Get token for firebase admin authentication - node.js

this is my function, for firebase function:
export const hello = onRequest({ cors }, async (request, response) => {
const token = request.headers.authorization?.split('Bearer ')[1]
if (token) {
const tokenData = await getAuth().verifyIdToken(token, true)
status: 'success',
} else {
I don't like how I'm getting token here, but that's the only way I found:
request.headers.authorization?.split('Bearer ')[1]
is there any better way? Let's say, maybe admin itself has some built in method?

The verifyIdToken() requires only the JWT token as first parameter. The 'Bearer ' just indicates that the request uses Bearer token system. If you just add the token in your API request you won't have to parse the string to get the token part. The Admin SDK does not have any built-in function for that.
Alternatively, you can use onCall() instead of onRequest() that'll handle the authentication part and you can read user's information from context.auth object.


Next-auth How to redirect when 401?

I am working with Next-auth and rtk query. I need that when a request, any, returns a 401 unauthorized error, the page redirects directly to the login. How is it done?
I added 'maxAge: 60' to the [...nextauth].js file and also refetchInterval={30} refetchOnWindowFocus={true} to the component tried to find a similar solution, but it doesn't work
since you're using rtk query, you can update your apiSlice baseQuery function, to check for auth errors and redirect on that, my suggestion is this:
create a base query where you check for the 401 and any other error you want:
// try to execute the req, if it fails logout, and redirect to login.
const baseQueryWithAuth: BaseQueryFn = async (args, api, extraOptions) => {
const result = await baseQuery(args, api, extraOptions);
if (result.error?.status === 403 || result.error?.status === 401) {
// non authorized, then redirect to login page.
// if we have jwt, here u should update the access token
return result;
in the snippet above, when I'm referring to token deletion as logout because the token is already invalid in the DB, so I just need to delete it in the front, so no invalidate request is needed.
the mentioned baseQuery can be done like this:
const baseUrl = `${process.env.NEXT_PUBLIC_API_PROTOCOL}://${process.env.NEXT_PUBLIC_API_HOST}/api`;
const TOKEN_KEY_IN_LOCAL_STORAGE = 'SavedToken';
const baseQuery = fetchBaseQuery({
// credentials: 'include',
prepareHeaders: (headers) => {
// get the authentication token from local storage if it exists
const token = localStorage.getItem(TOKEN_KEY_IN_LOCAL_STORAGE);
if (token) {
headers.set('Authorization', token);
} else {
return headers;
and then now since you have a working base query with auth support, you can use that to create a main rtk query apiSlice for your project:
// create api
export const apiSlice = createApi({
baseQuery: baseQueryWithAuth,
tagTypes: ['tag1', 'tag2', 'tag3'],
endpoints: (_builder) => ({}),

How to get userId from token?

I'm coding a simple get endpoint, and I send from front-end header the token information. But in back-end I need to use userId. I think it is available on token, but how can I get userId from token?
// React Front End service
const response = await fetch(
headers: {
Authorization: `Bearer ${authService.getToken()}`,
// Nestjs Back End controller
async exportDataPdf(#Query() query: GetOrdersFilterDto): Promise<any> {
// I need to use userId from token here.
return await this.exportDataService.exportDataPdf(query);
It depends on how you sign this.jwtService.sign() while signIn a user / while generating jwt token.
For example if you use
this.jwtService.sign({ userId: user._id });
Then you can simply do this on your controller
getUserId(#Request() req: any) {
return req.user.userId;
Note req.user object is used internally by nestjs to store jwt payload data.
In case you want any data you provide on jwt in a nestjs guard. You can also get access it from req object.
context: ExecutionContext,
): boolean | Promise<boolean> | Observable<boolean> {
const [req] = context.getArgs();
// console log user ID
// create your conditional logic here before return true
return true;
You can make a method called getUserIdFromToken and use it for that. If bcrypt was used to create the token out of the email, you can get the email back from it.
Here is how I did it in node:
Encode the token
const hashData = { email: }
const accessToken = jwt.sign(hashData, process.env.ACCESS_TOKEN_SECRET)
Decode the token
const email = jwtDecode(token).email;
Then, you can retrieve the user with the email.

external api handling in the backend

On my express server I make queries to an external API using its own token. When I log in to my server I request a token to the external API based on the user who logged in, and I keep the token of the external API in the token of my express server.
Each user gets different data according to their token from the external api, for queries that require external API information, I read the received token and get the external API token to send it through headers with axios, for example:
const LoginUser = (request, response) {'/ExternalApi/auth',request.body)
.then( data =>{
const payload = {
tokenExternalApi: data.token
const token = jwt.sign(payload, ...)
return response.status(200).json(token)
const getData = (req, response){
const tokenFromClient = req.headers.authorization
//Function extract tokenExternalApi from payload Token
const tokenExternalApi = getTokenExternl(tokenFromClient )
axios.get(`/urlExternalApi`, { headers:
{ Authorization: tokenExternalApi }}
).then(res => {
return response.status(200).json(
Is this the correct approach to managing external apis tokens or is there a cleaner way to do it?
Here is my sample code that I use for hit an external API within function in node js using axios
first time you should install axios npm install axois
const axios = require('axios');
async yourFunction(){
method: 'POST',
url: "",
data: {
name: '+62'+phoneNumber,
number: '+62'+phoneNumber,
message: 'success',
In my personal opinion, this seems to be a clean approach.
But keep in mind that tokens are visible to users, so the fact is your users can decode the token, view tokenExternalApi, know that you are using an external API in the backend and directly make calls to ExternalApi using that token, provided they have the know-how of it. If you understand this fact and are fine with it, then this works.
Otherwise, you can consider encoding the token before sending it to the user or store it on the server-side session.

