Devices and HardwareGamingSecurity and PrivacyContact UsAbout Us

Your Guide to How To Remove App Check Firebase

What You Get:

Free Guide

Free, helpful information about Software & App Operations and related How To Remove App Check Firebase topics.

Helpful Information

Get clear and easy-to-understand details about How To Remove App Check Firebase topics and resources.

Personalized Offers

Answer a few optional questions to receive offers or information related to Software & App Operations. The survey is optional and not required to access your free guide.

How to Remove App Check from Firebase: What Developers Need to Know

Firebase App Check is a powerful security layer — but there are legitimate reasons to disable or remove it from your project. Whether you're restructuring your app's architecture, troubleshooting unexpected token failures, or moving away from Firebase entirely, understanding how App Check is integrated is the first step toward removing it cleanly.

What Is Firebase App Check?

Firebase App Check is a security feature that verifies requests to your Firebase backend (Firestore, Realtime Database, Cloud Storage, Cloud Functions, etc.) are coming from your legitimate app — not from unauthorized scripts or bots.

It works by having your app obtain a cryptographically signed token from an attestation provider (like Apple's DeviceCheck, Google Play Integrity, or reCAPTCHA for web). That token gets attached to every Firebase request. Firebase services then reject requests without a valid token when enforcement is enabled.

This distinction matters enormously when removing App Check: there's a difference between unenforcing it and fully removing the SDK and code.

The Two Layers You Need to Address

Removing App Check isn't a single action — it spans two separate layers:

  • Client-side: The SDK initialization code and any provider configuration in your app code
  • Server-side (Firebase Console): Enforcement settings that tell Firebase services whether to reject unauthenticated requests

Skipping either layer creates problems. Remove only the client code without turning off enforcement, and your users will immediately start getting rejected requests. Disable enforcement without cleaning up the code, and you're carrying dead weight in your build.

Step 1: Turn Off Enforcement in the Firebase Console 🔧

Before touching any code, go to the Firebase Console:

  1. Open your project
  2. Navigate to App Check (under the Build menu)
  3. Select each Firebase service (Firestore, Storage, Functions, etc.)
  4. Switch enforcement from Enforced to Unenforced or Monitoring

Monitoring mode still collects App Check metrics without blocking unverified requests. Unenforced means App Check tokens are ignored entirely for that service.

Do this first. Deploying code changes before disabling enforcement will cause a gap where your app sends no tokens but Firebase still rejects requests.

Step 2: Remove App Check Initialization from Your App Code

The exact steps depend on your platform.

Android (Kotlin/Java)

Remove the FirebaseApp.initializeApp() call that chains App Check initialization, and delete any block resembling: