
Firebase Auth JWT Issuer & Claims

Verify Firebase Auth JWTs: Firebase's issuer, JWKS URL, RS256 signing, and the user_id, firebase and firebase.sign_in_provider claims explained with validation rules.

Firebase Authentication issues JWT ID tokens that your backend verifies to authorize requests. An ID token is signed with RS256 (RSASSA-PKCS1-v1_5 over SHA-256) and is short-lived: it expires one hour after issue, and the client SDK refreshes it. The issuer is https://securetoken.google.com/YOUR_PROJECT (where YOUR_PROJECT is your Firebase project ID). Firebase publishes its signing keys at a shared Google endpoint that is the same for every project, so the issuer and audience claims, not the key set, are what tie a token to your project.

Issuer details

Issuer (iss): https://securetoken.google.com/YOUR_PROJECT
JWKS URL: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com (shared by all projects)
X.509 certificates (same keys, PEM form, keyed by kid): https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
OIDC discovery: https://securetoken.google.com/YOUR_PROJECT/.well-known/openid-configuration
Signing algorithm: RS256 (the only algorithm Firebase uses; reject anything else)

Issuer-specific claims

Claims you will encounter in Firebase Auth JWTs and what they mean for this issuer:

iss: https://securetoken.google.com/YOUR_PROJECT, where YOUR_PROJECT is your Firebase project ID. Compare against your exact project; a token from another Firebase project is signed by the same key set and differs only here and in aud.
sub: the Firebase user's UID, a non-empty string that is stable for the life of the account within the project. Use this as the primary key, never email.
user_id: same value as sub, the Firebase user UID. Present for backwards compatibility; prefer sub.
aud: your Firebase project ID. Validate aud on every request.
iat / exp: issue and expiry time as Unix seconds. exp is one hour after iat; require exp to be in the future and iat in the past.
auth_time: Unix time the user last authenticated (not when the token was refreshed). Must be in the past; useful for re-authentication policies on sensitive actions.
email: the user's email. Absent for anonymous users and for phone-auth users who have not linked an email.
email_verified: boolean, whether the user's email is verified. Absent when email is absent; reject anything but true for sensitive flows.
phone_number: the user's phone number in E.164 form, present for phone-auth users.
firebase: an object with two members. firebase.identities maps each linked provider (google.com, email, phone, ...) to the provider-side identifiers, and firebase.sign_in_provider names the provider used for this sign-in (google.com, password, phone, anonymous, custom, etc.). sign_in_provider is nested here, not a top-level claim; useful for conditional flows and audit logging.

Verifying tokens from this issuer

Fetch the public keys from https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com and cache them according to the response's Cache-Control max-age, since Firebase rotates keys. Hardcode algorithms: ['RS256'] and require the header's kid to match one of the fetched keys. Then check the claims: iss equals https://securetoken.google.com/YOUR_PROJECT, aud equals your Firebase project ID, sub is a non-empty string, exp is in the future, and iat and auth_time are in the past. The official Firebase Admin SDKs (Node.js, Python, Java, Go) do all of this for you: admin.auth().verifyIdToken(token) in Node.js, auth.verify_id_token(token) in Python, and the equivalent calls in Java and Go. Prefer the SDK over manual verification unless you cannot use it. Note that verifyIdToken does not check whether the session has been revoked unless you ask it to (the checkRevoked argument in Node.js, check_revoked in Python), which costs a backend lookup per call.

Frequently asked questions

  • How do I verify a Firebase ID token?

    The recommended way is the Firebase Admin SDK: admin.auth().verifyIdToken(token) in Node.js, firebase_admin.auth.verify_id_token(token) in Python. The SDK fetches and caches the public keys, verifies the RS256 signature, and validates iss, aud, sub, iat, exp and auth_time for you. For manual verification, fetch the public keys from https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com, hardcode algorithms: ['RS256'], match the header kid to a fetched key, and validate iss (https://securetoken.google.com/YOUR_PROJECT), aud (your project ID), sub (non-empty), exp (future) and iat and auth_time (past).

  • What is the Firebase JWT issuer URL?

    The iss claim is https://securetoken.google.com/YOUR_PROJECT, where YOUR_PROJECT is your Firebase project ID. Validate iss against your exact project. The key endpoint is shared across all Firebase projects at https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com, so the iss and aud checks are what keep a token from another project out; Firebase signs with RS256.

  • Should I use the Firebase Admin SDK or verify JWTs manually?

    Use the Firebase Admin SDK (admin.auth().verifyIdToken in Node.js, auth.verify_id_token in Python) whenever you can: it handles key fetching, caching, signature verification and iss/aud/sub/exp/iat/auth_time validation correctly and stays current with Firebase's key rotation. Verify manually only when you cannot use the SDK (a language without an SDK, or a constraint that prevents it). The manual process is straightforward but easy to get wrong on claim validation, most often by trusting the token's alg header or skipping the aud check.
