Which API should I use to exchange a Firebase Custom Token?

Question

I have read many articles regarding using Firebase Custom Tokens. To summarize, there are three steps:

1. Create a custom token using firebase-admin.auth().createCustomToken(/* user ID */)
2. Get an ID token by exchanging the custom token.
3. Post documents to Firestore

I can obtain the ID token from both of the below APIs.

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=API_KEY
https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=API_KEY

Of these two Google APIs, which should I be using for a new project?

Some information that I'd also like to know:

• Are these APIs actually the same?
• What is the difference between the two aside from the names verifyCustomToken and accounts:signInWithCustomToken?
• Should I use the v3 API because it's not v1? Some tutorials still refer to the v1 API.

Answer 1

The current Google Identity Toolkit for Websites API documentation uses the v3 URL format (GITKit v3). Therefore v1 and v2 are both deprecated and shouldn't be used. Interestingly enough, the official reference doesn't list out all of the GITKit v3 endpoints.

The current version of the Firebase SDK v7.14.2 makes use of the v3 API, so I would recommend using the same endpoint.

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=API_KEY

The release of GITKit v3 involved a restructure of the GITKit v1 and v2 APIs - leading to endpoints being renamed.

Moving forward, make use of the GITKit v3 endpoints.