[firebase_app_check] Can you document when assessment requests are made?

[MarcVanDaele90]

I'm using Flutter web and reCAPTCHA enterprise

I would like to reduce the cost of reCAPTCHA enterprise and hence I would like to reduce the number of assessment requests.

In Firebase, I've increased "Token time to live" to 7 days so I would assume that this would somehow halve the number of assessments (assuming that my users return at least twice a week).
Unfortunately, this doesn't seem to happen.

Can you explain when an assessment request happens and what I can do to reduce the number of requests?

Thanks a lot!

[fr33d0s]

Good question, the docs are thin on this. Here's the actual behavior:

When assessment requests happen:

1. Cold start / new session — if initializeAppCheck finds no valid cached token, the SDK requests one from reCAPTCHA Enterprise. One assessment per fresh session.
2. Proactive refresh — with isTokenAutoRefreshEnabled: true (the default), the SDK refreshes the token at ~50 % of TTL, not at expiry. A 7-day TTL refreshes at ~3.5 days → one additional assessment.
3. Manual getToken(true) — force-refresh bypasses the cache.
4. Multi-tab / incognito / new browser context — the token cache lives in IndexedDB and isn't shared across contexts. Opening your app in a new tab = a fresh assessment.

Why a 7-day TTL isn't halving your assessments:

• A user who visits twice a week gets at least one cold-start assessment per session regardless of TTL — each session finds a stale or empty cache.
• Auto-refresh at 50 % of TTL means even a 7-day token gets refreshed after 3.5 days.
• If persistence is failing (IndexedDB unavailable, privacy mode, cleared storage), every load is effectively a cold start.

What actually reduces assessment count:

1. Verify cache persistence. In the browser console: indexedDB.databases() should list firebase-app-check-database. If it doesn't, the cache isn't persisting and every load is a cold start.
2. Disable auto-refresh if you don't need it:

   initializeAppCheck(app, {
     provider: new ReCaptchaEnterpriseProvider(siteKey),
     isTokenAutoRefreshEnabled: false, // only request when getToken() is called
   })

   Trade-off: some Firebase services call getToken() internally and will re-trigger a request anyway.
3. Batch your Firebase calls per session. 10 Firestore calls in a single session share the same cached token — 1 assessment. If calls span the refresh boundary, you get 2.
4. Switch platforms where you can. Play Integrity (Android) and DeviceCheck (iOS) are free. reCAPTCHA Enterprise is only mandatory for Web. If your Flutter app is mobile-first, mobile assessments drop to zero.
5. Use debug tokens in CI and internal builds. Keeps your prod assessment count clean of dev and staging traffic.

Rough arithmetic:

weekly_sessions_per_user × (1 + refreshes_in_session) ≈ weekly_assessments

At 7-day TTL with 2 sessions per week: each session is either cold or half-expired → ~2 assessments per week. Same as a 1-day TTL in that usage pattern.

TTL only helps when user sessions last longer than half the TTL and the cache survives between sessions. Most web users don't match either condition.