7
votes

I am trying to generate custom tokens with the Firebase Admin SDK:

const uid = '91f0bf4c-3e3c-441c-a21d-6a7fee341db5'
firebaseAdmin.auth().createCustomToken(uid)

With this specific uid sometimes the custom tokens work, other times when using authWithCustomToken() on the client side I get this error:

"auth/invalid-custom-token": "The custom token format is incorrect. Please check the documentation."

Is there any way I can debug what is going on with the token? On the surface both the "good" tokens and the "bad" tokens look the same:

They have 3 parts, separated by a .

  • The first part is 36 characters long and in both the working case and the broken case it is the exact same
  • In both examples, the second part is 392 characters and they are almost the exact same
  • In both examples, the third part is 342 characters long and they are different.

2 Answers

8
votes

Can you go to https://jwt.io and decode your custom token? It should look like this:

{
  "uid": "some-uid",
  "iat": 1500147255,
  "exp": 1500150855,
  "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
  "iss": "firebaseserviceaccount@YOUR_PROJECT_ID.iam.gserviceaccount.com",
  "sub": "firebaseserviceaccount@YOUR_PROJECT_ID.iam.gserviceaccount.com"
}

YOUR_PROJECT_ID should match the project used on your client side.

4
votes

The token is expired. The Firebase SDK throws the same error, auth/invalid-custom-token, for both malformed tokens and expired tokens.

Hopefully, the error handling improves soon. In the meantime, developers can check whether a token is expired by using a client-side library like jwt-decode and comparing the "exp" timestamp to the current time.
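The checks from both answers (three-part structure, project ID in the issuer, "exp" against the current time) can be run locally in Node.js instead of pasting a live token into a website. This is an added example, not code from either answer; `inspectCustomToken`, `makeSampleToken` and the `demo-project` ID are hypothetical names, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: decode-only triage of a Firebase custom token. No signature check.
const EXPECTED_AUD =
  "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
// JWT segments are unpadded base64url; map to standard base64 before decoding.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Hypothetical helper: returns the decoded claims plus a list of problems found.
function inspectCustomToken(token, expectedProjectId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    return { claims: null, problems: ["malformed: expected 3 non-empty parts"] };
  }
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (err) {
    claims = null;
  }
  if (claims === null || typeof claims !== "object") {
    return { claims: null, problems: ["malformed: payload is not a JSON object"] };
  }
  const problems = [];
  if (typeof claims.uid !== "string" || claims.uid === "") problems.push("missing uid");
  if (claims.aud !== EXPECTED_AUD) problems.push("unexpected aud");
  // Assumption: issuer follows the <account>@<project>.iam.gserviceaccount.com form shown above.
  const suffix = `@${expectedProjectId}.iam.gserviceaccount.com`;
  if (typeof claims.iss !== "string" || !claims.iss.endsWith(suffix) || claims.iss !== claims.sub) {
    problems.push("issuer does not match expected project");
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("expired");
  return { claims, problems };
}

// Constructed sample token (placeholder signature, made-up project id) for offline runs.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
const SAMPLE_ISS = "firebaseserviceaccount@demo-project.iam.gserviceaccount.com";
const SAMPLE_TOKEN = makeSampleToken({
  uid: "91f0bf4c-3e3c-441c-a21d-6a7fee341db5", iat: 1500147255, exp: 1500150855,
  aud: EXPECTED_AUD, iss: SAMPLE_ISS, sub: SAMPLE_ISS,
});
console.log(inspectCustomToken(SAMPLE_TOKEN, "demo-project", 1500150856).problems); // [ 'expired' ]
```

The decoded claims are unverified and useful only for debugging; a token that reports "expired" here needs to be re-minted by the server rather than retried.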