I'm trying to wrap my head around the best way to handle the creation of a customToken with Firebase in a secure way.

This is what I came up with:

The user logs in on the client side with email and password. firebase.auth().signInWithEmailAndPassword(email, password) Storing the current UID of the user in local storage. localStorage.setItem('uid', response.uid); Get the JWT token of the current user. firebase.auth().currentUser.getToken(true) and store the token in localStorage localStorage.setItem('token', res) Make a post call to the server and add the token to Authorization header and send the UID in the body. const headers = new Headers(); headers.append('Content-Type', 'application/json'); headers.append('Authorization', localStorage.getItem('token')); this.http.post('/api/login', localStorage.getItem('uid'), { headers: headers }) On the serverside verify the token const authorization = req.headers.authorization; admin.auth().verifyIdToken(authorization) . If valid set the UID this.uid = decodedToken.uid; Now generate the custom token. Add the additionalClaims const additionalClaims = { premiumAccount: true }; and call the createCustomToken function. admin.auth().createCustomToken(this.uid, additionalClaims) Send the custom token back to the client res.status(200).send({ token: customToken }) On the client side login with the customToken. firebase.auth().signInWithCustomToken(data.token)

Is this summary a good practice or are there better ways to handle this?