Migrate from Firebase Auth

Move Firebase Auth users (including firebase-scrypt passwords) and social providers to Avnology ID.

Firebase Auth stores passwords using a modified scrypt (firebase-scrypt) that requires the project-level signer key and salt separator to verify. This guide shows how to carry everything across intact.

Prerequisites

  • avnology CLI installed.
  • Admin API key in .env.
  • Firebase project owner or Authentication Admin role.
  • gcloud CLI + the Firebase CLI (firebase-tools).

Equivalent concepts

| Firebase Auth | Avnology ID |
|---|---|
| Project | Organization |
| Authentication provider (Email/Password) | Password method |
| Authentication provider (Google / Apple / …) | Social provider (OIDC) |
| Anonymous user | Not supported — use a service account pattern instead |
| Custom claims | Token claim resolver |
| Blocking function | Webhook Hook |
| admin.auth().createUser() | POST /v1/users |
| user.uid | external_id |
| email_verified | email_verified (same semantics) |

Export users from Firebase

firebase auth:export firebase_users.json \
  --format=JSON \
  --project=<your-project-id>

The export includes top-level hashing parameters (salt, saltSeparator, memoryCost, rounds) required to verify passwords later. Keep this file out of version control — it contains everything needed to check credentials.

A record looks like:

{
  "users": [
    {
      "localId": "firebase-user-1",
      "email": "user@example.com",
      "emailVerified": true,
      "displayName": "Margaret Hamilton",
      "photoUrl": "https://…",
      "passwordHash": "base64hash==",
      "salt": "perUserSalt=="
    }
  ]
}

Import with the CLI

avnology migrate firebase-auth --import firebase_users.json --dry-run
avnology migrate firebase-auth --import firebase_users.json

The CLI:

  • Copies passwordHash + per-user salt into the identity's password record.
  • Attaches the project-level saltSeparator, memoryCost, rounds, and signer key as hash parameters.
  • Marks the hash algorithm as firebase-scrypt.
  • Sets external_id = <localId>.
  • Copies displayName → traits.name, photoUrl → traits.picture, phoneNumber → traits.phone_number, customAttributes → traits.custom_attributes.

Avnology's firebase-scrypt verifier requires the project signing key. If you rotate the key on Firebase after export, existing users cannot authenticate until you either re-export or ask them to reset their password.
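
How a firebase-scrypt check consumes the per-user and project-level values listed above, and why a changed signer key makes every stored hash fail. This is an added example, not Avnology's or Firebase's code; it follows the construction used by publicly available firebase-scrypt implementations. The function names and all sample values are constructed, and the signer key and salt separator are assumed to be supplied as raw bytes.

```javascript
const { scryptSync, createCipheriv, timingSafeEqual } = require('node:crypto');

// Recompute the stored hash: scrypt(password, userSalt || saltSeparator), then
// AES-256-CTR (zero IV) encrypts the project signer key under the derived key.
function firebaseScryptHash(password, userSalt, params) {
  const N = 2 ** params.memoryCost;
  const derivedKey = scryptSync(
    Buffer.from(password, 'utf8'),
    Buffer.concat([userSalt, params.saltSeparator]),
    32,
    { N, r: params.rounds, p: 1, maxmem: 256 * N * params.rounds },
  );
  const cipher = createCipheriv('aes-256-ctr', derivedKey, Buffer.alloc(16));
  return Buffer.concat([cipher.update(params.signerKey), cipher.final()]);
}

// Compare against the exported passwordHash in constant time.
function verifyFirebasePassword(password, user, params) {
  const expected = Buffer.from(user.passwordHash, 'base64');
  const actual = firebaseScryptHash(password, Buffer.from(user.salt, 'base64'), params);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Constructed project-level parameters (not real Firebase values).
const projectParams = {
  signerKey: Buffer.alloc(64, 0x5a),
  saltSeparator: Buffer.from('Bw==', 'base64'),
  rounds: 8,
  memoryCost: 14,
};

// Constructed user record using the export's field names.
const sampleUser = {
  localId: 'firebase-user-1',
  salt: Buffer.from('constructed-salt').toString('base64'),
};
sampleUser.passwordHash = firebaseScryptHash(
  'correct horse', Buffer.from(sampleUser.salt, 'base64'), projectParams,
).toString('base64');

// Same user and password, but a different signer key than the one that
// produced the stored hash (the rotation case described above).
const rotatedParams = { ...projectParams, signerKey: Buffer.alloc(64, 0xa5) };

console.log(verifyFirebasePassword('correct horse', sampleUser, projectParams));
console.log(verifyFirebasePassword('wrong guess', sampleUser, projectParams));
console.log(verifyFirebasePassword('correct horse', sampleUser, rotatedParams));
```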

Social providers

Firebase Auth social IDPs (Google, Apple, Facebook, Twitter, GitHub, Microsoft) map to Avnology's social providers. Users linked via social sign-in on Firebase have a providerUserInfo[] array listing each federated identity — these are preserved as link-later records on Avnology. The next time the user signs in via the same provider, Avnology reconciles the identities by external_id.

OAuth client migration

Firebase Auth has implicit client configuration — you configure providers inside the Firebase console. On Avnology you register explicit OAuth 2.1 clients. For each app that currently uses Firebase Auth:

  1. Register a new OAuth client in the Avnology dashboard under Developer → Applications.
  2. Add the old Firebase Auth domain to Allowed Origins during the cutover window so tokens issued before cutover still validate.

Redirect URL mapping

| Firebase URL | Avnology ID URL |
|---|---|
| https://<project>.firebaseapp.com/__/auth/handler | https://<api-domain>/oauth2/auth |
| https://securetoken.google.com/<project> (token issuer) | https://<api-domain> |
| https://www.googleapis.com/identitytoolkit/v3/relyingparty/… | https://<api-domain>/v1/… |

Firebase's client SDK hard-codes its endpoints; you cannot keep the Firebase SDK and target Avnology. Swap to @avnology/sdk-typescript or the framework-specific wrapper.

Blocking functions → Hooks

Firebase Auth's beforeCreate / beforeSignIn blocking functions become Avnology webhook hooks subscribed to user.pre_create / session.pre_create. The payload fields map straightforwardly; port the function body into your own HTTP handler and subscribe it.

Cutover plan

  1. Stage the migration in a non-production Firebase project first. Verify a password-backed login and a Google social login after import.
  2. Deploy both Firebase Auth and Avnology side-by-side for 1 week. Your frontend can probe both (Firebase first, fall back to Avnology) to catch any missed users.
  3. Cutover: switch the frontend to Avnology-only. Keep Firebase running for 30 days.
  4. Delete the Firebase Auth user pool once audit logs are exported.