How to automatically refresh expired id token using Firebase Admin SDK

[juniorforlife]

I have a SvelteKit app which uses Firebase Authentication. The auth flow is like this

1. when user clicks log in, I will call the below function on the client

export async function loginWithGooglePopup() {
  const credential = await signInWithPopup(auth, authProvider);
  const idToken = await credential.user.getIdToken();

  if (idToken) {
    // call my own SvelteKit api route
    await fetch('/api/login', { method: 'POST', body: JSON.stringify({ idToken }) });
    await invalidateAll();
  }
}

2. then in my /api/login/+server.ts I will verify the id token given above and set my own SvelteKit cookie

export const POST: RequestHandler = async ({ request, cookies }) => {
  const { idToken } = await request.json();

  const expiresIn = 60 * 60 * 24 * 5 * 1000; // 5 days

  try {
    const decodedToken = await adminAuth.verifyIdToken(idToken);
    const cookie = await adminAuth.createSessionCookie(idToken, { expiresIn });
    const options = {
      maxAge: expiresIn,
      httpOnly: true,
      secure: PUBLIC_ENVIRONMENT === 'production' ? true : false,
      path: '/'
    };
    // use decodedToken to insert user data into database and do other stuff

    cookies.set('__session', cookie, options);
    return json({ status: 200 });
  } catch (err) {
    error(401,);
  }
};

The reason I don't use onAuthStateChanged is it only works on the client and will make a flash between logged-out and logged-in user

3. Then in my +hooks.server.ts (a middleware file in SvelteKit) I will verify the id token on every request like this

import { adminAuth } from '$lib/server/firebase-admin/config';
export const handle: Handle = async ({ event, resolve }) => {
  const sessionCookie = event.cookies.get('__session');
  if (!sessionCookie) return await resolve(event);
  
  try {
    const userCookie = await adminAuth.verifySessionCookie(sessionCookie);
    event.locals.user = { ...userCookie }
  } catch (e) {
    console.log(e)
  }
  return await resolve(event);
};

The problem I'm having is when verifySessionCookie throws an error of auth/session-cookie-expired I couldn't find any method to request a new id token on the server. In addition, I don't want to redirect the user to the login page which is annoying. How do I achieve this?

[Yassin-Samir]

add onIdTokenChanged event handler using auth instance the call this api route

auth.onIdTokenChanged( async(user)=> {

await fetch('/api/login', { method: 'POST', body: JSON.stringify({ idToken:await user.getIdToken() }) });

})

this will get triggered once the id token in the client expired and firebase explicitly creates a new one then make your fetch with the new idToken to always hava updated token

[francescovenica]

This issue is probably related to your question, but no answer yet

#2349

[MILLERMARRU]

The Firebase Admin SDK cannot refresh an ID token server-side — that is by design, since the Admin SDK operates with elevated privileges and ID tokens are issued only to authenticated clients. The refresh must originate from the client.

Here is the complete pattern for SvelteKit (works the same in Next.js or any SSR framework):

Client side — listen for token refresh

// src/lib/firebase/client.ts
import { getAuth, onIdTokenChanged } from 'firebase/auth';

export function startTokenSync() {
  const auth = getAuth();

  onIdTokenChanged(auth, async (user) => {
    if (user) {
      // Firebase auto-refreshes the token every ~55 minutes.
      // onIdTokenChanged fires whenever the token is renewed.
      const freshToken = await user.getIdToken();
      // Send it to your server so it can update the session cookie.
      await fetch('/api/session/refresh', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ idToken: freshToken }),
      });
    } else {
      // User signed out — clear the cookie on the server
      await fetch('/api/session/logout', { method: 'POST' });
    }
  });
}

Call startTokenSync() once in your root layout after the user logs in.

Server side — refresh endpoint

// src/routes/api/session/refresh/+server.ts
import { json } from '@sveltejs/kit';
import { adminAuth } from '$lib/firebase/admin';

export async function POST({ request, cookies }) {
  const { idToken } = await request.json();

  // Verify the new token is legitimate before issuing a new cookie
  await adminAuth.verifyIdToken(idToken);

  const expiresIn = 60 * 60 * 24 * 5 * 1000; // 5 days
  const sessionCookie = await adminAuth.createSessionCookie(idToken, { expiresIn });

  cookies.set('session', sessionCookie, {
    path: '/',
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    maxAge: expiresIn / 1000,
  });

  return json({ status: 'refreshed' });
}

Middleware — handle the expired cookie gracefully

// src/hooks.server.ts
import { adminAuth } from '$lib/firebase/admin';

export async function handle({ event, resolve }) {
  const session = event.cookies.get('session');
  if (!session) return resolve(event);

  try {
    const decoded = await adminAuth.verifySessionCookie(session, true);
    event.locals.user = decoded;
  } catch (err: any) {
    if (err.code === 'auth/session-cookie-expired') {
      // Cookie expired — clear it and let the client's onIdTokenChanged
      // fire a refresh automatically once the page reloads.
      event.cookies.delete('session', { path: '/' });
    }
    event.locals.user = null;
  }

  return resolve(event);
}

Why this works without redirecting to login

Firebase clients automatically refresh ID tokens every ~55 minutes in the background. onIdTokenChanged fires whenever a new token is issued — you just need to forward it to your server. The user never sees a login screen unless they are actually signed out.

The key insight: the server cannot initiate a refresh, but it does not need to. The client always has a valid token as long as the Firebase session is alive; the server just needs a way to receive the new token when it arrives.