Connect Firebase Authentication to authenticate end users with your Char widget. Configure your Firebase project and set up Char for token validation.
Firebase uses a unique token format. Firebase ID tokens use Google’s project-based issuer URL and require specific audience configuration. Ensure you follow this guide carefully.
Prerequisites
A Firebase project with Authentication enabled
At least one sign-in method configured in Firebase
Access to the Char dashboard
Quick Links SDK References Configuration Steps
Set Up Firebase Authentication
Go to the Firebase Console
Select your project (or create a new one)
Navigate to Build → Authentication
Click Get started if not already enabled
Enable your desired sign-in methods (Email/Password, Google, etc.)
Note Your Project ID
From the Firebase Console:
Click the gear icon → Project settings
Find your Project ID in the General tab
Find your Project ID in Firebase settings
Your Project ID is used to construct the issuer URL. It’s different from the Web API Key.
Get Your Firebase Config
In Project settings → General :
Scroll to Your apps
If no web app exists, click Add app → Web
Note the configuration values, especially projectId
// Firebase config object const firebaseConfig = { apiKey: "AIza..." , authDomain: "your-project.firebaseapp.com" , projectId: "your-project-id" , // ← This is your Project ID // ...other config };
Configure Char
In the Char Dashboard :
Navigate to Settings → Integration
Under SSO Configuration , select Custom OIDC as the provider
Enter your configuration:
Field Value Client ID Your Firebase Project ID Issuer URL https://securetoken.google.com/{project-id}
Click Test Connection to verify
Click Save Changes
Configuration Reference Char Field Firebase Value Example Provider Type Custom OIDC custom_oidcClient ID Firebase Project ID my-app-12345Issuer URL Secure Token issuer https://securetoken.google.com/my-app-12345
Firebase ID tokens use https://securetoken.google.com/{project-id} as the issuer, and the audience (aud) is your Project ID. This is different from Google OAuth tokens.
Token Requirements Char validates Firebase tokens with these requirements:
Claim Requirement issMust be https://securetoken.google.com/{project-id} audMust be your Firebase Project ID subRequired - Firebase user UID expMust not be expired auth_timeMust be in the past
Standard Firebase ID Token Claims Claim Description subFirebase user UID (unique identifier) emailUser’s email address email_verifiedWhether email is verified nameUser’s display name pictureUser’s photo URL firebase.sign_in_providerAuthentication provider used firebase.identitiesLinked identity providers
Example: Obtaining and Passing the Token Firebase Web SDK (v9+)
React (Firebase + Context)
Next.js (with firebase-admin)
Firebase Web SDK (v8/compat)
import { initializeApp } from 'firebase/app' ; import { getAuth , onAuthStateChanged , getIdToken } from 'firebase/auth' ; import "@mcp-b/embedded-agent/web-component" ; const firebaseConfig = { apiKey: "AIza..." , authDomain: "your-project.firebaseapp.com" , projectId: "your-project-id" , }; const app = initializeApp ( firebaseConfig ); const auth = getAuth ( app ); onAuthStateChanged ( auth , async ( user ) => { if ( user ) { const idToken = await getIdToken ( user ); const agent = document . querySelector ( "webmcp-agent" ) ?? document . createElement ( "webmcp-agent" ); if ( ! agent . isConnected ) { document . body . appendChild ( agent ); } agent . setAttribute ( "auth-token" , idToken ); } });
import { createContext , useContext , useEffect , useState } from 'react' ; import { initializeApp } from 'firebase/app' ; import { getAuth , onAuthStateChanged , getIdToken } from 'firebase/auth' ; import "@mcp-b/embedded-agent/web-component" ; // Initialize Firebase const app = initializeApp ( firebaseConfig ); const auth = getAuth ( app ); // Auth Context const AuthContext = createContext ( null ); export function AuthProvider ({ children }) { const [ user , setUser ] = useState ( null ); const [ token , setToken ] = useState ( null ); useEffect (() => { return onAuthStateChanged ( auth , async ( user ) => { setUser ( user ); if ( user ) { const idToken = await getIdToken ( user ); setToken ( idToken ); } else { setToken ( null ); } }); }, []); return ( < AuthContext.Provider value = { { user , token } } > { children } </ AuthContext.Provider > ); } // Widget Component function ChatWidget () { const { user , token } = useContext ( AuthContext ); useEffect (() => { if ( user && token ) { const agent = document . querySelector ( "webmcp-agent" ); if ( agent ) { agent . setAttribute ( "auth-token" , token ); } } }, [ user , token ]); return < webmcp-agent /> ; }
