Migrate from Firebase

Migrate from Firebase Auth

Firebase Auth is great for prototypes. When you outgrow it, the export is well-defined and the migration is straightforward.

What you'll keep, what you'll lose, what you'll gain

  • Keep: Email, display name, photo URL, providerUserInfo (Google, GitHub, Apple, Microsoft, Facebook, Twitter), Custom Claims (preserved in Authio user metadata as claims.*), Firebase multi-tenancy tenants (each becomes an Authio organization).
  • Lose: Password hashes (bcrypt or scrypt; Authio is passwordless), Phone-Auth sessions (users re-verify), Firebase Anonymous users (unless they have an email).
  • Gain: Multi-org without enabling Identity Platform tenants. SCIM. The risk engine. Webhooks. A first-class management API.

The org concept

Firebase Auth has no native multi-tenant org concept. Firebase Identity Platform tenants are auth tenants (used to silo users by application), not B2B orgs. The importer treats:

  • A Firebase project with no tenantId on users → one synthetic Default Authio org, all users as members.
  • A Firebase project with tenantId on users → one Authio org per Firebase tenant, with users placed accordingly.
  • You can also supply --orgs-table if your app has its own orgs concept stored outside Firebase Auth.

Custom Claims

Firebase stores custom claims as a JSON-encoded string on each user. The importer parses them and stores them under user.metadata.claims:

{"customAttributes": "{\"role\":\"admin\",\"plan\":\"pro\"}"}
↓
user.metadata = {"claims": {"role": "admin", "plan": "pro"}}

Sessions

Firebase sessions are dropped. The Firebase JWT (idToken) is not Authio-compatible. Re-authentication on next visit issues a fresh Authio session JWT signed by Authio's JWKS.

Rollback plan

Run nightly imports against a fresh firebase auth:export. Flip your application's auth provider when ready. The Firebase Admin SDK can co-exist with the Authio Node SDK during the cutover.

Step-by-step: CLI

# 1) Install Firebase CLI if you haven't.
npm install -g firebase-tools
firebase login

# 2) Export.
firebase auth:export firebase.json --format=JSON --project YOUR_PROJECT

# 3) Dry-run.
authio import firebase --input ./firebase.json --dry-run | jq '.stats'

# 4) Apply.
authio import firebase --input ./firebase.json

Step-by-step: dashboard wizard

Visit app.authio.com/migrate/firebase and follow the four-step flow. The wizard accepts an optional orgs-table JSON if your app stores B2B orgs outside of Firebase.

Live import (paste an API token)

Firebase Auth's live importer isn't wired in this release — Firebase's Admin SDK pulls service-account JSON, and packaging the (large) Google Auth Library into the Authio CLI/dashboard is on the next iteration's plate.

Use the firebase auth:export file path above for now. The dashboard wizard's Connect with API token tab will accept a service-account JSON in a future release.

Post-migration checklist

  • Swap firebase/auth for @authio/node (server) and your app's framework SDK.
  • Re-issue any Firebase ID-token verifications to use Authio's JWKS.
  • Update client SDK initialization to point at Authio's hosted UI.
  • Send migration emails.
Firebase Auth is being deprecated for some surfaces; the Google identity landscape is shifting. If you're migrating because of that, you're not alone — the Firebase importer is intentionally the most permissive about partial exports.