How to Use reCAPTCHA Enterprise with Firebase Phone Authentication

How to Use reCAPTCHA Enterprise with Firebase Phone Authentication

Environment

• Firebase JavaScript SDK: version 11.6.0

Steps I’ve followed:

1. Created reCAPTCHA Enterprise key in the GCP console:

• GCP reCAPTCHA Enterprise Console

2. Registered reCAPTCHA Enterprise in Firebase Console App Check:

• Under the “Apps” tab in Firebase App Check settings.

3. Applied Authentication in Firebase App Check:

• Under the “API” tab in Firebase App Check settings.

4. Configured via Admin SDK (updateProjectConfig method):

const projectConfig = await admin.auth().projectConfigManager().updateProjectConfig({
recaptchaConfig: {
phoneEnforcementState: 'ENFORCE',
useSmsTollFraudProtection: true,
useSmsBotScore: true,
}
});

5. Executed signInWithPhoneNumber on the frontend (without the third argument):

Request URL:

<URL Removed by Staff>

Response:

{
"error": {
"code": 500,
"message": "Internal error encountered.",
"status": "INTERNAL"
}
}

When switching phoneEnforcementState to OFF

Admin SDK configuration:

const projectConfig = await admin.auth().projectConfigManager().updateProjectConfig({
recaptchaConfig: {
phoneEnforcementState: 'OFF',
useSmsTollFraudProtection: false,
useSmsBotScore: false,
}
});

Response becomes:

{
"recaptchaEnforcementState": [
{
"provider": "EMAIL_PASSWORD_PROVIDER",
"enforcementState": "ENFORCEMENT_STATE_UNSPECIFIED"
},
{
"provider": "PHONE_PROVIDER",
"enforcementState": "OFF"
}
],
"useSmsBotScore": false,
"useSmsTollFraudProtection": false
}

Question

I want to enable reCAPTCHA Enterprise for Firebase Phone Authentication, but I keep receiving a 500 Internal error. Is there anything I’m missing or doing incorrectly?

Hi @kitta07 ,

Welcome to Google Cloud Community!

The 500 Internal error occurs because Firebase Phone Authentication requires a client-side reCAPTCHA token to accompany the request, even when reCAPTCHA Enterprise is enforced via App Check and the Admin SDK (phoneEnforcementState: ‘ENFORCE’). Without the RecaptchaVerifier, the backend cannot validate the request, resulting in a server-side failure. Adding the verifier ensures a token is generated and sent, aligning with the security requirements of both Firebase Authentication and reCAPTCHA Enterprise.

Before you can sign in users with their phone numbers, you must set up Firebase’s reCAPTCHA verifier. Firebase uses reCAPTCHA to prevent abuse, such as by ensuring that the phone number verification request comes from one of your app’s allowed domains.

• Firebase Phone Authentication for details on using RecaptchaVerifier with signInWithPhoneNumber.
• Firebase App Check with reCAPTCHA Enterprise - Outlines how to configure App Check with reCAPTCHA Enterprise for secure API calls.
• reCAPTCHA Enterprise Documentation - Provides guidance on creating and managing reCAPTCHA Enterprise keys in GCP.
• Firebase Admin SDK: Update Project Config - Confirms the use of updateProjectConfig for enforcing reCAPTCHA settings.

For more detailed insights you may reach out to Google Cloud Support for assistance.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

I found that it was failing in updateConfig.

https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects/updateConfig?hl=ja

400

"recaptchaKeys": [
{
"key": "6Leo7gcrAAAAAPNfXkUe2-g_MeeICjkcP8tP66J6",
"type": "WEB"
}
]

200

"recaptchaKeys": [
{
"key": "6Leo7gcrAAAAAPNfXkUe2-g_MeeICjkcP8tP66J6",
"type": "CLIENT_TYPE_UNSPECIFIED"
}
]

スクリーンショット 2025-04-21 11.36.55.png1122×694 49.5 KB