
How to Fix Firebase Auth Custom Claims

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Firebase Auth Custom Claims. We cover key concepts, practical examples, and best practices.

Firebase custom claims are not showing in the ID token. You set claims with the Admin SDK but the client sees an empty claims object.

The Wrong Way

// Setting claims on the client side
firebase.auth().currentUser.getIdTokenResult().then((result) => {
  result.claims.admin = true; // This does nothing
});

Custom claims cannot be modified from the client. They must be set server-side.

The Right Way

Step 1: Set claims with the Admin SDK

// Server-side (Node.js Admin SDK):
const admin = require('firebase-admin');
admin.initializeApp(); // picks up GOOGLE_APPLICATION_CREDENTIALS or the runtime's default credentials

async function grantAdminRole(uid) {
  // setCustomUserClaims replaces the user's entire custom-claims object
  await admin.auth().setCustomUserClaims(uid, {
    role: 'admin',
    department: 'engineering',
    tier: 'premium'
  });
}

Step 2: Force token refresh on the client

// Still server-side: after setting the claims, revoke the user's refresh tokens so
// the client cannot keep minting ID tokens from its old refresh token.
await admin.auth().setCustomUserClaims(uid, customClaims);
await admin.auth().revokeRefreshTokens(uid);
// ID tokens that were already issued stay valid until they expire (up to 1 hour)
// unless your backend verifies them with verifyIdToken(idToken, true), which
// rejects tokens issued before the revocation. The client-side refresh is Step 3.

Step 3: Read claims on the client

const user = firebase.auth().currentUser;
// Without the flag this returns the cached ID token, which may predate the new claims:
const tokenResult = await user.getIdTokenResult();
// Pass true to force the SDK to fetch a freshly issued ID token:
const freshResult = await user.getIdTokenResult(true);

console.log(freshResult.claims.role);        // 'admin'
console.log(freshResult.claims.department);  // 'engineering'

Step 4: Check claims size

// Custom claims have a 1000-byte limit (serialized JSON)
// Verify with:
const claims = {
  role: 'admin',
  permissions: ['read', 'write', 'delete']
};
const size = new TextEncoder().encode(JSON.stringify(claims)).length;
console.log(size); // Must be < 1000 bytes

Custom claims set and verified — user sees `role: 'admin'` in ID token, access control rules match.

Prevention

  • Keep custom claims under 100 bytes — use short key names and minimal data.
  • Use getCustomClaims() in security rules instead of client-side checks for critical access decisions.
  • The custom claims pattern is central to Doda Browser's permission model — lightweight role data embedded in the auth token for fast authorization.

Common Mistakes with auth custom claims

  1. Mixing let bindings with <- bindings in do notation, producing type errors
  2. Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
  3. Non-exhaustive pattern matches that compile with warnings then crash at runtime

These mistakes appear frequently in real-world FIREBASE code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

Why are my custom claims not appearing after setting them?

The client ID token is cached. The user must either: (1) sign out and sign back in, (2) call getIdToken(true) to force refresh, or (3) wait for the 1-hour automatic refresh. Calling revokeRefreshTokens forces an immediate refresh.

Can I store large objects in custom claims?

No. Custom claims are limited to 1000 bytes (serialized JSON). For larger data, use Firestore and fetch it after authentication. Store only role identifiers in claims, not full user profiles.

How do I delete custom claims?

await admin.auth().setCustomUserClaims(uid, null);
// This removes all custom claims for the user
// The client must refresh the token to see the change

Or set specific claims to null to remove individual fields: setCustomUserClaims(uid, { role: null }).

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro