You can forget about the ID token on the server side, but the assumption is there’s also a Firebase client somewhere in the picture which is signed into Firebase Auth and initiating these createSessionCookie() API calls remotely. The Firebase Auth SDK keeps the ID token refreshed in the client, and when the server-side session expires, the client can send the latest ID token back to the server, and obtain a new session cookie.

Written by

Software engineer at Google. Enjoys working at the intersection of cloud, mobile and programming languages. Fan of all things tech and open source.
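
The renewal flow described in the reply above, sketched as an added example that is not part of the original reply or the Firebase project's code. It assumes `auth` behaves like the Firebase Admin SDK auth object (only `verifySessionCookie()` and `createSessionCookie()` are used); `checkSession`, `renewSession`, `fakeAuth`, the `session` cookie name, the `action` values and the 5-day lifetime are hypothetical.

```javascript
// Added example. `auth` is assumed to behave like the Firebase Admin SDK auth
// object; only verifySessionCookie() and createSessionCookie() are called.
const SESSION_MS = 5 * 24 * 60 * 60 * 1000; // assumed lifetime (SDK allows 5 min to 2 weeks)

// Per-request check. An expired cookie is the renewable case: the client still
// holds a refreshed ID token and is asked to send it. Anything else fails closed.
async function checkSession(auth, cookie) {
  if (!cookie) return { ok: false, action: 'send_id_token' };
  try {
    const claims = await auth.verifySessionCookie(cookie, true); // true = also check revocation
    return { ok: true, uid: claims.uid };
  } catch (err) {
    const renewable = err.code === 'auth/session-cookie-expired';
    return { ok: false, action: renewable ? 'send_id_token' : 'sign_in_again' };
  }
}

// Exchange the client's latest ID token for a new session cookie header.
async function renewSession(auth, idToken) {
  const cookie = await auth.createSessionCookie(idToken, { expiresIn: SESSION_MS });
  return `session=${cookie}; Max-Age=${SESSION_MS / 1000}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed stand-in for the Admin SDK so the flow runs offline.
// Token and cookie formats here are made up and carry no real signature.
function fakeAuth(clock) {
  const fail = (code) => Object.assign(new Error(code), { code });
  return {
    async createSessionCookie(idToken, { expiresIn }) {
      if (!idToken.startsWith('id:')) throw fail('auth/invalid-id-token');
      return `sc.${idToken.slice(3)}.${clock.now + expiresIn}`;
    },
    async verifySessionCookie(cookie) {
      const [tag, uid, exp] = cookie.split('.');
      if (tag !== 'sc') throw fail('auth/argument-error');
      if (clock.now >= Number(exp)) throw fail('auth/session-cookie-expired');
      return { uid };
    },
  };
}
```

On the client, the token passed to `renewSession` would come from the Firebase Auth SDK's `getIdToken()` on the signed-in user.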
