Expand description
Session cookie verification.
Session cookies are RS256-signed JWTs like ID tokens, but with two
differences confirmed against the official Node.js and Python Admin SDK
source (COOKIE_CERT_URI/COOKIE_ISSUER_PREFIX vs.
ID_TOKEN_CERT_URI/ID_TOKEN_ISSUER_PREFIX in
token-verifier.ts/_token_gen.py), and directly against Google’s
endpoints:
- Issuer:
https://session.firebase.google.com/<project-id>, nothttps://securetoken.google.com/<project-id>. - Signing keys: a separate X.509 certificate endpoint
(
https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys), not the securetoken JWKS used for ID tokens — seecrate::auth::session_cookie::certs.
Structs§
- Session
Cookie Verifier - Verifies Firebase session cookies against Google’s session-cookie certificate endpoint and the project’s expected issuer/audience.