Auth0 "service not found" error

I'm attempting to use Auth0 to issue JWT tokens for accessing my API (so that Auth0 handles all the OAuth and security concerns, etc., and my API just needs to check the token). When I try to test the Authorization Code flow for clients to receive an access token (using Node + Express), the following happens:
The authorization code request works fine, and the client is redirected back to my redirect_uri with the code appended to the query. All good.
The token request then always fails. If I include the audience parameter, the request returns an access_denied error with the following details: Service not found: {the audience parameter}, regardless of what value I set for the audience parameter.
If I don't include the audience parameter, I get a server_error with the message Service not found:
I've checked every Auth0 setting and read every documentation page thoroughly, and so far nothing has worked. I've also tested the Authorization Code flow in Auth0's API debugger, and it worked fine. My test follows exactly the same parameters, and yet still receives an error requesting the token. I'm testing on localhost. The client credentials and implicit flows are working fine.
Here is a test endpoint I created which retrieves the authorization code from Auth0:
const qs = require('querystring');
const getCode = (req, res) => {
const params = {
audience, // the value of the API Audience setting for the client
client_id, // the client ID
redirect_uri, // the redirect_uri, which is also listed in the Allowed Callback URLs field
response_type: `code`,
scope: `offline_access open` // ask to return ID token and refresh token,
state: `12345`,
const authDomain = ``;
The redirect_uri then redirects to the following endpoint, where I make the request for the access token:
const https = require('https');
const callback = (req, res) => {
const body = {
code: req.query.code,
grant_type: `authorization_code`,
redirect_uri, // same value as provided during the code request
const opts = {
headers: { 'Content-Type': `application/json` },
hostname: ``,
method: `POST`,
path: `/oauth/token`,
const request = https.request(opts, response => {
let data = ``;
response.on(`data`, chunk => { data += chunk; });
response.on(`error`, res.send(err.message));
response.on(`end`, () => res.json(JSON.parse(data))); // this executes, but displays the error returned from Auth0
request.on(`error`, err => res.send(err.message));
request.end(JSON.stringify(body), `utf8`);
Any suggestions as to what I might be doing wrong?
The issue was that I was calling the incorrect URL at Auth0. I mistakenly thought that both the authorization and token endpoints began with /oauth, when in fact the authorization endpoint is just /authorize, while the token endpoint is /oauth/authorize. Correcting the URLs in my code fixed the problem.
My solution was the identifier of the api was not found. If it is not exact it won't find it. I had an extra backslash on my 'audience' where the identifier didnt have one. pretty easy mistake but the error is not very clear in Auth0.
In my case, I was using auth0 react hooks. So the example code looked like this:
const getUserMetadata = async () => {
const domain = process.env.REACT_APP_AUTH0_DOMAIN
try {
const accessToken = await getAccessTokenSilently({
audience: `https://${domain}/api/v2/`,
scope: 'read:current_user',
console.log('accessToken', accessToken)
localStorage.setItem('access_token', accessToken)
} catch (e) {
console.log('error in getting access token', e.message)
My solution to this was using by default Auth0 Audience value in audience field
const getUserMetadata = async () => {
const auth0audience = process.env.REACT_APP_AUTH0_AUDIENCE
try {
const accessToken = await getAccessTokenSilently({
audience: auth0audience,
scope: 'read:current_user',
console.log('accessToken', accessToken)
localStorage.setItem('access_token', accessToken)
} catch (e) {
console.log('error in getting access token', e.message)
Because its stated in auth0 docs of configuring custom domains that, you need to use by default API audience
Source -

Firebase 3.0 Tokens : [Error: Invalid claim 'kid' in auth header.]

I'm trying to create JWT tokens in node.js for use with the REST api in firebase, but when I try to use them, I get the error "Error: Invalid claim 'kid' in auth header."
This is my code
http.createServer(function (req, res) {
var payload = {
uid: "bruh"
var token = jwt.sign(payload, sact["private_key"], {
algorithm: 'RS256',
issuer: sact["client_email"],
subject: sact["client_email"],
audience: '',
expiresIn: '3600s',
jwtid: sact["private_key_id"],
header: {
"kid": sact["private_key_id"]
res.end("It worked. (" + token + ")");
These are my requires
var http = require('http');
var jwt = require('jsonwebtoken');
Please use returnSecureToken: true, with correct Spellings
I hope it will solve the problem of Invalid claim 'kid' in the auth header.
This is an issue because you're generating a Firebase ID token, not an access token for the Firebase REST API.
To generate a REST API token I would use the legacy Firebase Token Generator library which still works perfectly well (but only generates REST tokens, not general purpose access tokens).
Note that your Firebase Database secret is now located under the gear icon in the top left of the console.
So I had this error and I've fixed it. Now here is the solution:
You'll need to retrieve the ID-token using an additional function. Here is the function you can use:
firebase.auth().currentUser.getIdToken(/* forceRefresh */ true).then(function(idToken) {
// Send token to your backend via HTTPS
// ...
}).catch(function(error) {
// Handle error
I implemented it somewhat like this:
//google OAuth login handler
const googleLoginHandler = () => {
const provider = new firebase.auth.GoogleAuthProvider();
.then((result) => {
/** #type {firebase.auth.OAuthCredential} */
// The signed-in user info.
const userId = result.user.uid;
const displayName = result.user.displayName;
const email =;
//This is the function for getting the ID-Token
firebase.auth().currentUser.getIdToken(/* forceRefresh */ true).then((idToken) => {
// Send token to your backend via HTTPS
}).catch((error) => {
// Handle error
}).catch((error) => {
// Handle Errors here.
The id token you get by this method can be used to access the firebase real-time database and other firebase services.
check out these links for more details:
