Get Firebase Access Token in POSTMAN

Question

In my web application, I am using Firebase for Authentication, to access any API, I have to authenticate from firebase.

Question: How can I get access token of firebase in Postman?

I have 2 solutions for this problem:

1) Get Access Token from firebase in postman, store that access token in postman global env. variable and then I can do other API request. (Here I don't know how to get access token in postman)

2) Do the login in the browser, copy access token from network request, store it in bash_profile and then use it in Postman. (Here I don't know how to read OS env. variable)

I dont understand this question. Why do you need the access token from firebase, if your goal is to access any API? Do you mean any firebase API? And also, in your web app how do you use the authentication. Do you use the SDK or the firebase REST api? — DauleDK, Apr 20 '18 at 07:54
@DauleDK I am using firebase SDK. Firebase Access Token is required to generate Cookie from server side. API will return response only if valid cookie present in request. — Farhan Chauhan, Apr 20 '18 at 10:25

score 105 · Answer 1 · answered Nov 19 '19 at 13:59

105

When you want to use Postman only and don't want to build a frontend you can use this auth request in Postman: POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key={API_KEY}

In the Body you should send the following JSON string:

{"email":"{YOUR_EMAIL_ADDRESS}","password":"{PASSWORD}","returnSecureToken":true}

Content type is application/json (will be set automatically in Postman). You can find the Firebase API_KEY in the Firebase project settings (it's the Web-API-key).

As response you will get a JSON object and the idToken is the token you need for all your API requests as Bearer token.

To have a automated setting of this token, you can add the following code in the Tests tab at your auth request:

var jsonData = JSON.parse(responseBody);
postman.setGlobalVariable("id_token", jsonData.idToken);

For all your API requests you should set the Authorization to Bearer Token and the value for the token is {{id_token}}.

Now the token will be automatically used once you executed the auth request and got the response.

answered Nov 19 '19 at 13:59

naptoon

1,203
2
8
11

What when token expires? – jean d'arme Mar 01 '20 at 16:28
I'm able to get the expected response back by POST to the endpoint you've suggested, but when I try to verify the ID Token via firebase admin sdk in my Node app I get `Error: Decoding Firebase ID token failed. Make sure you passed the entire string JWT which represents an ID token` . Any suggestions? – MikeG May 01 '20 at 20:02
Oops, Postman was adding "Bearer" to the beginning of the token string when i set the auth type to "Bearer Token" – MikeG May 01 '20 at 20:24
If you're getting the following error, just change the type of authorization (under the Authorization tab in Postman's request) to `OAuth 2.0`. No need to provide any further details. The error I got before doing so: – A-S May 03 '20 at 23:56
`{ "error": { "code": 401, "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "errors": [ { "message": "Invalid Credentials", "domain": "global", "reason": "authError", "location": "Authorization", "locationType": "header" } ], "status": "UNAUTHENTICATED" } }` – A-S May 03 '20 at 23:56
3

I'd like to add that in the `"email":"{YOUR_EMAIL_ADDRESS}","password":"{PASSWORD}"` fields, use a user account, not the Firebase sign-in account lol. Silly mistake – tyirvine Jul 05 '20 at 19:13
1

Has anyone managed to get this working with the Authentication Emulator? – David Ritchie Nov 24 '20 at 13:22
1

I've gained the idToken successfully, but I get "401 Unauthorized" & "Your client does not have permission to the requested URL" when I access the API with my bearer token set. – Samuel Oct 22 '21 at 04:30
@jeand'arme Token expired at 3600 seconds. response has a field: ` "expiresIn": "3600" ` – sendon1982 Apr 01 '22 at 22:42
For those who couldn't make it work like that, try using this endpoint instead `https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY]` – Hiimdjango Feb 06 '23 at 02:04
Same for me as above: I managed to get the token, but when I wanted to reach the realtime database via REST api, I get ` "error": "Unauthorized request."`. I suppose the problem is that the returned JWT does not contain the scope prop, like here: https://stackoverflow.com/a/40831536/5506730. Any suggestion? – gazdagergo Jul 10 '23 at 02:03

