Usage of ID Token vs uid?

Question

This article mentions:

If your app includes a custom backend server, ID tokens can and should be used to communicate securely with it. Instead of sending requests with a user’s raw uid which can be easily spoofed by a malicious client, send the user's ID token which can be verified via a Firebase Admin SDK (or even a third-party JWT library if Firebase does not have an Admin SDK in your language of choice). To facilitate this, the modern client SDKs provide convenient methods for retrieving ID tokens for the currently logged-in user. The Admin SDK ensures the ID token is valid and returns the decoded token, which includes the uid of the user it belongs to as well as any custom claims added to it.

---

From learning on Youtube, the raw uid always seems to be used.

Eg:

try {
 final foo = FirebaseFirestore.instance
  .collection("users")
  .doc(FirebaseAuth.instance.currentUser!.uid)
  .collection("...");
}

How do I convert this to use the getIdToken() or getIdTokenResult() instead of uid?

Answer 1

The UID of a user is a unique, constant identifier for that user. So if the same user logs in multiple times, they'll get the same UID.

It makes no sense to use the ID token as the identifier for the user in the database, as an ID token will change every hour.

You should continue to use the UID to identify the user, and only use the ID token when you need to verify the user's identity.