firebase
diff --git a/‎docs/app-check/custom-resource.mdx
Lines changed: 44 additions & 0 deletions b/‎docs/app-check/custom-resource.mdx
Lines changed: 44 additions & 0 deletions
diff --git a/‎docs/app-check/usage.mdx renamed to ‎docs/app-check/debug-provider.mdx
Lines changed: 6 additions & 83 deletions b/‎docs/app-check/usage.mdx renamed to ‎docs/app-check/debug-provider.mdx
Lines changed: 6 additions & 83 deletions
diff --git a/‎docs/app-check/default-providers.mdx
Lines changed: 220 additions & 0 deletions b/‎docs/app-check/default-providers.mdx
Lines changed: 220 additions & 0 deletions
@@ -0,0 +1,44 @@
+---
+title: Protect non-Firebase resources with App Check
+sidebar_label: Non-Firebase resources
+---
+
+You can protect your app's non-Firebase resources, such as self-hosted backends,
+with App Check. To do so, you will need to do both of the following:
+
+- Modify your app client to send an App Check token along with each request
+  to your backend, as described on this page.
+- Modify your backend to require a valid App Check token with every request,
+  as described in [Verify App Check tokens from a custom backend](https://firebase.google.com/docs/app-check/custom-resource-backend).
+
+## Before you begin
+
+Add App Check to your app, using the [default providers](default-providers).
+
+## Send App Check tokens with backend requests
+
+To ensure your backend requests include a valid, unexpired, App Check token,
+precede each request with a call to `getToken()`. The App Check library
+will refresh the token if necessary.
+
+Once you have a valid token, send it along with the request to your backend. The
+specifics of how you accomplish this are up to you, but _don't send
+App Check tokens as part of URLs_, including in query parameters, as this
+makes them vulnerable to accidental leakage and interception. The recommended
+approach is to send the token in a custom HTTP header.
+
+For example:
+
+```dart
+void callApiExample() async {
+    final appCheckToken = await FirebaseAppCheck.instance.getToken();
+    if (appCheckToken != null) {
+        final response = await http.get(
+            Uri.parse("https://yourbackend.example.com/yourExampleEndpoint"),
+            headers: {"X-Firebase-AppCheck": appCheckToken},
+        );
+    } else {
+        // Error: couldn't get an App Check token.
+    }
+}
+```
@@ -1,94 +1,17 @@
 ---
-title: App Check
-sidebar_label: Usage
+title: Use App Check with the debug provider
+sidebar_label: Debugging
 ---
 
-Once installed, you can access the [`firebase_app_check`](!firebase_app_check) plugin by importing
-it in your Dart code:
-
-```dart
-import 'package:firebase_app_check/firebase_app_check.dart';
-```
-
-To create a new Firebase App Check instance, call the instance getter on `FirebaseAppCheck`:
-
-```dart
-FirebaseAppCheck appCheck = FirebaseAppCheck.instance;
-```
-
-By default, this allows you to interact with Firebase App Check using the default Firebase App used whilst installing FlutterFire on your platform. If however you'd like to use a secondary Firebase App, use the `instanceFor` method:
-
-```dart
-FirebaseApp secondaryApp = Firebase.app('SecondaryApp');
-FirebaseAppCheck appCheck = FirebaseAppCheck.instanceFor(app: secondaryApp);
-```
-
-## Activate the default provider
-
-To activate the default App Check attestation provider you must call activate before any usages of your Firebase
-services such as Storage, but after calling `Firebase.initializeApp()`;
-
-```dart {10} title="lib/main.dart"
-import 'package:flutter/material.dart';
-import 'package:firebase_core/firebase_core.dart';
-
-// Import the firebase_app_check plugin
-import 'package:firebase_app_check/firebase_app_check.dart';
-
-Future<void> main() async {
-  WidgetsFlutterBinding.ensureInitialized();
-  await Firebase.initializeApp();
-  await FirebaseAppCheck.instance.activate(
-    webRecaptchaSiteKey: 'recaptcha-v3-site-key',
-  );
-  runApp(App());
-}
-```
-
-## Getting the current token
-
-To get the current token associated with App Check, call the `getToken` method:
-
-```dart
-String? token = await FirebaseAppCheck.instance.getToken();
-print(token);
-```
-
-Optionally, you can force the token to refresh when fetching:
-
-```dart
-String? token = await FirebaseAppCheck.instance.getToken(true);
-```
-
-## Listen to token changes
-
-To subscribe to App Check token changes, listen to the `onTokenChange` `Stream`:
-
-```dart
-FirebaseAppCheck.instance.onTokenChange.listen((token) {
-  print(token);
-});
-```
-
-## Automatic refreshing
-
-To enable the SDK to automatically refresh the App Check token when required, call the `setTokenAutoRefreshEnabled` method:
-
-```dart
-await FirebaseAppCheck.instance.setTokenAutoRefreshEnabled(true);
-```
-
-## Debugging
-
-:::caution
-Warning: The debug provider allows access to your Firebase resources from unverified devices. Don't use the debug provider in production builds of your app, and don't share your debug builds with untrusted parties.
-:::
-
 If, after you have registered your app for App Check, and you want to run your app in an environment that
 App Check would normally not classify as valid, such as a simulator during development, or from a continuous
 integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead
 of a real attestation provider.
 
+:::caution
+Warning: The debug provider allows access to your Firebase resources from unverified devices. Don't use the debug provider in production builds of your app, and don't share your debug builds with untrusted parties.
+:::
+
 For now the debug provider does not currently have a Dart API; you'll need to apply the changes for your platforms as
 shown below:
 
 
@@ -0,0 +1,220 @@
+---
+title: Enable App Check in Flutter apps
+sidebar_label: Enable App Check
+---
+
+This page shows you how to enable App Check in a Flutter app, using the
+default providers: SafetyNet on Android, Device Check on Apple platforms, and
+reCAPTCHA v3 on web. When you enable App Check, you help ensure that
+only your app can access your project's Firebase resources. See an
+[Overview](overview) of this feature.
+
+
+## 1. Set up your Firebase project {#project-setup}
+
+1.  [Install and initialize FlutterFire](../overview) if you haven't
+    already done so.
+
+1.  Register your apps to use App Check with the SafetyNet, Device Check, and reCAPTCHA providers in the
+    [**Project Settings > App Check**](https://console.firebase.google.com/project/_/settings/appcheck)
+    section of the Firebase console.
+
+    You usually need to register all of your project's apps, because once you
+    enable enforcement for a Firebase product, only registered apps will be able
+    to access the product's backend resources.
+
+1.  **Optional**: In the app registration settings, set a custom time-to-live
+    (TTL) for App Check tokens issued by the provider. You can set the TTL
+    to any value between 30 minutes and 7 days. When changing this value, be
+    aware of the following tradeoffs:
+
+    - Security: Shorter TTLs provide stronger security, because it reduces the
+      window in which a leaked or intercepted token can be abused by an
+      attacker.
+    - Performance: Shorter TTLs mean your app will perform attestation more
+      frequently. Because the app attestation process adds latency to network
+      requests every time it's performed, a short TTL can impact the performance
+      of your app.
+    - Quota and cost: Shorter TTLs and frequent re-attestation deplete your
+      quota faster, and for paid services, potentially cost more.
+      See [Quotas &amp; limits](https://firebase.google.com/docs/app-check#quotas_limits).
+
+    The default TTL
+    is reasonable for most apps. Note that the App Check library refreshes
+    tokens at approximately half the TTL duration.
+
+
+## 2. Add the App Check library to your app {#install-sdk}
+
+1.  From the root of your Flutter project, run the following command to install the plugin:
+
+    ```bash
+    flutter pub add firebase_app_check
+    ```
+
+1.  Once complete, rebuild your Flutter application:
+
+    ```bash
+    flutter run
+    ```
+
+
+## 3. Initialize App Check {#initialize}
+
+Add the following initialization code to your app so that it runs before you
+use any Firebase services such as Storage, but after calling
+`Firebase.initializeApp()`;
+
+```dart
+import 'package:flutter/material.dart';
+import 'package:firebase_core/firebase_core.dart';
+
+// Import the firebase_app_check plugin
+import 'package:firebase_app_check/firebase_app_check.dart';
+
+Future<void> main() async {
+  WidgetsFlutterBinding.ensureInitialized();
+  await Firebase.initializeApp();
+  await FirebaseAppCheck.instance.activate(
+    webRecaptchaSiteKey: 'recaptcha-v3-site-key',
+  );
+  runApp(App());
+}
+```
+
+Once the App Check library is installed in your app, start distributing the
+updated app to your users.
+
+The updated client app will begin sending App Check tokens along with every
+request it makes to Firebase, but Firebase products will not require the tokens
+to be valid until you enable enforcement in the App Check section of the
+Firebase console. See the next two sections for details.
+
+
+## 4. Monitor request metrics {#metrics}
+
+Now that your updated app is in the hands of users, you can enable enforcement
+of App Check for the Firebase products you use. Before you do so, however,
+you should make sure that doing so won’t disrupt your existing legitimate users.
