Why Firebase Auth Fails in FlutterFlow
Firebase Authentication is the default auth provider in FlutterFlow, and it works reliably - until it doesn't. The visual builder hides the complexity of token management, OAuth configuration, and session persistence. When something breaks, you get a blank screen or an unhelpful "auth/internal-error" message with no stack trace.
As certified FlutterFlow Experts, we've debugged auth failures across hundreds of production apps. This guide documents every failure pattern and its fix.
The 8 Most Common Firebase Auth Failures
1. Google Sign-In Fails on iOS Only
Error: PlatformException(sign_in_failed, com.google.GIDSignIn)
Cause: Missing or incorrect iOS OAuth Client ID in Firebase Console. FlutterFlow auto-configures Android but iOS requires manual setup: you need the GoogleService-Info.plist Client ID added to both Firebase and FlutterFlow's iOS settings.
Fix: In Firebase Console → Authentication → Sign-in method → Google, make sure the iOS OAuth Client ID matches your GoogleService-Info.plist. In FlutterFlow → Settings → Firebase, re-download and re-upload the iOS config file. Then add the reversed client ID as a URL scheme in your iOS deployment settings.
2. Apple Sign-In Returns Null Email
Symptom: User signs in with Apple successfully but their email is null in Firestore.
Cause: Apple only provides the user's email on the FIRST sign-in. If the user has previously signed in and then deleted their account, Apple sends a null email on subsequent attempts. Also, Apple's "Hide My Email" feature generates a relay email that may look unexpected.
Fix: Always capture the email during the initial sign-in flow and store it in your Users collection. For users with null emails, prompt them to enter their email manually. To reset Apple's "first sign-in" state during testing, go to Settings → Apple ID → Password & Security → Apple ID Logins → remove your app.
3. Token Refresh Failures After 1 Hour
Symptom: Users get logged out or see permission errors after approximately 1 hour of use.
Cause: Firebase auth tokens expire after 1 hour. FlutterFlow handles automatic token refresh, but if your app uses custom API calls with hardcoded tokens (instead of using currentUser.getIdToken()), the stale token causes 401 errors.
Fix: Never store auth tokens in app state. Instead, always call getIdToken(true) before API requests to get a fresh token. In FlutterFlow Custom Actions, use FirebaseAuth.instance.currentUser?.getIdToken(true) instead of cached values. For custom functions, make sure async token retrieval completes before the API call.
4. Email Verification Loop
Symptom: User verifies their email via the link, but FlutterFlow still shows them as unverified.
Cause: FlutterFlow caches the user's verification status. After clicking the email link, the user needs to reload their auth state - but the app doesn't do this automatically.
Fix: After the verification screen, add a Custom Action that calls await FirebaseAuth.instance.currentUser?.reload(); followed by setState(() {}); to refresh the cached user object. Alternatively, add an "I've verified my email" button that triggers this reload.
5. Anonymous Auth to Permanent Account Migration
Symptom: User starts as anonymous, then tries to create an account, and loses all their data.
Cause: FlutterFlow's default "Create Account" action creates a NEW user instead of linking credentials to the existing anonymous account. The anonymous UID and all associated Firestore data become orphaned.
Fix: Use a Custom Action that calls linkWithCredential() instead of createUserWithEmailAndPassword(). This preserves the anonymous UID and all associated data. Build the credential from email/password, then link it to the current anonymous user.
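A Custom Action along these lines, as an added example that is not part of the original guide. The function name upgradeAnonymousUser and its string return codes are hypothetical; the firebase_auth calls are the package's own.

```dart
import 'package:firebase_auth/firebase_auth.dart';

/// Upgrades the current anonymous user to email/password without changing
/// the UID. Returns null on success, otherwise a short reason code
/// (hypothetical values) that the calling page can branch on.
Future<String?> upgradeAnonymousUser(String email, String password) async {
  final user = FirebaseAuth.instance.currentUser;
  if (user == null) return 'no-session';
  if (!user.isAnonymous) return 'already-permanent';

  final uidBefore = user.uid;
  final credential =
      EmailAuthProvider.credential(email: email.trim(), password: password);

  try {
    final result = await user.linkWithCredential(credential);
    // Linking keeps the UID, so Firestore documents keyed on it stay reachable.
    assert(result.user?.uid == uidBefore);
    return null;
  } on FirebaseAuthException catch (e) {
    switch (e.code) {
      case 'email-already-in-use':
      case 'credential-already-in-use':
        // The email already belongs to another account. Falling back to
        // createUserWithEmailAndPassword() here would orphan the anonymous
        // data, so report the conflict and let the user sign in instead.
        return 'email-taken';
      case 'provider-already-linked':
        return 'already-permanent';
      case 'invalid-email':
      case 'operation-not-allowed':
        return e.code;
      default:
        return 'link-failed';
    }
  }
}
```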
6. Phone Auth OTP Not Received
Symptom: SMS verification code never arrives, or verification fails silently.
Cause: Multiple possible causes: wrong phone number format (must include country code with +), Firebase quota exceeded, SHA-1 fingerprint not added to Firebase project (Android), or reCAPTCHA verification failing.
Fix: Make sure phone numbers include country code (e.g., +1 for US). Add SHA-1 and SHA-256 fingerprints to Firebase → Project Settings → Android apps. For testing, add test phone numbers in Firebase Console → Authentication → Phone → Phone numbers for testing.
7. Custom Claims Not Available Immediately
Symptom: You set custom claims via Cloud Functions but they don't take effect until the user logs out and back in.
Cause: Custom claims are embedded in the Firebase ID token, which is cached for up to 1 hour. Setting claims server-side doesn't automatically refresh the client's token.
Fix: After setting custom claims, force a token refresh on the client: await FirebaseAuth.instance.currentUser?.getIdToken(true);. In FlutterFlow, trigger this via a Custom Action after the Cloud Function completes.
8. Auth State Persists After Account Deletion
Symptom: You delete a user from Firebase Console but they remain logged in on their device.
Cause: Firebase Auth caches the auth state locally. Deleting the user server-side doesn't invalidate existing sessions until the ID token expires or the client attempts a token refresh.
Fix: Revoke refresh tokens via the Admin SDK before deleting the user: admin.auth().revokeRefreshTokens(uid). On the client side, add error handling for user-token-expired that redirects to the login screen.
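The client side of fixes 3 and 8 as one Custom Action, an added example rather than code from the original guide: it fetches a fresh token before the request and signs out locally when the refresh reports a dead session. The function name authedGet, the use of package:http, and treating user-not-found and user-disabled the same way as user-token-expired are assumptions.

```dart
import 'package:firebase_auth/firebase_auth.dart';
import 'package:http/http.dart' as http;

// Error codes that mean the locally cached session no longer maps to a
// usable account (tokens revoked, user deleted, user disabled).
const _deadSessionCodes = {
  'user-token-expired',
  'user-not-found',
  'user-disabled',
};

/// Sends an authenticated GET. Returns null when there is no valid session,
/// in which case the caller should route to the login screen.
Future<http.Response?> authedGet(Uri url) async {
  final auth = FirebaseAuth.instance;
  final user = auth.currentUser;
  if (user == null) return null;

  try {
    // Forced refresh: a token cached in app state would go stale after
    // an hour and would not reflect revocation or new custom claims.
    final token = await user.getIdToken(true);
    if (token == null) return null;
    return await http.get(url, headers: {'Authorization': 'Bearer $token'});
  } on FirebaseAuthException catch (e) {
    if (_deadSessionCodes.contains(e.code)) {
      // Clear the cached auth state so the app stops treating the
      // deleted or revoked user as logged in.
      await auth.signOut();
      return null;
    }
    rethrow; // Network and other errors are left to the caller.
  }
}
```

Revoking refresh tokens does not cancel an ID token that was already issued, so a backend that must cut access immediately should verify tokens with the Admin SDK's revocation check, verifyIdToken(idToken, true).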
Auth Architecture Best Practices
| Pattern | Recommended | Avoid |
|---|---|---|
| Token management | getIdToken(true) per request | Caching tokens in app state |
| Social sign-in | Google + Apple on both platforms | Google-only (Apple required for iOS) |
| Email verification | Reload user state after verify link | Polling or timed redirects |
| Anonymous → permanent | linkWithCredential() | createUser() (creates new UID) |
| Custom claims | Force token refresh after setting | Assuming immediate availability |
Need Expert Help?
Firebase Auth in FlutterFlow has dozens of edge cases the visual builder doesn't surface. Rehost's FlutterFlow engineers have implemented auth systems for healthcare (HIPAA), fintech, and marketplace apps.
FAQ
Why does Google Sign-In work on Android but not iOS in FlutterFlow?
iOS requires a separate OAuth Client ID configured in both Firebase and FlutterFlow's iOS settings. The GoogleService-Info.plist must be re-downloaded and the reversed client ID added as a URL scheme. Android auto-configures via the SHA fingerprint.
How do I handle Firebase Auth token expiration in FlutterFlow?
Never cache tokens in app state. Use getIdToken(true) in Custom Actions before each API request to get a fresh token. FlutterFlow handles automatic Firestore auth, but custom API calls need manual token management.
Can I use both email and social login in the same FlutterFlow app?
Yes, but you need to handle account linking. If a user signs up with email, then later tries Google Sign-In with the same email, Firebase may throw an "account-exists-with-different-credential" error. Handle this by linking the new credential to the existing account.