We are moving soon this project to production.

1 – Our Mobile App will create money transfer by posting it to our internal microserve. Such post request will return a CustomToken generated from our internal NodeJs server.

2 – Our internal microservice will replicate such transfer to Firestore and update its state on Firestore accordingly.

3 – Instead of our Mobilie App poll or listen our internal microservice to get the status it will listen to Firestore for getting the status from respective document. In order to listen, it will use the CustomToken returned from post in step 1. Our company wants just take advantage of Real Time Database feature from Google Firestore for this project (reactive approach).

Do you see any consideration/issue when compared what I am doing with this statement: “Google prefers in most cases that you authorize using a service account”? (copied from other related discussion)

The CustomToken is created internally with this NodeJs server and depending on uid extrated from antenticated user authentication/users from Google Firebase

    const admin = require('firebase-admin');

    exports.serviceAccount = {
      "type": "service_account",
      "project_id": "firetestjimis",
      "private_key_id": "ecfc6 ... fd05923",
      "private_key": "-----BEGIN PRIVATE KEY-----nMIIE .... 5EKvQ==n-----END PRIVATE KEY-----n",
      "client_email": "[email protected]",
      "client_id": "102422819688924138150",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-fg6p9%40firetestjimis.iam.gserviceaccount.com"

       credential: admin.credential.cert(exports.serviceAccount)

var uid = "NS .... Ro2"; //copied from https://console.firebase.google.com/project/firetestjimis/authentication/users
var claim = {
  control: true
  .then(function (customToken) {
  .catch(function (error) {
    console.log("Error creating custom token:", error);

Our mobile (example in Angular but same idea for IOS and Android) has the SERVICE_ACCOUNT_JSON_FILE I downloaded like this:


export const environment = {
  production: false,
  firebaseConfig: {
    apiKey: "AIzaSy ... 3DCGihK3xs",
    authDomain: "firetestjimis.firebaseapp.com",
    databaseURL: "https://firetestjimis.firebaseio.com",
    projectId: "firetestjimis",
    storageBucket: "firetestjimis.appspot.com",
    messagingSenderId: "795318872350",
    appId: "1:7953 ... 32b26fb53dc810f"


  public transfers: Observable<any[]>;

  transferCollectionRef: AngularFirestoreCollection<any>;

  constructor(public auth: AngularFireAuth, public db: AngularFirestore) {

  async listenSingleTransferWithToken() {
    await this.auth.signInWithCustomToken("eyJh ### CUSTOMTOKEN GENERATED FROM INTERNAL NODEJS SERVER ABOVE ### CVg");
    this.transferCollectionRef = this.db.collection<any>('transfer', ref => ref.where("id", "==", "1"));
    this.transfers = this.transferCollectionRef.snapshotChanges().map(actions => {
      return actions.map(action => {
        const data = action.payload.doc.data();
        const id = action.payload.doc.id;
        return { id, ...data };

I understand that both CustomToken creation and its use from our Mobile is relying entirely on Service Account. Am I right? Did I miss some concept and I am using USER CREDENTIAL behind the scene and something that works properly in DEV environment will pop up some surprise when in production? Obviously for this question all comes from my free account but in production it will be paid account but the code and steps will be exactly the same here.

*** Edited after John’s comments

Indeed environment.ts goes to Browser. Maybe an Angular Dev with experience to listen Firestore documents can comment if there is an issue