Description
Operating System
Windows 11
Environment (if applicable)
NodeJs
Firebase SDK Version
12.0.0
Firebase SDK Product(s)
Auth
Project Tooling
- Next JS version 15
- Next JS 15.4.2-canary.9
Detailed Problem Description
When using FirebaseServerApp with an API key that has web restrictions enabled, I receive the following error, even though the domain is properly added to the allowed list in the Google Cloud Console:
FirebaseServerApp: auth/requests-from-referer--are-blocked
However, if I switch to using an API key with no web restrictions, the error disappears and everything works as expected.
It appears that requests made from the server (Next.js middleware or API routes) do not include a referer header, which causes Firebase to reject the request — despite the domain being listed in the restrictions.
Is this expected behavior for FirebaseServerApp? Is there a workaround other than service workers?
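```ts
import { headers } from "next/headers";
import { FirebaseServerAppSettings, initializeServerApp } from "firebase/app";
import { getAuth } from "firebase/auth";

// firebaseConfig is the project's web config object, defined elsewhere.
export async function serverApp() {
  // Read the ID token from the incoming "Authorization: Bearer <token>" header.
  const headersList = await headers();
  const authIdToken = headersList.get('authorization')?.split(' ')[1];
  const serverApp = initializeServerApp(firebaseConfig, { authIdToken });
  const auth = getAuth(serverApp);
  // Wait until the SDK has resolved the user from the ID token.
  await auth.authStateReady();
  if (!auth.currentUser) {
    console.warn('No authenticated user found');
    return { currentUser: null };
  }
  // Return the resolved user so both branches yield the same shape.
  return { currentUser: auth.currentUser };
}
```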
Steps and code to reproduce issue
Add your Firebase environment variables to .env and to Vercel Edge environment variables.
NEXT_PUBLIC_FIREBASE_API_KEY="" along with other config.
- SignInWithEmailPassword - works fine
- User is well stored in the local storage
- Throws an error when used server side [FirebaseServerApp: auth/requests-from-referer--are-blocked]
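A simplified model of the situation described in this issue, as an added example that is not part of the original report or of the Firebase SDK: an HTTP-referrer allowlist evaluated for a browser request and for a server-side request that carries no Referer header. The matching rules, the function names and the `example.com` domains are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of an HTTP-referrer allowlist check.
// The matching rules are an assumption, not the API key service's implementation.

// Turn a glob such as "*.example.com" into an anchored, case-insensitive RegExp.
function globToRegExp(glob, wildcard) {
  const body = glob
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(wildcard);
  return new RegExp(`^${body}$`, "i");
}

// Match one allowlist entry ("host/path" form) against a Referer URL.
function matchesPattern(pattern, referer) {
  let url;
  try { url = new URL(referer); } catch { return false; }
  const slash = pattern.indexOf("/");
  const hostGlob = slash === -1 ? pattern : pattern.slice(0, slash);
  const pathGlob = slash === -1 ? "/*" : pattern.slice(slash);
  // The host wildcard must not cross "/", so a path cannot pose as a host.
  return globToRegExp(hostGlob, "[^/]*").test(url.host) &&
         globToRegExp(pathGlob, ".*").test(url.pathname);
}

// Decide whether a request passes, given its Referer header (may be undefined).
function checkReferer(allowedPatterns, refererHeader) {
  if (!refererHeader) {
    // A missing header can never match, however the allowlist is configured.
    return { allowed: false, reason: "no Referer header" };
  }
  return allowedPatterns.some((p) => matchesPattern(p, refererHeader))
    ? { allowed: true, reason: "referer matches allowlist" }
    : { allowed: false, reason: `referer ${refererHeader} is not in allowlist` };
}

// Constructed sample data: hypothetical domains and requests.
const ALLOWED = ["app.example.com/*", "*.preview.example.com/*"];
const REQUESTS = [
  { from: "browser sign-in", headers: { referer: "https://app.example.com/login" } },
  { from: "server middleware", headers: {} },
  { from: "unlisted site", headers: { referer: "https://other.example.net/" } },
];

function evaluate(requests = REQUESTS, allowed = ALLOWED) {
  return requests.map((r) => ({ from: r.from, ...checkReferer(allowed, r.headers.referer) }));
}

console.table(evaluate());
```

In this model the browser sign-in passes and the server-side call fails regardless of which domains are listed, which matches the asymmetry reported in the steps above.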