I’m trying to get some user data from my server via a GET request. First I obtain a Firebase ID token on the client:
const token = await auth.currentUser.getIdToken(true /* forces refresh */);
Then I pass it to the server on authorization headers where it gets verified:
const user = await getAuth().verifyIdToken(token);
Once the token gets verified on the server and a response gets sent to the client, is that token invalidated due to the force refresh param? Or is it the case that the next API call will generate a new token but both will still be valid?
>Solution :
Firebase Authentication tokens are bearer tokens, meaning they are valid until they expire. There isn’t really any built-in way to invalidate that token once it’s been minted.
If you want to not allow that token anymore, you’ll have to track and check it yourself. There’s a good example of this in the documentation on managing user sessions.
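The "track and check it yourself" approach as an added example, not part of the original answer or of Firebase's code: the server records a per-user revocation time and rejects any verified token whose `auth_time` claim is not later than it. The store, the function names and the sample claim objects are hypothetical; the claim objects stand in for what `verifyIdToken()` returns after its signature and expiry checks pass.

```javascript
// Hypothetical in-memory store: uid -> revocation time (seconds since epoch).
// A real service would keep this in a database shared by all server instances.
const revokedAfter = new Map();

function revokeSessions(uid, nowSeconds) {
  revokedAfter.set(uid, nowSeconds);
}

// Expects claims that have already been signature-verified.
function checkToken(decoded, nowSeconds) {
  if (typeof decoded.exp !== "number" || decoded.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  const cutoff = revokedAfter.get(decoded.uid);
  // auth_time is the sign-in time and does not change on refresh, so every
  // token minted from a session that signed in before the cutoff is rejected.
  if (cutoff !== undefined && !(decoded.auth_time > cutoff)) {
    return { ok: false, reason: "revoked" };
  }
  return { ok: true, reason: "valid" };
}

// Constructed sample: two tokens from one sign-in, the second force-refreshed.
const signIn = 1700000000;
const tokenA = { uid: "user-1", auth_time: signIn, iat: signIn, exp: signIn + 3600 };
const tokenB = { uid: "user-1", auth_time: signIn, iat: signIn + 600, exp: signIn + 4200 };

function demo() {
  revokedAfter.clear();
  const t = signIn + 900;
  // Before any revocation, the old and the refreshed token are both accepted.
  const before = [checkToken(tokenA, t).reason, checkToken(tokenB, t).reason];
  revokeSessions("user-1", signIn + 1000);
  // After revocation, both are rejected even though neither has expired.
  const after = [checkToken(tokenA, t + 200).reason, checkToken(tokenB, t + 200).reason];
  // A token from a new sign-in after the cutoff is accepted until it expires.
  const tokenC = { uid: "user-1", auth_time: signIn + 1200, iat: signIn + 1200, exp: signIn + 4800 };
  const fresh = checkToken(tokenC, signIn + 1300).reason;
  const late = checkToken(tokenC, signIn + 5000).reason;
  return { before, after, fresh, late };
}

console.log(demo());
```

The Admin SDK offers the same check built in: `revokeRefreshTokens(uid)` records the cutoff and `verifyIdToken(token, true)` rejects tokens issued before it, at the cost of an extra backend lookup per call.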