Thanks, that clarifies it. With Firebase, it’s not that often you’d access a service from a privileged environment (App Engine in this case), while using an end-user’s credentials. It’s more common to perform such end-user operations at the client-side, like the article you’ve cited. With the Admin SDK, developers usually verify the ID token to establish requester identity, and then execute subsequent service calls (e.g. RTDB access) as an admin.

I don’t think option (a) is going to work, so (b) and (c ) are going to be your best bets. Also I think it’s better to move this discussion to StackOverflow, where more Firebase developers can chime in.