Learn how to manage user sessions, revoke tokens, and generate email action links using Fuego's intuitive interface for Firebase Authentication.

Complete Guide to Auth Session Management with Fuego

Ever had to revoke tokens for a user who reported a stolen device? Or needed to create a custom token or send a password reset email? With Fuego, managing user sessions and generating email action links becomes a breeze.

With its built-in session management tools, you can perform these critical security operations directly from a visual interface—no code required.

Understanding Firebase session management

Firebase Authentication uses a token-based system for managing user sessions. When users sign in, they receive two tokens: an ID token (valid for one hour) and a refresh token (valid until explicitly revoked). This architecture means that even after you disable a user, their existing ID token remains valid until it expires.

This is where token revocation becomes essential. It immediately invalidates all refresh tokens, forcing users to reauthenticate on their next request.

Revoking refresh tokens with Fuego

Fuego provides flexible options for revoking tokens based on your specific needs.

Revoking tokens for selected users

When a user reports a compromised account or you detect suspicious activity, you need to act fast. With Fuego:

  1. Open the Firebase Authentication panel in your Firebase project
  2. Select one or more users from the user list
  3. Click Selected Users → Revoke Refresh Tokens from the top menu (or right-click context menu)
  4. Confirm the operation

The timestamp of revocation is recorded, and the affected users will need to reauthenticate on their next app interaction.

Revoking tokens for all users

In case of a security breach or when rotating your authentication infrastructure, you may need to force all users to reauthenticate:

  1. Navigate to Firebase Authentication
  2. Select Actions → Revoke Refresh Tokens
  3. Choose the scope: all users or a specific tenant (for multi-tenancy setups)
  4. Confirm with your project credentials

⚠️ Important: This operation affects every user in the selected scope. They will all need to sign in again.

Multi-tenancy support

If you’re using Firebase Authentication with multi-tenancy, Fuego allows you to target specific tenants. This is particularly useful when:

  • You manage separate user pools for different clients or applications
  • A security incident affects only one tenant’s users
  • You’re migrating users from one tenant to another

Simply select the target tenant before performing the revoke operation, and only users within that tenant will be affected.

Detecting token revocation in your app

After revoking tokens, your backend should verify ID tokens with the revocation check enabled. Here’s how it works:

```typescript
import { getAuth } from "firebase-admin/auth";

const verifyToken = async (idToken: string) => {
  try {
    // The second parameter enables revocation checking
    const decodedToken = await getAuth().verifyIdToken(idToken, true);
    return { valid: true, uid: decodedToken.uid };
  } catch (error) {
    // The catch variable is `unknown` under strict TypeScript; Firebase errors carry a string `code`
    const code = (error as { code?: string }).code;
    if (code === "auth/id-token-revoked") {
      // Token has been revoked - prompt user to reauthenticate
      return { valid: false, reason: "revoked" };
    }
    // Token is invalid for other reasons (expired, bad signature, wrong project)
    return { valid: false, reason: "invalid" };
  }
};
```

✅ Best practice: Enable revocation checking on security-sensitive endpoints like payment processing or account settings changes.

Beyond session management, Fuego also supports generating email action links. These are the links embedded in password reset, email verification, and sign-in emails.

Fuego supports generating all three types of email action links:

Password reset links: Generate when users request to reset their password through your custom UI or when you need to force a password change.

Email verification links: Useful for custom onboarding flows or re-sending verification to users who missed the original email.

Email sign-in links: Enable passwordless authentication with custom email templates.

When generating links, you can configure:

| Setting | Purpose |
| --- | --- |
| Continue URL | Where users return after completing the action |
| iOS Bundle ID | Enables opening the link in your iOS app |
| Android Package | Enables opening the link in your Android app |
| Handle in App | Whether to process the action in the mobile app or the browser |
| Link Domain | Custom domain for the action link |

Common pitfalls

Users still appearing logged in after revocation

Token revocation doesn’t immediately log users out. The client must attempt a token refresh (which will fail) or make a request to your backend with revocation checking enabled.

Solution: Implement a mechanism to detect revoked tokens on the client side and trigger reauthentication:

```typescript
// On the client, handle token refresh failures
import { getAuth, onAuthStateChanged, signOut } from "firebase/auth";

const auth = getAuth();

// Probe on sign-in / app start. onAuthStateChanged is used rather than onIdTokenChanged
// because the forced refresh below would itself re-fire an onIdTokenChanged listener.
onAuthStateChanged(auth, async (user) => {
  if (!user) return;
  try {
    await user.getIdToken(true); // Force refresh; fails once the refresh token is revoked
  } catch (error) {
    // The catch variable is `unknown` under strict TypeScript; Firebase errors carry a string `code`
    const code = (error as { code?: string }).code;
    if (code === "auth/user-token-expired") {
      await signOut(auth);
      // Redirect to login
    }
  }
});
```

If your email action links open in the browser instead of your app, check that:

  1. The iOS Bundle ID or Android Package Name is correctly configured
  2. Your app has the proper URL schemes or App Links set up
  3. The handleCodeInApp setting is true when generating links
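The settings table and the two configuration checks above can be turned into a pre-flight check that runs before a link is generated. This is an added example, not Fuego's or Firebase's own code; it uses the field names of firebase-admin's `ActionCodeSettings` (`url`, `handleCodeInApp`, `iOS.bundleId`, `android.packageName`), while the validation rules, `checkActionCodeSettings` and the sample settings are this example's own constructions.

```typescript
// Added example (not Fuego's or Firebase's code): a pre-flight check for action
// link settings, using firebase-admin ActionCodeSettings field names. The rules
// encode the configuration pitfalls listed above; they are not exhaustive.

interface ActionCodeSettingsLike {
  url: string;                       // Continue URL
  handleCodeInApp?: boolean;         // Handle in App
  iOS?: { bundleId: string };        // iOS Bundle ID
  android?: { packageName: string }; // Android Package
}

// Loose reverse-DNS shape shared by iOS bundle IDs and Android package names.
const REVERSE_DNS = /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$/;

// Returns a list of problems; an empty list means the settings look consistent.
function checkActionCodeSettings(s: ActionCodeSettingsLike): string[] {
  const problems: string[] = [];

  let continueUrl: URL | null = null;
  try {
    continueUrl = new URL(s.url);
  } catch {
    problems.push(`url "${s.url}" is not an absolute URL`);
  }
  if (continueUrl && continueUrl.protocol !== "https:") {
    problems.push("url should use https so the continue link cannot be altered in transit");
  }

  // Pitfall: a mobile target without handleCodeInApp opens the link in the browser.
  const targetsMobileApp = Boolean(s.iOS?.bundleId || s.android?.packageName);
  if (targetsMobileApp && s.handleCodeInApp !== true) {
    problems.push("handleCodeInApp must be true for the link to open in the app instead of the browser");
  }

  // Pitfall: a mistyped bundle ID or package name silently falls back to the browser.
  if (s.iOS && !REVERSE_DNS.test(s.iOS.bundleId)) {
    problems.push(`iOS.bundleId "${s.iOS.bundleId}" does not look like a bundle identifier`);
  }
  if (s.android && !REVERSE_DNS.test(s.android.packageName)) {
    problems.push(`android.packageName "${s.android.packageName}" does not look like a package name`);
  }
  return problems;
}

// Constructed settings: one consistent, one showing the "opens in browser" mistake.
const mobileSettings: ActionCodeSettingsLike = {
  url: "https://example.com/auth/finish",
  handleCodeInApp: true,
  iOS: { bundleId: "com.example.app" },
  android: { packageName: "com.example.app" },
};
const browserFallbackSettings: ActionCodeSettingsLike = {
  url: "https://example.com/auth/finish",
  iOS: { bundleId: "com.example.app" },
};

console.log(checkActionCodeSettings(mobileSettings));          // []
console.log(checkActionCodeSettings(browserFallbackSettings)); // ["handleCodeInApp must be true ..."]
```

Running the check before every link generation catches the configuration side of the problem; the second pitfall in the list, the app's own URL schemes or App Links, has to be verified on the device.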
