How to Remove App Check from Firebase: What Developers Need to Know

Firebase App Check is a powerful security layer — but there are legitimate reasons to disable or remove it from your project. Whether you're restructuring your app's architecture, troubleshooting unexpected token failures, or moving away from Firebase entirely, understanding how App Check is integrated is the first step toward removing it cleanly.

What Is Firebase App Check?

Firebase App Check is a security feature that verifies requests to your Firebase backend (Firestore, Realtime Database, Cloud Storage, Cloud Functions, etc.) are coming from your legitimate app — not from unauthorized scripts or bots.

It works by having your app obtain a cryptographically signed token from an attestation provider (like Apple's DeviceCheck, Google Play Integrity, or reCAPTCHA for web). That token gets attached to every Firebase request. Firebase services then reject requests without a valid token when enforcement is enabled.

This distinction matters enormously when removing App Check: there's a difference between unenforcing it and fully removing the SDK and code.

The Two Layers You Need to Address

Removing App Check isn't a single action — it spans two separate layers:

• Client-side: The SDK initialization code and any provider configuration in your app code
• Server-side (Firebase Console): Enforcement settings that tell Firebase services whether to reject unauthenticated requests

Skipping either layer creates problems. Remove only the client code without turning off enforcement, and your users will immediately start getting rejected requests. Disable enforcement without cleaning up the code, and you're carrying dead weight in your build.

Step 1: Turn Off Enforcement in the Firebase Console 🔧

Before touching any code, go to the Firebase Console:

1. Open your project
2. Navigate to App Check (under the Build menu)
3. Select each Firebase service (Firestore, Storage, Functions, etc.)
4. Switch enforcement from Enforced to Unenforced or Monitoring

Monitoring mode still collects App Check metrics without blocking unverified requests. Unenforced means App Check tokens are ignored entirely for that service.

Do this first. Deploying code changes before disabling enforcement will cause a gap where your app sends no tokens but Firebase still rejects requests.

Step 2: Remove App Check Initialization from Your App Code

The exact steps depend on your platform.

Android (Kotlin/Java)

Remove the FirebaseApp.initializeApp() call that chains App Check initialization, and delete any block resembling:

val appCheck = FirebaseAppCheck.getInstance() appCheck.installAppCheckProviderFactory( PlayIntegrityAppCheckProviderFactory.getInstance() ) 

Then remove the dependency from your build.gradle:

implementation 'com.google.firebase:firebase-appcheck-playintegrity' 

Or whichever provider you used (firebase-appcheck-debug, firebase-appcheck-safetynet, etc.).

iOS (Swift)

Remove the AppCheck.setAppCheckProviderFactory() call from your AppDelegate or app initialization file, then remove the Firebase App Check package from your Swift Package Manager or CocoaPods dependencies (pod 'FirebaseAppCheck').

Web (JavaScript/TypeScript)

Delete any initializeAppCheck() call and the associated ReCaptchaV3Provider or CustomProvider import:

// Remove this block entirely import { initializeAppCheck, ReCaptchaV3Provider } from "firebase/app-check"; const appCheck = initializeAppCheck(app, { ... }); 

If you're using the Firebase compat SDK (firebase/compat/app-check), remove that import reference as well.

Flutter

Remove the FirebaseAppCheck.instance.activate() call and the firebase_app_check package from your pubspec.yaml.

Step 3: Clean Up Environment Variables and Tokens

App Check often requires debug tokens stored as environment variables (especially in CI/CD pipelines). Check for:

• FIREBASE_APP_CHECK_DEBUG_TOKEN in environment configs
• Any debug token entries registered in the Firebase Console under App Check > Apps > Manage debug tokens

Leaving registered debug tokens active is a minor security concern — they could be used to bypass your backend if App Check enforcement is ever re-enabled.

What Happens to Existing Firebase Security Rules?

Removing App Check does not change your Firestore or Realtime Database security rules. Those operate independently. If your security rules relied on request.auth or custom claims, they continue working exactly as before. App Check was an additional verification layer sitting above your rules — removing it doesn't weaken rule-based access control.

However, if you were using request.app checks in your Firestore security rules (a less common but valid pattern), those will need to be revised. A rule like allow read: if request.app != null will behave differently once App Check tokens are no longer being sent.

Variables That Shape How This Affects Your App 🔍

The impact of removing App Check varies significantly depending on:

A small hobby project with a single web frontend has a very different removal process than a production app deployed across Android, iOS, and web with separate CI pipelines and per-service enforcement configurations.

When Partial Removal Makes More Sense

Some teams don't need to eliminate App Check entirely — they need to relax it. Switching from Enforced to Monitoring mode keeps the telemetry without blocking requests, which can be useful during migrations or debugging phases. Others disable enforcement on specific services (like Cloud Functions) while keeping it active on Firestore.

Whether a full removal or a partial configuration change is the right path depends on why App Check was causing friction in the first place — and that answer lives in your specific architecture, your users' devices, and the threat model your backend actually needs to defend against.