Firebase Verify Token

Firebase Verify Token

Secure, lightweight, and pure Dart solution for verifying Firebase JWT tokens.
No backend required. Supports multi-project validation.

Pub Version Pub Points Pub Likes License

✨ Features

  • 🛡️ Pure Dart: Verify tokens without exposing your private keys or using the Firebase Admin SDK.
  • 🌍 Multi-Platform: Works on Android, iOS, Web, macOS, Windows, and Linux.
  • ⏱️ Accurate Timing: Uses NTP synchronization to prevent issues with device clock drift.
  • High Performance: Caches Google's public keys for faster verification.
  • 🔐 Secure Validation:
    • Checks Signature (RSA SHA-256)
    • Validates Expiration (exp), Issued At (iat), and Auth Time (auth_time).
    • Verifies Audience (aud / Project ID) and Issuer (iss).

🚀 Getting Started

1. Install via pubspec.yaml

dependencies:
  firebase_verify_token_dart: ^2.2.0

2. Import the Package

import 'package:firebase_verify_token_dart/firebase_verify_token_dart.dart';

📖 Usage

Initialize

Set the allowed Firebase Project IDs (Audience) before verifying tokens. This is usually done in your main() or initialization logic.

void main() {
  FirebaseVerifyToken.projectIds = ['my-firebase-project-id'];
}

Verify a Token

Verify a raw JWT token string. This method is asynchronous and returns a bool.

final isValid = await FirebaseVerifyToken.verify(token);

if (isValid) {
  print("✅ Token is valid!");
} else {
  print("❌ Invalid token.");
}

Get Verification Details

Pass an optional callback to get detailed results, including the matched project ID and verification duration.

final isValid = await FirebaseVerifyToken.verify(
  token,
  onVerifyCompleted: ({required bool status, String? projectId, int? duration}) {
    if (status) {
      print("✅ Verified for project '$projectId' inside ${duration}ms");
    } else {
      print("❌ Verification failed.");
    }
  },
);

Extract Claims (Without Verification)

Sometimes you just need to read the token's content (e.g., User ID) without a full cryptographic check.

// Get User ID (sub)
final uid = FirebaseVerifyToken.getUserID(token);

// Get Project ID (aud)
final projectId = FirebaseVerifyToken.getProjectID(token);

🛠️ Advanced

Why use this over the Firebase Admin SDK? The Firebase Admin SDK requires a service account with elevated privileges, which is dangerous to use in client-side applications. This package purely verifies the token's signature using Google's public keys, making it safe for client-side use or lightweight server-side Dart applications (e.g., Dart Frog, Shelf).

🤝 Contributing

We welcome contributions!

  • 🐛 Report Issues: Submit bugs or feature requests on GitHub Issues.
  • 💡 Submit PRs: Pull Requests are welcome. Please adhere to the existing code style.

📄 License

This project is licensed under the MIT License.

Libraries

firebase_jwt
firebase_verify_token_dart
models/firebase_mock
models/models