Get started using App Check for Google Sign-in on iOS

This page shows you how to enable App Check in an iOS app. When you enable App Check, you help ensure that only your app can access Google's OAuth 2.0 endpoints on behalf of your project. See an Overview of this feature.

App Check uses App Attest to help verify that OAuth 2.0 requests are coming from your authentic app. App Check does not use App Attest to analyze fraud risk.

Before you begin

Make sure you have Xcode 12.5 or newer.
Integrate Google Sign-in into your iOS app, using the Google Sign-in library.

1. Set up your project

You must have a Firebase project to use App Check with Google Sign-in.
- If your app already uses Firebase, use the same project.
- If your app uses Google Sign-in, but not Firebase, you already have a Google Cloud project. Add Firebase to your Google Cloud project by selecting it when you create a new project in the Firebase console
See also: Relationship between Firebase projects and Google Cloud
If you haven't already done so, add your iOS apps to your Firebase project using the Project settings page of the Firebase console.
Register your apps to use App Check with the App Attest provider in the App Check section of the Firebase console.

Note: The Token time to live setting has no effect on the App Check tokens used with Google Sign-in. A fresh App Attest assertion is obtained prior to each interaction with Google's OAuth 2.0 endpoints.
Make sure all of your project's OAuth clients are linked to an app.

If you have unlinked clients, you'll see a message in the Google Identity for iOS section of the App Check page that says, You have n unlinked OAuth clients which require additional setup.

Additionally, if you have deleted some OAuth clients after setting them up in App Check, you'll see a message that says, You have n overrides with no matching OAuth client. You can safely clean up by deleting those overrides.

You can link unlinked clients to an existing or new app on the OAuth clients page of the Firebase console.

2. Add the Beta Google Sign-in library to your app

In your Xcode project, set the Google Sign-in dependency to version 7.1.0-fac-beta-1.0.0:

SPM

Set the dependency rule of googlesignin-ios to the exact version: 7.1.0-fac-beta-1.0.0.

CocoaPods

Update your Podfile:

source 'https://github.com/CocoaPods/Specs.git'
source 'https://github.com/firebase/SpecsDev.git'

target 'YourAppName' do
  use_frameworks!

  pod 'GoogleSignIn',
      :git => 'https://github.com/google/GoogleSignIn-iOS.git',
      :tag => '7.1.0-fac-beta-1.0.0'
  pod 'GoogleSignInSwiftSupport'  # If you use SwiftUI.
end

Then, run pod install and open the created .xcworkspace file.

In Xcode, add the App Attest capability to your app.
In your project's .entitlements file, set the App Attest environment to production.

Note: App Check doesn't accept tokens generated in the App Attest sandbox environment.

3. Initialize App Check

In your app delegate's didFinishLaunchingWithOptions method, call GIDSignIn.sharedInstance.configure(completion:). You should call this method as early as possible in your app's lifecycle to minimize user-perceived latency.

import SwiftUI
import GoogleSignIn

class AppDelegate: NSObject, UIApplicationDelegate {
  func application(
    _ application: UIApplication,
    didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]? = nil
  ) -> Bool {
    #if targetEnvironment(simulator)
    // Configure for debugging.
    // See: https://developers.google.com/identity/sign-in/ios/appcheck/debug-provider
    #else
    GIDSignIn.sharedInstance.configure { error in
      if let error {
        print("Error configuring `GIDSignIn` for Firebase App Check: \(error)")
      }
    }
    #endif

    return true
  }
}

@main
struct YourAppNameApp: App {
  @UIApplicationDelegateAdaptor(AppDelegate.self) var appDelegate

  // ...
}

Next steps

Once the App Check library is installed in your app, start distributing the updated app to your users.

The updated client app will begin sending App Check tokens along with every request it makes to Google's authentication endpoints, but the endpoints won't require the tokens to be valid until you enable enforcement in the App Check section of the Firebase console.

Monitor metrics

Before you enable enforcement, however, you should make sure that doing so won't disrupt your existing legitimate users. On the other hand, if you're seeing suspicious use of your app resources, you might want to enable enforcement sooner.

To help make this decision, you can look at App Check metrics for Google Sign-in.

Enable App Check enforcement

When you understand how App Check will affect your users and you're ready to proceed, you can enable App Check enforcement.

Use App Check in debug environments

If, after you have registered your app for App Check, you want to run your app in an environment that App Check would normally not classify as valid, such as a simulator during development, or from a continuous integration (CI) environment, you can create a debug build of your app that uses the App Check debug provider instead of App Attest.

See Use App Check with the debug provider.