App Check with reCAPTCHA

Last Updated: 25 Jul 2021

NOTE: This feature works in Browser/HTML5 Export only

Step 1: Register for reCAPTCHA v3

1. Visit this page to register.

2. Click the "Create" option ("+" icon in top-right corner) and choose reCAPTCHA v3

3. Keep the Domain section empty and fill up rest of the form.

4. You will need the Site Key and the Secret Key in the later steps.

Step 2: Enable Firebase App Check

This step will allow your Firebase Services to keep a track of all requests and prepare a graph that will show whether the requests sent to your Firebase Project are from verified clients, or unverified clients (outdated, unknown origin or malicious)

This image shows an example graph ->

As seen above, the request metrics for each product are broken down into four categories:

  • Verified requests are those that have a valid App Check token. After you enable App Check enforcement, only requests in this category will succeed.

  • Outdated client requests are those that are missing an App Check token. These requests might be from an older version of the Firebase SDK before App Check was included in the app.

  • Unknown origin requests are those that are missing an App Check token, and don't look like they come from the Firebase SDK. These might be from requests made with stolen API keys or forged requests made without the Firebase SDK.

  • Malicious requests are those that have an invalid App Check token, which might be from an inauthentic client attempting to impersonate your app.


1. Go to Firebase Console > Project Settings > App Check

2. Click on the app for which you want to enable App Check.

3. Enter your reCAPTCHA Secret Key.

Step 3: Enforce App Check

This step will enforce app check on your selected Firebase Services. Enforcing App Check means only Verified Clients will be allowed to access the Firebase Service. So completing this step will allow you to block Unverified clients like outdated client, unknown origin and malicious requests.

The distribution of these categories for your app should inform when you decide to enable enforcement. Here are some guidelines:

  • If almost all of the recent requests are from verified clients, consider enabling enforcement to start protecting your backend resources.

  • If a significant portion of the recent requests are from likely-outdated clients, to avoid disrupting users, consider waiting for more users to update your app before enabling enforcement. Enforcing App Check on a released app will break prior app versions that are not integrated with the App Check SDK.

  • If your app hasn't launched yet, you should enable App Check enforcement immediately, since there aren't any outdated clients in use.

  • If your app has been made for multiple export platforms, do not enable App Check enforcement.


Click on your required Product Service, and just click Enforce.

Step 4: Firebase SDK Plugin Property

1. In your Construct 3 Editor, go to Firebase SDK Plugin Property.

2. Enable App Check

3. Enter your reCAPTCHA Site Key.

Portions of this page are modifications based on work created and shared by Google and used according to terms described in the Creative Commons 4.0 Attribution License.