Firebase

Firebase

Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.

Google
Part of Google
Back to Vendor Library

Overview

Firebase is Google's full-stack application development platform, providing authentication, real-time and Firestore databases, cloud functions, hosting, remote config, and analytics. On the web, the Firebase JavaScript SDK initializes one or more services depending on what the application imports, and Firebase Analytics — powered by Google Analytics 4 — is frequently bundled with Firebase deployments in single-page applications and progressive web apps.

What This Script Does

Firebase web SDK scripts are modular, and the specific functionality loaded depends on which packages the site imports. The following covers the most commonly deployed components.

Firebase Authentication Firebase Auth uses localStorage and IndexedDB to store session tokens and user credentials. It contacts identitytoolkit.googleapis.com for sign-in flows, securetoken.googleapis.com for token refresh, and www.googleapis.com for OAuth provider flows. No tracking cookies are set for cross-site purposes; storage is strictly scoped to session management.

Firebase Analytics (GA4-powered) When firebase/analytics is imported, the SDK loads from www.googletagmanager.com/gtag/js and registers the following cookies:

  • _ga (first-party, 2 years) — unique client identifier for GA4
  • _ga_<MEASUREMENT_ID> (first-party, 2 years) — session and hit counter for the specific GA4 property
  • _gid (first-party, 24 hours) — day-level session identifier
  • _FIREBASE_APP_INSTANCE_ID (IndexedDB/localStorage) — Firebase-specific app instance identifier

The analytics layer contacts analytics.google.com, www.google-analytics.com, and region1.google-analytics.com. It collects: page URLs, page titles, referrer, scroll depth, session duration, event names and parameters, device type, browser and OS version, screen resolution, language, and approximate geolocation inferred from IP address.

Firebase Performance Monitoring When firebase/performance is imported, the SDK instruments the browser using the PerformanceObserver API. It captures First Contentful Paint (FCP), page load timing, network request latency for XHR and fetch calls, and custom performance traces. Data is sent to firebaselogging-pa.googleapis.com. No cookies are set; measurements are sent as authenticated payloads using the Firebase app config.

Firebase Cloud Messaging (FCM) When push notifications are enabled, the SDK registers a service worker that contacts fcm.googleapis.com. The browser's notification permission prompt is shown before any messaging occurs. A registration token is stored in the app's IndexedDB.

Firebase Remote Config Contacts firebaseremoteconfig.googleapis.com to fetch configuration values. No cookies or persistent identifiers are set for this module specifically.

Consent & Compliance

GDPR/ePrivacy: Firebase Authentication, Hosting, Firestore, and Remote Config are strictly necessary services when used as application infrastructure. Firebase Analytics sets persistent tracking cookies (_ga, _gid) and transfers behavioral data to Google — requiring explicit opt-in consent under GDPR Article 7 and the ePrivacy Directive. The French CNIL and German DSK have both issued guidance that Google Analytics (the engine behind Firebase Analytics) requires consent and appropriate data transfer safeguards.

CCPA/CPRA: Firebase Analytics data flowing to Google Analytics constitutes sharing personal information under CCPA. Sites must honor opt-out requests and disclose this data sharing.

EU-US Data Transfers: Firebase Analytics data is processed by Google LLC in the United States. Google participates in the EU-US Data Privacy Framework (DPF), providing a valid transfer mechanism post-Schrems II.

IAB TCF: Firebase Analytics maps to IAB TCF Purpose 1 (store/access information) and Purpose 7 (measurement).

Consent category: Mixed — Essential (Auth, Firestore, Hosting, Functions) and Analytics (Firebase Analytics, Performance Monitoring).

Should You Block This Without Consent?

Conditional. Firebase Authentication, Firestore, Cloud Functions, and Hosting are essential infrastructure — do not block them. Firebase Analytics and Performance Monitoring set persistent cookies and transfer behavioral data to Google; initialize these modules only after analytics consent is granted. Use Firebase's modular SDK imports to ensure analytics packages are never loaded before consent is established.

Visit website

Consent Categories

Analytics
Essential

Also Known As

Firebase AnalyticsFirebase SDKGA4Google FirebaseFirebase Hosting

Industries

Computers Electronics and TechnologySearch Engines

Tracked Domains (4)

firebaseinstallations.googleapis.comEssential
firebase.googleapis.comEssential
firebaseremoteconfig.googleapis.comEssential
firebaselogging-pa.googleapis.comEssential

Frequently Asked Questions

Does Firebase require cookie consent?

It depends on which modules are loaded. Firebase Auth, Firestore, Hosting, and Functions are essential — no consent required. Firebase Analytics (powered by GA4) sets persistent tracking cookies and requires analytics consent before initialization. Block only the analytics module; do not block the entire Firebase SDK.

What cookies does Firebase Analytics set?

Firebase Analytics sets _ga (first-party, 2 years) as the GA4 client identifier, _ga_<MEASUREMENT_ID> (2 years) for session tracking, and _gid (24 hours) for day-level sessions. A _FIREBASE_APP_INSTANCE_ID is stored in IndexedDB. Data is sent to analytics.google.com. Firebase Auth stores session tokens in localStorage, not cookies.

How does ConsentStack manage Firebase on single-page apps?

ConsentStack classifies Firebase as mixed: essential for Auth, Firestore, and Hosting; analytics for Firebase Analytics. It blocks Firebase Analytics initialization until analytics consent is granted. ConsentStack recommends modular SDK imports so the analytics package is never loaded before the user's consent status is established on page load.

Other Google Products

Google Ads
Google Ads
Google Ads is Google's advertising platform for search, display, and remarketing campaigns. Conversion tracking scripts fire on advertiser landing pages to measure actions taken after ad clicks. The remarketing tag builds audience lists for retargeting users across Google's ad network.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
YouTube
YouTube
YouTube is Google's video platform, widely used to embed video content on external websites. The YouTube iframe player loads JavaScript that communicates with Google's servers for video playback, quality control, and ad serving. Embedded players may set cookies tied to the viewer's Google account to track watch history and personalize recommendations.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
YouTube Player
YouTube Player
YouTube Player embeds YouTube videos on external websites via iframe. Scripts load from Google's servers and set cookies for video playback preferences, watch history, and ad targeting. Cookies are dropped even when visitors only view the embed without interacting with the player.

Related Vendors

Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Microsoft Dynamics 365
Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.
Microsoft
Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.
LinkedIn Insight Tag
LinkedIn Insight Tag
LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.
Amazon.com
Amazon.com
Present on third-party sites through Amazon Associates (affiliate tracking), Amazon Advertising pixels, and AWS-hosted assets. The Associates script fires conversion events when users arrive from Amazon affiliate links. Amazon Advertising's pixel tracks product page views and purchase events to build retargeting audiences on Amazon's ad network.

Manage consent for Firebase

ConsentStack automatically detects and manages Firebase trackers so your site stays compliant with global privacy regulations.

Get started free