wantan

Reputation: 221

Firebase only sends already expired email verification links

I'm clicking on the verification links immediately after getting the verification mail, but still the answer is only:

Try verifying your email again Your request to verify your email has expired or the link has already been used

The current code to send off the verification mail looks like this and is run right after the registration.

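firebase.auth().onAuthStateChanged(function(user) {
    // The callback also fires with user === null when nobody is signed in.
    if (user && !user.emailVerified) {
        user.sendEmailVerification();
    }
});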

And the required firebase scripts are included like this:

<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase.js"></script>
<script>
  function init(){
    var config = {
      apiKey: "<asdf>",
      authDomain: "<asdf>.firebaseapp.com",
      databaseURL: "<asdf>.firebaseio.com"
    };
    firebase.initializeApp(config);
  }
</script>
<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase-auth.js"></script>
<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase-database.js"></script>

And Email/Password is enabled as a sign-in method. I compared the setup with another Firebase project that has working verification mails and can't find a difference.

Anyone have an idea what could be the issue?

Upvotes: 11

Views: 8487

Answers (6)

obai

Reputation: 417

If you have multiple apiKeys you may want to check this.

I had multiple apiKeys. I was using each of them for different client applications.

As mentioned in other answers, the email verification link includes an apiKey. In my case that apiKey was different from the one I used for the specific client application.

So, the solution was figuring out which apiKey is sent in the email verification and adding <app-name>.firebaseapp.com in the Application Restrictions > HTTP reference.

I wasted several hours, and it ruined my demo to a customer. Hopefully this solution saves someone else time and $

It is obvious the error message is very vague. Pretty much any answer here may lead you to a solution. So, be patient, get a coffee, and see which one applies to your case. I am saying all this because I got burned and stressed out for hours; hopefully you don't have to.

Summary:

If you have multiple apiKeys and you are doing Application Restrictions with HTTP reference, make sure <app-name>.firebaseapp.com is added to each apiKey.

Upvotes: 3

tonnoz

Reputation: 502

This is how I solved it, a slightly different approach from what others suggest: first, check which API KEY is being used in the email link; in my case it was the PROD one, even though I was starting the project with the DEV (unrestricted) one.

The most important thing: it's not enough to add <app-name>.firebaseapp.com in the Website restrictions section of your API KEY: you need to add the fully qualified domain including https: https://<app-name>.firebaseapp.com. This solved the issue for me.

Upvotes: 0

Joseph DeChicchis

Reputation: 51

In case anyone else runs into this issue too, my problem was that I hadn't selected a support email. Selecting one fixed it for me.

Upvotes: 0

Ravi.K

Reputation: 41

If someone is still looking for an answer!

If you have restricted your API key, then select Firebase Dynamic Links API from the dropdown to allow dynamic links. Firebase sends dynamically generated links in the email and you should allow that.

Upvotes: 0

Be sure your Sign-in providers include the email and password provider.

Upvotes: 0

wantan

Reputation: 221

The answer is here: stackoverflow.com/a/38274531/213156 Thanks a lot, Travis Christian!

"If you've listed any HTTP referrers for your app's API key in the Google API console, you need to include the app itself which is where the emails originate: [app-name].firebaseapp.com. Otherwise this domain is not valid for your app's key."

Upvotes: 10
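
The checks the answers above describe (which apiKey the emailed link carries, and whether that key's referrer list names the firebaseapp.com handler domain), as an added example that is not part of the original posts. The function name, the link shape (`/__/auth/action?...&apiKey=...`), and every key, domain and referrer entry below are constructed assumptions; the referrer lists are meant to be copied by hand from the API console.

```javascript
// Added example. All keys, domains and referrer entries are constructed samples.
// referrersByKey maps each API key to the HTTP referrer entries listed for it
// in the console; an empty array means the key is unrestricted.
function diagnoseVerificationLink(link, clientConfig, referrersByKey) {
  const url = new URL(link);
  const linkKey = url.searchParams.get("apiKey"); // oobCode is never read or logged
  const host = url.hostname;
  const findings = [];

  if (!linkKey) {
    findings.push("link carries no apiKey parameter");
    return { linkKey, host, findings };
  }
  if (linkKey !== clientConfig.apiKey) {
    findings.push("link uses a different apiKey than the client config");
  }

  const entries = referrersByKey[linkKey];
  if (entries === undefined) {
    findings.push("no referrer list supplied for the apiKey in the link");
  } else if (entries.length > 0) {
    // Normalise case and drop a trailing "/" or "/*" before comparing.
    const norm = entries.map(e => e.trim().toLowerCase().replace(/\/\*?$/, ""));
    const bare = norm.includes(host);
    const qualified = norm.includes("https://" + host);
    if (!bare && !qualified) {
      findings.push("handler domain " + host + " is missing from the referrer list");
    } else if (!qualified) {
      // One answer above reports that the bare domain alone was not enough.
      findings.push("only the bare domain is listed; https://" + host + " is not");
    }
  }
  return { linkKey, host, findings };
}

// Constructed sample: client runs with the DEV key, the email carries the PROD key.
const CLIENT_CONFIG = { apiKey: "KEY_DEV_CONSTRUCTED", authDomain: "demo-app.firebaseapp.com" };
const SAMPLE_LINK = "https://demo-app.firebaseapp.com/__/auth/action" +
  "?mode=verifyEmail&oobCode=CONSTRUCTED&apiKey=KEY_PROD_CONSTRUCTED&lang=en";
const REFERRERS_BY_KEY = {
  KEY_DEV_CONSTRUCTED: [],
  KEY_PROD_CONSTRUCTED: ["https://www.example.com/*"],
};

console.log(diagnoseVerificationLink(SAMPLE_LINK, CLIENT_CONFIG, REFERRERS_BY_KEY).findings);
```
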
