How to Fix Firebase Auth Custom Claims
In this tutorial, you'll learn how to fix Firebase Auth custom claims. We cover key concepts, practical examples, and best practices.
Firebase custom claims are not showing in the ID token. You set claims with the Admin SDK but the client sees an empty claims object.
The Wrong Way
// Setting claims on the client side
firebase.auth().currentUser.getIdTokenResult().then((result) => {
  result.claims.admin = true; // This does nothing: the decoded claims are a local copy
});
Custom claims cannot be modified from the client. They must be set server-side.
The Right Way
Step 1: Set claims with the Admin SDK
// Server-side (Node.js Admin SDK):
const admin = require('firebase-admin');
admin.initializeApp(); // uses the default project / service-account credentials

async function grantAdminRole(uid) {
  // setCustomUserClaims() replaces any claims previously set for this user.
  await admin.auth().setCustomUserClaims(uid, {
    role: 'admin',
    department: 'engineering',
    tier: 'premium'
  });
}
Step 2: Force token refresh on the client
// Server-side, inside an async function. New claims only appear in ID tokens
// minted after this call; a token the client already holds keeps the old claims
// until it is refreshed (see Step 3).
await admin.auth().setCustomUserClaims(uid, customClaims);
// Optional: revoke the user's refresh tokens so existing sessions cannot be
// renewed. The current ID token stays valid until it expires (about an hour),
// after which the user must sign in again.
await admin.auth().revokeRefreshTokens(uid);
Step 3: Read claims on the client
const user = firebase.auth().currentUser;
// getIdTokenResult() returns the cached token while it is still valid, so pass
// true to force a refresh and pick up claims set after the user signed in.
const freshResult = await user.getIdTokenResult(true);
console.log(freshResult.claims.role); // 'admin'
console.log(freshResult.claims.department); // 'engineering'
Step 4: Check claims size
// Custom claims have a 1000-byte limit on the serialized payload.
// Verify before calling setCustomUserClaims():
const claims = {
  role: 'admin',
  permissions: ['read', 'write', 'delete']
};
const size = new TextEncoder().encode(JSON.stringify(claims)).length;
console.log(size); // Must be < 1000 bytes
Custom claims set and verified — user sees `role: 'admin'` in ID token, access control rules match.
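The checks in Steps 2 to 4, as an added example (not code from the original tutorial or from Firebase): a pre-flight validator that mirrors the limits `setCustomUserClaims()` enforces, plus a staleness test that explains the "empty claims" symptom. It assumes plain Node.js, no Firebase SDK, and the token fixture is constructed and unsigned.

```javascript
// Added example (not from the original tutorial): pre-flight checks that mirror
// what setCustomUserClaims() enforces, plus a staleness test. Plain Node.js.

// Claim names the Admin SDK rejects because OIDC/Firebase reserve them.
const RESERVED_CLAIMS = new Set([
  'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnonce', 'c_hash',
  'exp', 'firebase', 'iat', 'iss', 'jti', 'nbf', 'nonce', 'sub',
]);
const MAX_CLAIMS_BYTES = 1000; // documented limit on the serialized claims

// Validate before the network round-trip: returns { ok, bytes, errors }.
function validateCustomClaims(claims) {
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    return { ok: false, bytes: 0, errors: ['claims must be a plain object'] };
  }
  const errors = Object.keys(claims)
    .filter((k) => RESERVED_CLAIMS.has(k))
    .map((k) => `reserved claim name: ${k}`);
  const bytes = Buffer.byteLength(JSON.stringify(claims), 'utf8');
  if (bytes > MAX_CLAIMS_BYTES) {
    errors.push(`claims are ${bytes} bytes; limit is ${MAX_CLAIMS_BYTES}`);
  }
  return { ok: errors.length === 0, bytes, errors };
}

// base64url helpers so the constructed fixture works on any Node version.
const b64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
  .toString('utf8');

// Decode a JWT payload WITHOUT verifying the signature: for inspection only,
// never for an authorization decision (the Admin SDK's verifyIdToken does that).
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(fromB64url(parts[1]));
}

// Constructed, unsigned fixture token for local testing (not a real Firebase token).
function makeFixtureToken(payload) {
  const header = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64url(JSON.stringify(payload))}.`;
}

// A token minted before the claims were written cannot carry them; that is the
// "claims object is empty" symptom. iat is in seconds, the write time in ms.
function tokenIsStale(payload, claimsUpdatedAtMs) {
  return payload.iat * 1000 < claimsUpdatedAtMs;
}
```

When `tokenIsStale()` is true for the token a client presents, the fix is the forced refresh from Step 3, not another call to `setCustomUserClaims()`.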
Prevention
- Keep custom claims under 100 bytes — use short key names and minimal data.
- Use getCustomClaims() in security rules instead of client-side checks for critical access decisions.
- The custom claims pattern is central to Doda Browser's permission model — lightweight role data embedded in the auth token for fast authorization.
Common Mistakes with auth custom claims
- Mixing let bindings with <- bindings in do notation, producing type errors
- Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
- Non-exhaustive pattern matches that compile with warnings then crash at runtime
These mistakes appear frequently in real-world Firebase code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro