the deep
  // link for mobile redirects. The domain (www.example.com) for this URL
  // must be whitelisted in the Firebase Console.
  url: 'https://www.example.com/finishSignUp?cartId=1234',
  iOS: {
    bundleId: 'com.example.ios'
  },
  android: {
    packageName: 'com.example.android',
    installApp: true,
    minimumVersion: '12'
  },
  // This must be true.
  handleCodeInApp: true,
  dynamicLinkDomain: 'custom.page.link'
};
admin.auth()
    .generateSignInWithEmailLink('user@example.com', actionCodeSettings)
    .then(function(link) {
      // The link was successfully generated.
    })
    .catch(function(error) {
      // Some error occurred, you can inspect the code: error.code
    });

getUser

getUser(uid) returns Promise containing non-null admin.auth.UserRecord

Gets the user data for the user corresponding to a given uid.

See Retrieve user data for code samples and detailed documentation.

Parameter

uid

string

The uid corresponding to the user whose data to fetch.
Returns

non-null Promise containing non-null admin.auth.UserRecord A promise fulfilled with the user data corresponding to the provided uid.

getUserByEmail

getUserByEmail(email) returns Promise containing non-null admin.auth.UserRecord

Gets the user data for the user corresponding to a given email.

See Retrieve user data for code samples and detailed documentation.

Parameter

email

string

The email corresponding to the user whose data to fetch.

Returns

non-null Promise containing non-null admin.auth.UserRecord A promise fulfilled with the user data corresponding to the provided email.

getUserByPhoneNumber

getUserByPhoneNumber(phoneNumber) returns Promise containing non-null admin.auth.UserRecord

Gets the user data for the user corresponding to a given phone number. The phone number has to conform to the E.164 specification.

See Retrieve user data for code samples and detailed documentation.

Parameter

phoneNumber

string

The phone number corresponding to the user whose data to fetch.
Returns

non-null Promise containing non-null admin.auth.UserRecord A promise fulfilled with the user data corresponding to the provided phone number.

importUsers

importUsers(userImportRecords, userImportOptions) returns Promise containing non-null admin.auth.UserImportResult

Imports the provided list of users into Firebase Auth. At most 1000 users are allowed to be imported one at a time. When importing users with passwords, UserImportOptions are required to be specified. This operation is optimized for bulk imports and will ignore checks on uid, email and other identifier uniqueness which could result in duplications.

Parameter

userImportRecords

Array of non-null admin.auth.UserImportRecord

The list of user records to import to Firebase Auth.

Value must not be null.

userImportOptions

Optional

admin.auth.UserImportOptions

The user import options, required when the users provided include password credentials.

Value must not be null.
Returns

non-null Promise containing non-null admin.auth.UserImportResult A promise that resolves when the operation completes with the result of the import. This includes the number of successful imports, the number of failed imports and their corresponding errors.

listUsers

listUsers(maxResults, pageToken) returns Promise containing non-null admin.auth.ListUsersResult

Retrieves a list of users (single batch only) with a size of maxResults and starting from the offset as specified by pageToken. This is used to retrieve all the users of a specified project in batches.

See List all users for code samples and detailed documentation.

Parameter

maxResults

Optional

number

The page size, 1000 if undefined. This is also the maximum allowed limit.

pageToken

Optional

string

The next page token. If not specified, returns users starting without any offset.
Returns

non-null Promise containing non-null admin.auth.ListUsersResult A promise that resolves with the current batch of downloaded users and the next page token.

revokeRefreshTokens

revokeRefreshTokens(uid) returns Promise containing void

Revokes all refresh tokens for an existing user.

This API will update the user's tokensValidAfterTime to the current UTC. It is important that the server on which this is called has its clock set correctly and synchronized.

While this will revoke all sessions for a specified user and disable any new ID tokens for existing sessions from getting minted, existing ID tokens may remain active until their natural expiration (one hour). To verify that ID tokens are revoked, use verifyIdToken(idToken, true) where checkRevoked is set to true.

Parameter

uid

string

The uid corresponding to the user whose refresh tokens are to be revoked.
Returns

non-null Promise containing void An empty promise fulfilled once the user's refresh tokens have been revoked.

setCustomUserClaims

setCustomUserClaims(uid, customUserClaims) returns Promise containing void

Sets additional developer claims on an existing user identified by the provided uid, typically used to define user roles and levels of access. These claims should propagate to all devices where the user is already signed in (after token expiration or when token refresh is forced) and the next time the user signs in. If a reserved OIDC claim name is used (sub, iat, iss, etc), an error is thrown. They are set on the authenticated user's ID token JWT.

See Defining user roles and access levels for code samples and detailed documentation.

Parameter

uid

string

The uid of the user to edit.

customUserClaims

Object

The developer claims to set. If null is passed, existing custom claims are deleted. Passing a custom claims payload larger than 1000 bytes will throw an error. Custom claims are added to the user's ID token which is transmitted on every authenticated request. For profile non-access related user attributes, use database or other separate storage systems.

Value may be null.
Returns

non-null Promise containing void A promise that resolves when the operation completes successfully.

updateUser

updateUser(uid, properties) returns Promise containing non-null admin.auth.UserRecord

Updates an existing user.

See Update a user for code samples and detailed documentation.

Parameter

uid

string

The uid corresponding to the user to delete.

properties

admin.auth.UpdateRequest

The properties to update on the provided user.

Value must not be null.
Returns

non-null Promise containing non-null admin.auth.UserRecord A promise fulfilled with the updated user data.

verifyIdToken

verifyIdToken(idToken, checkRevoked) returns Promise containing non-null admin.auth.DecodedIdToken

Verifies a Firebase ID token (JWT). If the token is valid, the promise is fulfilled with the token's decoded claims; otherwise, the promise is rejected. An optional flag can be passed to additionally check whether the ID token was revoked.

See Verify ID Tokens for code samples and detailed documentation.

Parameter

idToken

string

The ID token to verify.

checkRevoked

Optional

boolean

Whether to check if the ID token was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not applied.
Returns

non-null Promise containing non-null admin.auth.DecodedIdToken A promise fulfilled with the token's decoded claims if the ID token is valid; otherwise, a rejected promise.

verifySessionCookie

verifySessionCookie(sessionCookie, checkRevoked) returns Promise containing non-null admin.auth.DecodedIdToken

Verifies a Firebase session cookie. Returns a Promise with the cookie claims. Rejects the promise if the cookie could not be verified. If checkRevoked is set to true, verifies if the session corresponding to the session cookie was revoked. If the corresponding user's session was revoked, an auth/session-cookie-revoked error is thrown. If not specified the check is not performed.

See Verify Session Cookies for code samples and detailed documentation

Parameter

sessionCookie

string

The session cookie to verify.

checkRevoked

Optional

boolean

Whether to check if the session cookie was revoked. This requires an extra request to the Firebase Auth backend to check the tokensValidAfterTime time for the corresponding user. When not specified, this additional check is not performed.
Returns

non-null Promise containing non-null admin.auth.DecodedIdToken A promise fulfilled with the session cookie's decoded claims if the session cookie is valid; otherwise, a rejected promise.