// pages/api/token.js - Verify and refresh token server-side import { getAuth } from 'firebase-admin/auth' ; import { initializeApp , getApps , cert } from 'firebase-admin/app' ; if ( ! getApps (). length ) { initializeApp ({ credential: cert ( JSON . parse ( process . env . FIREBASE_SERVICE_ACCOUNT )), }); } export default async function handler ( req , res ) { const token = req . headers . authorization ?. split ( 'Bearer ' )[ 1 ]; if ( ! token ) { return res . status ( 401 ). json ({ error: 'No token provided' }); } try { const decodedToken = await getAuth (). verifyIdToken ( token ); // Token is valid, return it or generate a new one res . json ({ valid: true , uid: decodedToken . uid }); } catch ( error ) { res . status ( 401 ). json ({ error: 'Invalid token' }); } } // Client-side component 'use client' ; import { useEffect } from 'react' ; import { auth } from '../lib/firebase' ; import "@mcp-b/embedded-agent/web-component" ; export default function Widget () { useEffect (() => { const unsubscribe = auth . onAuthStateChanged ( async ( user ) => { if ( user ) { const token = await user . getIdToken (); const agent = document . querySelector ( "webmcp-agent" ); if ( agent ) { agent . setAttribute ( "auth-token" , token ); } } }); return () => unsubscribe (); }, []); return < webmcp-agent /> ; }
import firebase from 'firebase/compat/app' ; import 'firebase/compat/auth' ; import "@mcp-b/embedded-agent/web-component" ; firebase . initializeApp ( firebaseConfig ); firebase . auth (). onAuthStateChanged ( async ( user ) => { if ( user ) { const idToken = await user . getIdToken (); const agent = document . querySelector ( "webmcp-agent" ) ?? document . createElement ( "webmcp-agent" ); if ( ! agent . isConnected ) { document . body . appendChild ( agent ); } agent . setAttribute ( "auth-token" , idToken ); } });
Token Refresh Firebase ID tokens expire after 1 hour. Handle token refresh:
import { getAuth , getIdToken } from 'firebase/auth' ; const auth = getAuth (); // Force refresh to get a new token async function refreshToken () { const user = auth . currentUser ; if ( user ) { // Pass true to force refresh const newToken = await getIdToken ( user , true ); return newToken ; } return null ; } // Set up automatic refresh before expiration setInterval ( async () => { const newToken = await refreshToken (); if ( newToken ) { const agent = document . querySelector ( "webmcp-agent" ); if ( agent ) { agent . setAttribute ( "auth-token" , newToken ); } } }, 55 * 60 * 1000 ); // Refresh every 55 minutes
Custom Claims Add custom claims using Firebase Admin SDK:
// Server-side: Set custom claims import { getAuth } from 'firebase-admin/auth' ; await getAuth (). setCustomUserClaims ( uid , { role: 'admin' , team: 'engineering' , subscription: 'premium' , }); // Client-side: Access custom claims const user = auth . currentUser ; const tokenResult = await user . getIdTokenResult (); console . log ( 'Role:' , tokenResult . claims . role );
Custom claims are included in the ID token. Changes take effect on the next token refresh (force refresh with getIdToken(user, true)).
Multiple Authentication Providers Firebase supports linking multiple authentication providers:
// User signed in with email can link Google import { GoogleAuthProvider , linkWithPopup } from 'firebase/auth' ; const googleProvider = new GoogleAuthProvider (); const result = await linkWithPopup ( auth . currentUser , googleProvider ); // The ID token will include all linked identities in firebase.identities
Troubleshooting
The issuer URL format is incorrect:
Use the correct format : https://securetoken.google.com/{project-id}Verify Project ID : Found in Firebase Console → Project settingsNo trailing slash : The URL should not end with /Case sensitivity : Project IDs are lowercase
The token’s audience doesn’t match:
The audience must be your Firebase Project ID (not API key)
Verify you’re using getIdToken(), not getAccessToken()
Check the Project ID in the Char configuration matches exactly
Char couldn’t reach Google’s JWKS endpoint:
Firebase uses Google’s public keys at https://www.googleapis.com/service_accounts/v1/jwk/[email protected]
This should always be accessible; if not, check your network configuration
Firebase tokens expire after 1 hour:
Implement automatic token refresh (see “Token Refresh” section)
Use getIdToken(user, true) to force a fresh token
Consider checking exp claim before making requests
Custom claims not appearing
If custom claims aren’t in the token:
Custom claims require a token refresh to take effect
Call getIdToken(user, true) after setting claims
Check claims were set correctly using Admin SDK
Custom claim keys cannot start with reserved prefixes (firebase:, google:)
Firebase vs Google OAuth Don’t confuse Firebase Auth with Google OAuth. They use different issuers and token formats:Provider Issuer URL Audience Firebase Auth https://securetoken.google.com/{project-id}Project ID Google OAuth https://accounts.google.comClient ID
If you’re using the Google sign-in provider within Firebase, you still use Firebase tokens (not Google OAuth tokens). Security Best Practices
Enable email verification for email/password authenticationConfigure authorized domains in Firebase Console → Authentication → SettingsUse security rules for Firestore/Realtime Database access controlEnable App Check to protect against abuseMonitor usage in Firebase Console for unusual patternsSet session duration appropriately in Firebase ConsoleImplement proper sign-out to invalidate sessions
