firebase-admin 0.1.1

An open-source Firebase Admin SDK for Rust, starting with Authentication
Documentation

firebase-admin-rs

CI crates.io docs.rs license

An open-source, community-maintained Firebase Admin SDK for Rust.

The Rust ecosystem has no mature, actively-maintained Firebase Admin SDK. This project aims to fill that gap: starting with Authentication, and expanding feature-by-feature toward a full SDK (Firestore, Cloud Storage, Realtime Database, Cloud Messaging, ...).

Status

Pre-1.0, under active development. The public API may change between 0.x releases. See the roadmap below.

Features (Authentication)

  • ID token verification (RS256, JWKS caching, full claim validation)
  • Custom token creation (signed locally with a service account key)
  • Session cookie creation and verification — verified against Google's session-cookie certificate endpoint, which is distinct from the ID-token JWKS endpoint (confirmed against the official Admin SDKs; see ARCHITECTURE.md)
  • User management (create, get, update, delete, list, custom claims) via the Identity Toolkit REST API, against both the Firebase Auth Emulator and production Firebase — OAuth2 bearer tokens are acquired automatically via gcp_auth for both explicit service account keys and Application Default Credentials
  • A single, unified client for both production Firebase and the local Firebase Auth Emulator — no divergent APIs or generic type parameters to juggle

All of the above work end-to-end against production Firebase when the default live-user-management feature is enabled (it is on by default).

Quick start

use firebase_admin::auth::AuthClient;
use firebase_admin::core::ServiceAccountKey;

#[tokio::main]
async fn main() -> Result<(), firebase_admin::Error> {
    let key = ServiceAccountKey::from_file("service-account.json")?;
    let auth = AuthClient::builder("my-project-id")
        .service_account_key(key)
        .build()?;

    let claims = auth.verify_id_token("<id-token-from-client>").await?;
    println!("verified uid: {}", claims.sub);

    Ok(())
}

Switching to the local emulator requires no code changes — just set FIREBASE_AUTH_EMULATOR_HOST=localhost:9099 in your environment, or call .use_emulator("localhost:9099") on the builder explicitly.

More examples live in examples/.

Why another Firebase crate?

A few Firebase-related crates exist for Rust, but none combine ID token verification, custom token creation, and full user management under one well-documented, actively-maintained, community-oriented roof. This project is built to be that crate — see ARCHITECTURE.md for the design rationale, including why the live/emulator client is a single concrete type rather than generic over credentials.

Roadmap

  • v0.1.0 (current) — ID token verification, custom token creation, session cookie creation and verification, and full user management (create/get/update/delete/list, custom claims) against both the emulator and production Firebase via OAuth2 bearer tokens (service account + Application Default Credentials).
  • v0.2.0 — Bulk user import, email action links, initial multi-tenancy.
  • v0.3.0 — Broader edge-case coverage on the token-verification path (expired/rotated certificates, malformed key responses, clock-skew handling) ahead of a security review.
  • v1.0.0 — Feature-complete Auth, stable public API, full documentation coverage, security review of the token-verification path.
  • Post-1.0 — Firestore, then Cloud Storage, Realtime Database, Cloud Messaging, Remote Config, as additive modules.

Contributing

Contributions are very welcome — see CONTRIBUTING.md to get started, and ARCHITECTURE.md to understand the module layout. Please also read the Code of Conduct.

Security

See SECURITY.md for how to report vulnerabilities.

License

Licensed under either of

at your option.