0
votes

When I generate a token using createCustomToken from the Firebase Admin SDK, how can I verify that it is a valid token without using the SDK again?

I assumed it's a valid OAuth token, but I cannot find the signing key and therefore cannot check the integrity. I use Firebase Auth for storing the token and the Admin SDK.

2 Answers

1
votes

Custom Tokens created with the Firebase admin SDK are signed using a service account. In the default setting the service account email has the form firebase-adminsdk-bh96s@<YOUR_PROJECT_ID>.iam.gserviceaccount.com.

Under https://www.googleapis.com/robot/v1/metadata/x509/<service account email> you will find the corresponding public keys.

See also https://firebase.google.com/docs/auth/admin/create-custom-tokens
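
The check described in this answer, as an added example that is not part of the original answer or of Firebase's own code: it verifies the RS256 signature of a custom token against the key map published for the service account, then checks the claims listed in the linked create-custom-tokens documentation. The service account email, key id, key pair and `mintDemoToken` helper are constructed stand-ins so the block runs offline; in real use `keys` is the JSON fetched over HTTPS from the x509 URL above.

```javascript
const crypto = require('node:crypto');

// Audience of Firebase custom tokens, per the create-custom-tokens documentation.
const AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// keys: the { keyId: PEM } map published at the x509 metadata URL for the
// service account (PEM certificates and PEM public keys are both accepted).
function verifyCustomToken(token, keys, serviceAccount, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const [h, p, s] = parts;
  const header = decode(h);
  // Pin the algorithm; never let the token pick "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Honour kid when present, otherwise try every published key.
  const candidates = Object.entries(keys)
    .filter(([kid]) => header.kid === undefined || kid === header.kid)
    .map(([, pem]) => crypto.createPublicKey(pem));
  const signed = Buffer.from(`${h}.${p}`);
  const sig = Buffer.from(s, 'base64url');
  if (!candidates.some((key) => crypto.verify('RSA-SHA256', signed, key, sig))) {
    throw new Error('bad signature');
  }
  // Only after the signature checks out are the claims trusted enough to inspect.
  const c = decode(p);
  if (c.iss !== serviceAccount || c.sub !== serviceAccount) throw new Error('wrong issuer');
  if (c.aud !== AUD) throw new Error('wrong audience');
  if (!(c.iat <= now + 60 && now < c.exp && c.exp - c.iat <= 3600)) throw new Error('bad lifetime');
  if (typeof c.uid !== 'string' || c.uid === '') throw new Error('missing uid');
  return c;
}

// Constructed demo data: a throwaway key pair stands in for the service account key.
const SA = 'firebase-adminsdk-xxxxx@example-project.iam.gserviceaccount.com';
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const DEMO_KEYS = { 'demo-key-1': publicKey.export({ type: 'spki', format: 'pem' }) };

// Stand-in for createCustomToken: header.payload signed with RS256.
function mintDemoToken(claims) {
  const body = `${encode({ alg: 'RS256', typ: 'JWT' })}.${encode(claims)}`;
  return `${body}.${crypto.sign('RSA-SHA256', Buffer.from(body), privateKey).toString('base64url')}`;
}

const iat = Math.floor(Date.now() / 1000);
const demo = mintDemoToken({ iss: SA, sub: SA, aud: AUD, iat, exp: iat + 3600, uid: 'user-123' });
console.log(verifyCustomToken(demo, DEMO_KEYS, SA).uid);
```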

-1
votes

Firebase ID tokens are JWTs (JSON Web Tokens) and can be verified either with the Firebase Admin SDK, or with any other JWT parsing library.