+
+### Realtime Database, Cloud Firestore, and Cloud Storage {#metrics-other}
+
+An important tool you can use to make this decision for Realtime Database,
+Cloud Firestore, and Cloud Storage is the App Check request metrics screen.
+
+To view the App Check request metrics for a product, open the
+[**Project Settings > App Check**](https://console.firebase.google.com/project/_/settings/appcheck)
+section of the Firebase console. For example:
+
+<img src="https://firebase.google.com/docs/app-check/app-check-metrics.png"
+     alt="Screenshot of the App Check metrics page"
+     class="screenshot"/>
+
+The request metrics for each product are broken down into four categories:
+
+- **Verified** requests are those that have a valid App Check token. After
+  you enable App Check enforcement, only requests in this category will
+  succeed.
+
+- **Outdated client** requests are those that are missing an App Check
+  token. These requests might be from an older version of the Firebase SDK
+  before App Check was included in the app.
+
+- **Unknown origin** requests are those that are missing an App Check token,
+  and don't look like they come from the Firebase SDK. These might be from
+  requests made with stolen API keys or forged requests made without the
+  Firebase SDK.
+
+- **Invalid** requests are those that have an invalid
+  App Check token, which might be from an inauthentic client attempting to
+  impersonate your app, or from emulated environments.
+
+The distribution of these categories for your app should inform when you decide
+to enable enforcement. Here are some guidelines:
+
+- If almost all of the recent requests are from verified clients, consider
+  enabling enforcement to start protecting your backend resources.
+
+- If a significant portion of the recent requests are from likely-outdated
+  clients, to avoid disrupting users, consider waiting for more users to update
+  your app before enabling enforcement. Enforcing App Check on a released
+  app will break prior app versions that are not integrated with the
+  App Check SDK.
+
+- If your app hasn't launched yet, you should enable App Check enforcement
+  immediately, since there aren't any outdated clients in use.
+
+### Cloud Functions {#metrics-functions}
+
+For Cloud Functions, you can get App Check metrics by examining your
+functions' logs. Every invocation of a callable function emits a structured log
+entry like the following example:
+
+```json
+{
+  "severity": "INFO",    // INFO, WARNING, or ERROR
+  "logging.googleapis.com/labels": {"firebase-log-type": "callable-request-verification"},
+  "jsonPayload": {
+    "message": "Callable header verifications passed.",
+    "verifications": {
+      // ...
+      "app": "MISSING",  // VALID, INVALID, or MISSING
+    }
+  }
+}
+```
+
+You can analyze these metrics in the Google Cloud Console by [creating a
+logs-based counter metric](https://cloud.google.com/logging/docs/logs-based-metrics/counter-metrics)
+with the following metric filter:
+
+```
+resource.type="cloud_function"
+resource.labels.function_name="YOUR_CLOUD_FUNCTION"
+resource.labels.region="us-central1"
+labels.firebase-log-type="callable-request-verification"
+```
+
+[Label the metric](https://cloud.google.com/logging/docs/logs-based-metrics/labels#create-label)
+using the field `jsonPayload.verifications.appCheck`.
+
+
+## 5. Enable enforcement {#enable-enforcement}
+
+To enable enforcement, follow the instructions for each product, below. Once you
+enable enforcement for a product, all unverified requests to that product will
+be rejected.
+
+### Realtime Database, Cloud Firestore, and Cloud Storage {#enable-other}
+
+To enable enforcement for Realtime Database, Cloud Firestore (iOS and Android), and Cloud Storage:
+
+1.  Open the [**Project Settings > App Check**](https://console.firebase.google.com/project/_/settings/appcheck)
+    section of the Firebase console.
+
+1.  Expand the metrics view of the product for which you want to enable
+    enforcement.
+
+1.  Click **Enforce** and confirm your choice.
+
+    Important: Cloud Firestore support is currently available only for Android and
+    iOS clients. If your project has a web app, **don't enable Cloud Firestore
+    enforcement** until web client support is available.
+
+Note that it can take up to 10 minutes after you enable enforcement for it to
+take effect.
+
+### Cloud Functions {#enable-functions}
+
+See [Enable App Check enforcement for Cloud Functions](https://firebase.google.com/docs/app-check/cloud-functions).
+
+
+## Next steps
+
+If, after you have registered your app for App Check, you want to run your
+app in an environment that App Check would normally not classify as valid,
+such as an emulator during development, or from a continuous integration (CI)
+environment, you can create a debug build of your app that uses the
+App Check debug provider instead of a real attestation provider.
+
+See [Use App Check with the debug provider](debug-provider).