3

I am using firebase auth in a flutter app I am developing.

I am using the firebase_auth dart library.

Once the user is logged in, every request to my custom server backend contains the idToken, which I obtain by calling FirebaseUser.getIdToken(). What I recently just noticed is that the idToken is 900 characters long!! That seems excessively long. By just sending the firebase idToken on every request, I have increased my network data usage by 25x.

Is this normal? I have never used JWT before, so I don't know what to expect.

avocadoLambda
  • 1,332
  • 7
  • 16
  • 33
Scorb
  • 1,654
  • 13
  • 70
  • 144

1 Answers1

0

This is normal, and also not that big in modern terms.

There is no maximum size of a JWT. It's going to be dependent on what Firebase Auth puts in it, which comes from the authentication provided they used to sign in. The size will definitely vary from user to user, especially based on what you might put in custom claims.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • 1
    It just seems like it does not need to be so large :( – Scorb Jun 13 '20 at 19:54
  • You can file a feature request with Firebase to see if it can be reduced, but honestly, it's not really that big at all for the purpose it serves, and I don't think anything will change. https://support.google.com/firebase/contact/support – Doug Stevenson Jun 13 '20 at 19:56
  • 2
    To keep my server stateless, I need to send a 1kb token every request. It just seems so gross and wasteful. – Scorb Jun 14 '20 at 01:20
  • I understand, and you have no way around this if you want to be able to honor the expiration of the token. You'll have to believe me when I say 1k is not that much data. It was in 1990, but not today. – Doug Stevenson Jun 14 '20 at 01:48