score 12 · Accepted Answer · edited May 02 '20 at 09:47

An easy way to retrieve the access token from firebase is to:

create an html file in a directory
copy in the html file the content of firebase auth quickstart
replace the firebase-app.js and firebase-auth.js as explained in firebase web setup to point them at the proper cdn location on the web
replace firebase.init script with the initialization code from your app on the console like this:

var config = {
    apiKey: "my secret api key",
    authDomain: "myapp.firebaseapp.com",
    databaseURL: "https://myapp.firebaseio.com",
    projectId: "myapp-bookworm",
    storageBucket: "myapp.appspot.com",
    messagingSenderId: "xxxxxxxxxxxxx"
};
firebase.initializeApp(config);

open the html file in your browser and either sign in or sign up. The Firebase auth currentUser object value should be displayed.
1. inspect the html and expand the quickstart-account-details element. This should have the json object displayed.
2. copy the content of accessToken
3. In postman go to authorization, select bearer token and paste the copied token in the token value field.

You should be now able to call apis that are secured by firebase auth. Keep in mind that this only gets and passes the access token so once the token is expired you may need to request a new one (steps 5 to 8)

you can also look at this
Hope this helps!

Leo · Answer 3 · 2023-08-01T12:33:05.113

go to the pre-request script and add this code (use your API_KEY, USER_EMAIL, USER_PASSWORD)

  const reqObject = {
    url: "https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key={API_KEY}", // API_KEY -> your API key from firebase config 
    method: 'POST',
    header: 'Content-Type:application/json',
    body: {
        mode: 'raw',
        raw: JSON.stringify({ "email": {USER_EMAIL}, "password": {USER_PASSWORD}, "returnSecureToken": true })
    }
};

pm.sendRequest(reqObject, (err, res) => {
    const idToken = res.json().idToken;  // your idToken
    pm.environment.set("FIREBASE_TOKEN", idToken ); // set environment variable FIREBASE_TOKEN with value idToken 
});

this code will add the environment variable FIREBASE_TOKEN, but u can do whatever you want with idToken =)

score 6 · Answer 4 · answered Jul 31 '20 at 10:48

In addition of naptoon's post:

var jsonData = JSON.parse(responseBody);
postman.setGlobalVariable("id_token", jsonData.idToken);

This is "old style", which is deprecated by Postman. The "new style" is:

pm.environment.set("id_token", pm.response.json().idToken);

score 5 · Answer 5 · answered Nov 18 '20 at 21:22

I came across a need to do this where staging and production environments require a different Firebase idToken but local does not use one. I expanded upon naptoon's and leo's answers to use the identitytoolkit's verifyPassword endpoint as part of a pre-request:

const apiKey = pm.environment.get('api_key');

if ( ! apiKey) {
    return
}

const tokenEnv = pm.environment.get('token_env')

if (tokenEnv && tokenEnv === pm.environment.name) {
    const tokenTimestamp = Number.parseInt(pm.environment.get('token_timestamp'), 10)
    const elapsed = Date.now() - tokenTimestamp
    if (elapsed < 20 * 60000) {
        return
    }
}

pm.sendRequest({
    url: `https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=${apiKey}`,
    method: 'POST',
    header: {
        'Content-Type': 'application/json',
    },
    body: {
        mode: 'raw',
        raw: JSON.stringify({
            email: pm.environment.get('auth_username'),
            password: pm.environment.get('auth_password'),
            returnSecureToken: true,
        }),
    },
}, function (err, res) {
    let json
    if ( ! err) {
        json = res.json()
        if (json.error) {
            err = json.error
        }
    }
    if (err) {
        pm.environment.unset('auth_token')
        pm.environment.unset('token_env')
        pm.environment.unset('token_timestamp')
        throw err
    }
    pm.expect(json.idToken).to.not.be.undefined
    pm.environment.set('auth_token', json.idToken)
    pm.environment.set('token_env', pm.environment.name)
    pm.environment.set('token_timestamp', Date.now())
})

The access token is cached for a given environment for up to 20 minutes (I have not implemented refresh token). The token is cleared if the environment is different to the last request or an error occurs.

What should be the request body if I have opted for the phone sign-in method, using the phone number and an OTP? I have added the test phone number and the OTP in the Firebase console but what is the request body attributes? — Shubham A., May 13 '21 at 16:03

Josh · Answer 6 · 2021-05-20T06:22:49.703

Copy the below block of code and place it in the 'pre-request scripts' tab of the request on Postman. It will automatically get a token and put it as 'Authorization' header every time you make a request. You don't need to add any header or authorization manually. You don't even need to worry about token expiry.

Obviously, replace the app api key, username and password place holders.

const postRequest = {
  url: 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key={APP_API_Key}',
  method: 'POST',
  header: {
    'Content-Type': 'application/json'
  },
  body: {
    mode: 'raw',
    raw: JSON.stringify({
    "email": "{Your_Email}",
    "password": "{Your_Password}",
    "returnSecureToken": true
})
  }
};

pm.sendRequest(postRequest, (error, response) => {
  var jsonData = response.json();
  pm.globals.set("id_token", jsonData.idToken)
});

pm.request.headers.add({key: 'Authorization', value: '{{id_token}}'})

score 1 · Answer 7 · answered Jan 13 '22 at 04:37

1

Firebase Auth not response Access Token just idToken. you must verify/exchange with your auth system to get it.

answered Jan 13 '22 at 04:37

LordGift

51
1
7

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 13 '22 at 11:34

score 1 · Answer 8 · answered Apr 01 '22 at 23:39

1

Here is the full list apis I found for interacting with Firebase by using its API endpoint directly.

https://www.any-api.com/googleapis_com/identitytoolkit/docs/relyingparty

answered Apr 01 '22 at 23:39

sendon1982

9,982
61
44

score 0 · Answer 9 · answered Oct 21 '21 at 15:29

If your using Node here's my solution,

With the firebase admin SDK import that into your file, and follow @naptoon instructions for setting up a route in PostMan.

In Nodejs in your file put the following const user = admin.auth().verifyIdToken(req.headers.authorization)

I tried using const auth = getAuth() const user = auth.currentUser

and that way didn't work for me so I went with the firebase admin route which worked well with minimal code

score 0 · Answer 10 · answered Mar 01 '22 at 10:16

For anyone still a bit confused, this works perfectly with Firebase using Auth emulators.

Brief Overview

Create functions
Setup emulator
Generate Token
Perform authed request(s)

1. Create functions

2 functions are required:

Generate ID Token function:

import {https} from "firebase-functions";
import {auth} from "firebase-admin";

export const generateAuthToken = https.onCall((data, _context) => {
    if (!data.uid) {
        return new https.HttpsError("invalid-argument", "Missing UID argument", "Missing UID argument");
    }

    return auth().createCustomToken(data.uid).then(value => {
        console.log(`Token generated: ${value}`);
        return {
            status: true,
            token: value
        };
    }).catch(reason => {
        console.warn(reason);
        return {
            status: false,
            token: ""
        }
    });
});

(optional) Auth'd function:

import {https} from "firebase-functions";
import {auth} from "firebase-admin";

export const checkAuthenticated = https.onCall((_data, context) => {
    if (!context.auth) {
        return new https.HttpsError("unauthenticated", "You need to be authenticated to retrieve this data");
    }

    return "Congratulations! It works.";

});

2. Setup environment

(optional) Setup emulators
Run your firebase project as you'd normally do
Postman, create 2 requests:

1. generateAuthToken

Method: POST
URL: http://127.0.0.1:5001/{project-name}/{region}/generateAuthToken

Headers:

  "Content-Type": "application/json; charset=utf-8"

body (RAW: JSON)

{
    "data": {
        "uid":"1234567890"
    }
}

2. checkAuthenticated

Method: POST
URL: http://127.0.0.1:5001/{project-name}/{region}/checkAuthenticated

Headers:

  "Content-Type": "application/json; charset=utf-8"

body (RAW: JSON)

{
    "data": {

    }
}

Authentication Tab > Type Bearer: {insert token}

3. Generate Token

Call postman function using method described in 2.1

4. Perform authed request(s)

For every authed request, add the bearer token as described in 2.2 and it all works as expected.