22

I'm trying to use Postman to do REST API calls to Firebase. I've managed to read from Firebase when my security rule is to permit all users including unauthorized ones.

But when I use this rule:

```
{"rules":{".read": "auth != null", ".write": "auth != null"}}
```

I get 'error' : 'permission denied' from Postman. I did the request token for Google's web OAuth 2.0 client and got the authorization_code token back.

I tried to use the token in the URL and in the header, tried it with GET & POST requests, and still get denied.

Please help. Thanks in advance.

Frank van Puffelen
Reno Wijoyo
  • You'll need an access token with the proper scope, an authorization code is just an intermediate credential used to get an OAuth 2.0 access token. Once you have it, you can pass it in the header as `Authorization: Bearer ` – Michael Bleigh Jul 29 '16 at 17:40
  • Still permission denied. The scope I used is googleapis.com/auth/firebase. How can I test if the token is working? I'm not sure where the fault is: 1. Google creds? 2. Firebase auth/rules? 3. OAuth from Postman? – Reno Wijoyo Jul 30 '16 at 00:43
  • See my updated comments on the post below :) – Reno Wijoyo Jul 30 '16 at 02:59

7 Answers

34

The answers above did not work for me.

What did work for me was going to

Project Settings (top left corner gear) -> Service Accounts (far right tab) -> Database Secrets (left menu) -> Scroll down, hover over the bullets and click Show

Use this as the auth key, i.e. .../mycollection.json?auth=HERE

CodyBugstein
15

For me it worked like this:

https://your-database-url/users.json?auth=YOUR_AUTH_KEY

Where can you get this AUTH_KEY?

You get this key from your Project Settings -> Database -> Secret Key

Andre Evangelista
  • Project Settings -> Database -> Secret Key? There is no such path – CodyBugstein Nov 11 '16 at 21:19
  • 4
    Currently the secret key is accessed in your Firebase console by clicking on: Project Settings -> Service Accounts (Tab) -> Database Secrets. Then hover over the secret and a 'SHOW' button will display. Click this, then you can see it. Also note that your database URL can be found from your console by clicking on the Database item in the left menu. – omarjebari Dec 06 '16 at 14:18
  • 1
    Also try using the Simulator in the Firebase Console under Database->Rules. It helps you to build up a valid authenticated request which you can then copy across to postman. – omarjebari Dec 06 '16 at 14:55
  • @andreEvangelista Yes, it worked, but the Firebase docs say database secrets are now deprecated, so should we still use them? I am using C# and there is no official SDK available, so I have to use the REST API and use a workaround. What do you suggest? – Dragon Jul 24 '17 at 07:29
  • Thank you, it worked for me – poonam kalra Jun 28 '23 at 08:37
6

Try something like this

https://your-database-url/users.json?auth=YOUR_AUTH_KEY

Response is a JSON of your USERS node

Veeresh Charantimath
  • Still permission denied. The scope I used is https://www.googleapis.com/auth/firebase – Reno Wijoyo Jul 30 '16 at 00:40
  • https://project-5345143141106430789.firebaseio.com/users.json?access_token=ya29.Ci8wAzAqJp346BXPzy0NgeHCqZeF7w82FS_zaVPa902ncwtMpC4V-c8X9SFcQIujDg – Reno Wijoyo Jul 30 '16 at 00:45
  • 1
    CORRECTION: So I was using the access_token parameter instead of auth. That's why I've been getting the permission denied. After changing it to AUTH I am getting the `"error": "Could not parse auth token."` when using my returned access_token. Per the Firebase docs you can access it using either an authenticated token OR Firebase's app secret. Using the latter as my AUTH value I've managed to get the data, but using the auth'ed token is still resulting in an error – Reno Wijoyo Jul 30 '16 at 02:55
  • Same problem here – CodyBugstein Nov 11 '16 at 21:16
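
The comments above turn on which request parameter carries which credential. As an added example (not part of the original thread), this Node.js code places each credential kind where the Realtime Database REST API reads it and masks it before a URL is logged. The function names, the database URL and the token values are constructed for illustration, and the shape checks in `guessKind` are heuristics.

```javascript
// Added example, not from the thread. Where each credential kind goes in a
// Realtime Database REST request. All sample values below are constructed.
const PLACEMENT = {
  id_token: 'auth',              // Firebase ID token (JWT): ?auth=<token>
  database_secret: 'auth',       // legacy secret: ?auth=<secret>, bypasses rules
  oauth2_access_token: 'bearer', // Google OAuth2 token: Authorization header
};

// Heuristic guess from the credential's shape (assumption, not an API contract).
function guessKind(cred) {
  if (cred.startsWith('ya29.')) return 'oauth2_access_token';
  if (/^[\w-]+\.[\w-]+\.[\w-]+$/.test(cred)) return 'id_token';
  return 'unknown'; // e.g. an OAuth authorization code, which must be exchanged first
}

function buildRequest(dbUrl, path, cred, kind = guessKind(cred)) {
  const url = new URL(`${path}.json`, dbUrl);
  const headers = {};
  switch (PLACEMENT[kind]) {
    case 'auth':
      url.searchParams.set('auth', cred);
      break;
    case 'bearer':
      headers.Authorization = `Bearer ${cred}`; // stays out of URLs and access logs
      break;
    default:
      throw new Error(`cannot place credential of kind "${kind}"`);
  }
  return { url: url.toString(), headers };
}

// Mask credentials carried in the query string before a URL is logged or shared.
function redactUrl(urlString) {
  const url = new URL(urlString);
  for (const name of ['auth', 'access_token']) {
    if (url.searchParams.has(name)) url.searchParams.set(name, 'REDACTED');
  }
  return url.toString();
}

const DB = 'https://example-project.firebaseio.com'; // constructed URL
const withIdToken = buildRequest(DB, 'users', 'aaaa.bbbb.cccc');
console.log(redactUrl(withIdToken.url));
console.log(buildRequest(DB, 'users', 'ya29.constructed-token').url);
```

Because a database secret in `?auth=` is not subject to the security rules, treat any URL containing it as a credential and redact it before it reaches logs, screenshots or shared Postman collections.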
5

I created a Postman pre-request script for helping create an Authentication: Bearer JWT. Should save a lot of copy pasting when testing APIs with Firebase Auth. https://gist.github.com/moneal/af2d988a770c3957df11e3360af62635

Copy of script at time of posting:

```javascript
/**
 * This script expects the global variables 'refresh_token' and 'firebase_api_key' to be set. 'firebase_api_key' can be found
 * in the Firebase console under project settings then 'Web API Key'.
 * 'refresh_token' has to be gathered from watching the network requests to https://securetoken.googleapis.com/v1/token from
 * your Firebase app, look for the formdata values
 *
 * If all the data is found it makes a request to get a new token and sets a 'auth_jwt' environment variable and updates the
 * global 'refresh_token'.
 *
 * Requests that need authentication should have a header with a key of 'Authentication' and value of '{{auth_jwt}}'
 *
 * Currently the nested assertions silently fail, I don't know why.
 */
pm.expect(pm.globals.has('refresh_token')).to.be.true;
pm.expect(pm.globals.has('firebase_api_key')).to.be.true;

// Build the form-encoded refresh-token exchange request
var sdk = require('postman-collection'),
  tokenRequest = new sdk.Request({
    url: 'https://securetoken.googleapis.com/v1/token',
    method: 'POST',
    body: {
      mode: 'urlencoded',
      urlencoded: [{
          type: 'text',
          key: 'key',
          value: pm.globals.get('firebase_api_key')
        },
        {
          type: 'text',
          key: 'grant_type',
          value: 'refresh_token'
        },
        {
          type: 'text',
          key: 'refresh_token',
          value: pm.globals.get('refresh_token')
        },
      ]
    }
  });

pm.sendRequest(tokenRequest, function(err, response) {

  pm.test('request for access token was ok', function() {
    // Fail on transport errors before touching the response
    pm.expect(err).to.equal(null);
    // `ok` is an assertion property, not a method, so it takes no parentheses
    pm.expect(response).to.be.ok;
  });

  const json = response.json();
  pm.expect(json).to.be.an('object');

  pm.test('response json has needed properties', function() {

    pm.expect(json).to.have.own.property('access_token');
    pm.expect(json).to.have.own.property('token_type');
    pm.expect(json).to.have.own.property('refresh_token');

    const accessToken = json.access_token;
    const tokenType = json.token_type;
    const refreshToken = json.refresh_token;

    // Store the header value for later requests and rotate the refresh token
    pm.environment.set('auth_jwt', tokenType + ' ' + accessToken);
    pm.globals.set('refresh_token', refreshToken);

  });

});
```
Morgan O'Neal
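
To answer "how can I test if the token is working" for a JWT obtained this way, the following added Node.js example (not part of the answer or the linked gist) decodes a Firebase ID token's claims and reports the usual reasons for rejection. It inspects the token without verifying its signature, takes the token without the `Bearer ` prefix, and uses a constructed, unsigned sample token and a hypothetical project id.

```javascript
// Added example, not from the answer. Inspects (does NOT verify) the claims of
// a Firebase ID token to explain why a request may be rejected.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not an object');
  return value;
}

function inspectIdToken(token, projectId, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { ok: false, problems: ['not a JWT: expected 3 dot-separated segments'] };
  }
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return { ok: false, problems: ['payload is not base64url-encoded JSON'] };
  }
  const problems = [];
  if (claims.iss !== `https://securetoken.google.com/${projectId}`) {
    problems.push('iss does not match this project');
  }
  if (claims.aud !== projectId) problems.push('aud does not match this project');
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('expired');
  if (!claims.sub) problems.push('missing sub (user id)');
  return { ok: problems.length === 0, problems, claims };
}

// Builds an unsigned, constructed token for the demonstration below.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed`;
}

const PROJECT = 'example-project'; // hypothetical project id
const sample = makeSampleToken({
  iss: `https://securetoken.google.com/${PROJECT}`,
  aud: PROJECT,
  sub: 'constructed-uid',
  exp: 2000,
});
console.log(inspectIdToken(sample, PROJECT, 1000).problems); // fixed clock
console.log(inspectIdToken(sample, PROJECT).problems);       // real clock
```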
3

Note: Adding this answer as all options listed here are either deprecated or not working (mostly due to missing steps).

The best way to make it work with Postman is to use Google OAuth2 access tokens. The provided link describes it at full length, but I have added quick steps.

Step 1: Download Service-Accounts.json


Step 2: Generate the access token in Java (the provided link describes support in other languages for this)

  • Make sure to include this dependency:

```
implementation 'com.google.api-client:google-api-client:1.25.0'
```

OR

```
<dependency>
  <groupId>com.google.api-client</groupId>
  <artifactId>google-api-client</artifactId>
  <version>1.25.0</version>
</dependency>
```

  • Run this code to generate the token (copied from Google's javadocs):

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Arrays;

public class FirebaseAccessToken {
  public static void main(String[] args) throws IOException {
    // Load the service account key JSON file
    try (FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountKey.json")) {
      GoogleCredential scoped = GoogleCredential
          .fromStream(serviceAccount)
          .createScoped(
              Arrays.asList(
                  "https://www.googleapis.com/auth/firebase.database",
                  "https://www.googleapis.com/auth/userinfo.email"
              )
          );
      // Use the Google credential to generate an access token
      scoped.refreshToken();
      String token = scoped.getAccessToken();
      System.out.println(token);
    }
  }
}
```

Step 3: Use the token in Postman

Post man Oauth 2 token

rahulkesharwani
1

It is very simple to fetch data via Postman: Here is how I did it

1. Your DB URL

https://YOUR_PROJECT_URL.firebaseio.com/YOUR_STRUCTURE/CLASS.json

2. Add API key in header as auth

auth = Value of your API_KEY

example:


sud007
  • What is config.json? From where did you get this class? – Anand_5050 Dec 18 '18 at 04:59
  • I am unable to get data in Postman. Can you please tell me what data and config.json are in the URL? – rajlaxmi_jagdale Dec 25 '18 at 07:13
  • Oh, please do not go on the `config.json`, as this is just the URL endpoint for your URL. That URL is just an example of the URL. Here `config` is the name of the class which I want to access. – sud007 Dec 29 '18 at 16:54
  • It says { "error" : "Permission denied" }. I have added the header auth – N.K Apr 08 '19 at 08:54
  • @N.K If you are doing so, then please validate with your API documentation that you are not missing the correct format in which you have to prepare the API request params and header params. – sud007 Apr 08 '19 at 10:31
-1

We can use Firebase with Postman for REST APIs.

How do we use Firebase in Postman?

  1. Copy your Firebase database URL
  2. Paste it into your Postman URL
  3. Add .json at the end, as shown in the image
  4. Then play with your Firebase database and make REST API calls
primo