The BigQuiz app uses Firebase for keep track of the question, category and game scores of individual players. In JSON web tokens I showed an example of how to authenticate and authorize when making a call to the Firebase JSON API. This is now built in to goa so that an App that needs multiple OAUTH2authorizations (as BigQuiz app does) can use the same library and technique for everything. 

Goa library is available with this key


Try the App here.

Firebase authentication

There are multiple ways to authorize Firebase requests to the Firebase JSON API, the easiest of which is using JSON web tokens (JWT). This post covers how to make JWT using goa. All that’s needed is to append each request with the ?auth=jwt parameter, where jwt is a JSON web token made from an api key and the uid of who is accessing and generated and managed by goa. A future post will go into the more complex OAuth2 method using Goa.

Security and rules

Firebase security is controlled through rules. This app dashboard entry shows that I am the only person allowed to access this database, and than I am allowed to both read and write.

Firebase secret

To be able to use JWT, you can use Firebase custom  Login & Auth to setup a Firebase secret.

You’ll find this under Secrets

Each request to the Firebase JSON API take a JWT made up from this secret, plus an object that describes who is accessing – which will be validated against the Security and Rules entry we looked at earlier. In my case, this object looks like this, with the uid matching the one set up in the Security and Rules entry.
{ uid:"bruce" }

Database root

The third thing that’s required for database access is the root of the Firebase database, which in my case is'

Setting up Goa

Just as in all Goa authorization setups, you need a one off function that can be deleted after running. Mine looks like this.
  cGoa.GoaApp.setPackage (PropertiesService.getScriptProperties() , {
You’ll need to change the packagename to whatever you want to refer by this to,  the root to your database, the uid to the accessor and the clientSecret to your firebase secret.  You can also change the property store from the script property store if for example, you want to use different credentials for different users. Although this method is not using OAuth2, this would follow the same approach as described in  Using OAuth2 when published as ‘user accessing the webapp’. However it’s more likely you’ll be using the scriptproperties if you are using JWT for authorization.

Using the jwt

If you are using my cFireBase library (more on this in a subsequent post), then this is all that’s required. Just change the package name and the properties service to the ones you’ve used.
    // make a goa and get a firebase handle
    var goa =  cGoa.make (,Demo.PACKAGE_PLAY.props);
    // use this handle for everything
    var handle = new cFireBase.FireBase().setAuthData (goa);
Subsequent accesses to firebase are simply made as in these examples

var result = handle.get(dataPath);
var result =,dataPath);
var result =,dataPath);
If you are not using the cFireBase library, you can extract the auth parameter from goa like this
// make a goa and get a firebase handle
var goa =  cGoa.make  (,Demo.PACKAGE_PLAY.props);
// use in your request
var result = UrlFetchApp (goa.getProperty ("root") + dataPath + '.json' + '?auth=' + goa.getToken(), options);
If you are not using the cGoa library, cFirebase  also has a built in JWT generator. You can use it like this, passing your database root, the auth rules, and your client secret.
  var handle = new cFireBase

For more like this see Google Apps Scripts Snippets