
@firebase/app-check: AppCheck: 403 error. Attempts allowed again after 01d:00m:00s (appCheck/initial-throttle). happening too frequently, especially in incognito #9135

Open
@anisabboud


Operating System

Windows 11, iPhone

Environment (if applicable)

Chrome 138, Safari

Firebase SDK Version

11.9.1

Firebase SDK Product(s)

AppCheck

Project Tooling

Angular 20.0.4 (latest)
@angular/fire 20.0.1 (latest)
firebase 11.9.1 (latest)

AppCheck is initialized in app.config.ts via:

import { ReCaptchaV3Provider, initializeAppCheck, provideAppCheck } from '@angular/fire/app-check';

    provideAppCheck(() => initializeAppCheck(getApp(), { provider: new ReCaptchaV3Provider(recaptcha3SiteKey), isTokenAutoRefreshEnabled: true })),

No changes have been made to this configuration since 2023 aside from updating dependencies (and we don't actively/explicitly show "Captcha" to the user).

Detailed Problem Description

Recently many users are reporting issues loading our webapp, stemming from an AppCheck throttling error (which blocks access to Firestore).

Console error

Chrome console

POST https://content-firebaseappcheck.googleapis.com/v1/projects/<projectId>/apps/<appId>:exchangeRecaptchaV3Token?key=<apiKey> 403 (Forbidden)
@firebase/app-check: AppCheck: 403 error. Attempts allowed again after 01d:00m:00s (appCheck/initial-throttle).
@firebase/app-check: AppCheck: Requests throttled due to previous 403 error. Attempts allowed again after 01d:00m:00s (appCheck/throttled).

Network tab

{ 
  error: {
    code: 403, 
    message: "App attestation failed.",
    status: "PERMISSION_DENIED"
  }
}

I suppose this error is meant to show up to "bots", but recently it's occurring to real users too frequently.
Perhaps something changed on the AppCheck server side that made it too strict?

Steps to reproduce issue

  1. Close all incognito windows (important)
  2. Open a new Chrome incognito window
  3. Go to https://www.brainko.com and wait 5 seconds for the site to load
  4. Open Chrome DevTools console (Ctrl + Shift + J)
  5. You should see the errors above (POST 403 App attestation failed followed by appCheck/initial-throttle error, followed by appCheck/throttled, followed by failing requests to Firestore...)
  6. If you don't see the error, close all incognito windows and try again a few times

Notes

Note 1: This might be related to recent changes by @hsubox76 in March 2025 (PR #8842, commit 95b4fc6), which introduced the INITIAL_THROTTLE error.

Note 2: This might be related to #7371 which reported a similar issue two years ago but was closed by the bot without a resolution. Also related: https://www.reddit.com/r/Firebase/comments/1ivpaet/firestore_app_check_throttling_requests/.

Note 3: I've encountered the throttling error in incognito since June 2023 (two years ago) and assumed it's for protection against bots, but in the past week real users are reporting this issue (and they're probably not using incognito... I just used that for the reproduction.) There might be some changes in iOS privacy that are triggering this more frequently, or changes in AppCheck server.

Note 4: On iPhone, this is happening very frequently on Safari (not on private browsing), but not on Chrome.
Also happens on iPhone when the webapp is installed as a PWA (added to home screen and opened as an app).
Perhaps there were some recent privacy-oriented changes in how Safari behaves on iOS that the reCAPTCHA server needs to adapt to.

Note 5: Google reCAPTCHA admin console shows 36% "Suspicious requests" over the past 7 days, 22% "Suspicious requests" over the past 90 days (screenshot).
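
To measure how many real sessions hit this lockout, the console lines quoted in the report can be parsed into structured events. The following is an added example, not code from the issue or from the Firebase SDK; the function names are hypothetical, the sample lines are constructed from the messages quoted above, and treating every d/h/m/s part of the duration as optional is an assumption.

```javascript
// Constructed sample: the two console lines quoted in the issue, plus an unrelated line.
const SAMPLE_LINES = [
  '@firebase/app-check: AppCheck: 403 error. Attempts allowed again after 01d:00m:00s (appCheck/initial-throttle).',
  '@firebase/app-check: AppCheck: Requests throttled due to previous 403 error. Attempts allowed again after 01d:00m:00s (appCheck/throttled).',
  'FirebaseError: Missing or insufficient permissions.',
];

const UNIT_MS = { d: 86400000, h: 3600000, m: 60000, s: 1000 };

// Convert a duration such as "01d:00m:00s" to milliseconds, or null if malformed.
// Assumption: any unit may be absent, as the hour part is in the issue's messages.
function parseBackoff(text) {
  let total = 0;
  for (const part of text.split(':')) {
    const m = /^(\d+)([dhms])$/.exec(part);
    if (!m) return null;
    total += Number(m[1]) * UNIT_MS[m[2]];
  }
  return total;
}

// Return { code, httpStatus, backoffMs } for an App Check throttle line, else null.
function parseThrottleLine(line) {
  const re = /(\d{3}) error\. Attempts allowed again after ([0-9dhms:]+) \(appCheck\/(initial-throttle|throttled)\)/;
  const m = re.exec(line);
  if (!m) return null;
  const backoffMs = parseBackoff(m[2]);
  if (backoffMs === null) return null;
  return { code: `appCheck/${m[3]}`, httpStatus: Number(m[1]), backoffMs };
}

// Summarise one client session's log lines for telemetry.
function summarise(lines) {
  const events = lines.map(parseThrottleLine).filter(Boolean);
  return {
    // Logged when the token exchange itself was rejected.
    freshRejections: events.filter(e => e.code === 'appCheck/initial-throttle').length,
    // Logged for later requests blocked because of the earlier rejection.
    suppressedRequests: events.filter(e => e.code === 'appCheck/throttled').length,
    maxBackoffHours: events.reduce((max, e) => Math.max(max, e.backoffMs), 0) / UNIT_MS.h,
  };
}
```

Comparing the per-session `freshRejections` rate across browsers would show whether the Safari-on-iOS pattern described in Note 4 holds across the user base.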
