4

My signed-in Android clients register their tokens with my server. The problem is I am not sure whether the token sent by a particular client genuinely belongs to that client user id. A bad client could register valid tokens of other users.

Given an FCM token and a user id, how can my admin code on the server verify that the token indeed belongs to the (authenticated) user id?

user2297550

1 Answer

13

On a Firebase level there is no connection between an Authentication UID and a Cloud Messaging Instance ID token.

A Firebase Authentication UID uniquely identifies a user. If that user signs in on a different device, they have the same UID value.

A Firebase Authentication Instance ID token identifies a single app on a single device. If a different user signs in to that app, the app will keep the same Instance ID token.

If you want to associate a UID with an FCM token, you have to do that in your application code. For example, many developers clear the FCM Instance ID tokens when the user signs out of their app. This ensures that a new user who signs in on the same device will get a new Instance ID token.

Frank van Puffelen
  • 3
    Good to know that a different user on the same app on the same device would get the same FCM token, (which proves that there is no connection and explains the importance of deleting the FCM token in logout.) – user2297550 Feb 24 '19 at 16:22
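
An added example (not from the answer or from Firebase) of keeping the UID-to-token association in application code, as the answer describes: the server keys every registration on the UID it authenticated itself, and a token has one owner at a time, so a shared device does not deliver one user's notifications to the next. `TokenRegistry` and its method names are hypothetical, the store is in memory, and the code does not prove that the caller possesses the token it registers.

```python
class TokenRegistry:
    """Each FCM token has at most one owner UID; a UID may own many tokens."""

    def __init__(self):
        self._owner = {}    # fcm_token -> uid
        self._tokens = {}   # uid -> set of fcm_tokens

    def register(self, verified_uid, fcm_token):
        """Bind fcm_token to verified_uid, detaching it from any previous owner.

        Assumption: verified_uid comes from the server's own check of the
        caller's credentials (for Firebase, the uid of a verified ID token),
        never from a field in the request body.
        Returns the previous owner's UID so the takeover can be logged,
        or None if the token was unowned or already owned by this UID.
        """
        previous = self._owner.get(fcm_token)
        if previous == verified_uid:
            return None
        if previous is not None:
            self._detach(previous, fcm_token)
        self._owner[fcm_token] = verified_uid
        self._tokens.setdefault(verified_uid, set()).add(fcm_token)
        return previous

    def unregister(self, verified_uid, fcm_token):
        """Sign-out path: only the current owner may remove a token."""
        if self._owner.get(fcm_token) != verified_uid:
            return False
        self._detach(verified_uid, fcm_token)
        del self._owner[fcm_token]
        return True

    def tokens_for(self, uid):
        """Tokens to target when sending a notification to uid."""
        return frozenset(self._tokens.get(uid, ()))

    def _detach(self, uid, fcm_token):
        owned = self._tokens.get(uid, set())
        owned.discard(fcm_token)
        if not owned:
            self._tokens.pop(uid, None)
```

A non-`None` return from `register` means the token changed owner without a sign-out, which is worth recording in the server's audit log.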