iOS phone auth calls legacy v3/relyingparty endpoint — reCAPTCHA Enterprise tokens rejected (503) on @react-native-firebase/auth v24.1.1 / Firebase iOS SDK 12.10.0

[drabdanoo]

Environment

	Version
@react-native-firebase/app	24.1.1 (latest on npm)
@react-native-firebase/auth	24.1.1
Firebase iOS SDK (bundled)	12.10.0 (from package.json sdkVersions.ios.firebase)
Expo SDK	56.0.0
React Native	0.85.3
Platform	iOS only (Android phone auth works)
Distribution	TestFlight / production APNs
iOS version tested	iOS 26.5 (iPhone 17,3)
Firebase project	tabiby-rn, project number 58556901822
App bundle ID	com.khazer.tabiby

---

What is happening

Phone auth (signInWithPhoneNumber) fails on real iOS devices (TestFlight). Firebase test numbers pass fine. The SDK surfaces [auth/internal-error] An internal error has occurred which is an empty-body 400/503 — the real server error is hidden.

Android phone auth works correctly — SMS delivers, OTP flow completes.

---

Root cause — confirmed from Sentry network breadcrumbs (production build)

The SDK calls the legacy googleapis.com/identitytoolkit/v3/relyingparty endpoint rather than the modern identitytoolkit.googleapis.com/v1/accounts endpoint. reCAPTCHA Enterprise tokens are generated successfully (all api3 calls return 200) but are then sent to the v3 endpoint which rejects them.

Full network trace from Sentry breadcrumbs on build com.khazer.tabiby@1.0.1+20:

POST [Filtered]  403  ← APNs verifyClient rejected
POST [Filtered]  400  ← sendVerificationCode first attempt rejected
GET  https://identitytoolkit.googleapis.com/v2/recaptchaConfig  200  ← SDK fetches reCAPTCHA config
GET  https://www.gstatic.com/recaptcha/verify_key/orcas/prod/ios/verify_key.txt  200
POST https://www.recaptcha.net/recaptcha/api3/mri  200  ─┐
POST https://www.recaptcha.net/recaptcha/api3/moa  200   ├─ reCAPTCHA Enterprise token generated OK
POST https://www.recaptcha.net/recaptcha/api3/mrr  200  ─┘
POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/sendVerificationCode  503  ← FAILS

The reCAPTCHA Enterprise token is generated (Firebase Console confirms healthy scores), but is sent to https://www.googleapis.com/identitytoolkit/v3/relyingparty/sendVerificationCode which returns 503 Service Unavailable.

The v3 endpoint predates reCAPTCHA Enterprise. The modern endpoint that accepts these tokens is https://identitytoolkit.googleapis.com/v1/accounts:sendVerificationCode.

---

Additional context

• Both credential paths fail: APNs verifyClient returns 403. reCAPTCHA Enterprise token sent to v3 returns 503. This is not a configuration issue — every configurable surface has been verified correct over 19+ TestFlight builds.
• Firebase iOS SDK 12.10.0 is what @react-native-firebase v24.1.1 bundles (from package.json sdkVersions.ios.firebase). Firebase iOS SDK 12.15.0 is the latest available; its changelog (12.11–12.15) shows no phone auth endpoint changes.
• @react-native-firebase v24.1.1 is already the latest on npm — there is no v25 to upgrade to.
• Android works — presumably because the Android Firebase SDK already uses the modern endpoint (or Play Integrity tokens are accepted by v3).
• Probing v3/relyingparty/sendVerificationCode directly with the iOS API key returns INVALID_APP_CREDENTIAL without a reCAPTCHA token, and 503 with a reCAPTCHA Enterprise token.
• The 503 may indicate Google is actively deprecating the v3 endpoint, which would mean every iOS app on @react-native-firebase v24 is affected or about to be affected.

---

What we need

1. Confirmation of which Identity Toolkit endpoint Firebase iOS SDK 12.10.0 calls for phone auth.
2. Confirmation of which Firebase iOS SDK version switches to v1/accounts:sendVerificationCode.
3. A patch release of @react-native-firebase that bundles a Firebase iOS SDK version where the correct endpoint is used.

The workaround in place is Google Sign-In + Apple Sign-In (both work fine via OAuth/OIDC, bypassing phone auth entirely). But phone OTP is the primary sign-in method for this healthcare app's user base.

---

Steps to reproduce

1. Install @react-native-firebase/auth v24.1.1 in an Expo SDK 56 app.
2. Configure Firebase phone auth with reCAPTCHA Enterprise (PHONE_PROVIDER: ENFORCE).
3. Distribute via TestFlight (production APNs environment).
4. Call signInWithPhoneNumber(auth, phoneNumber) on a real iOS device.
5. Observe: no SMS received. auth/internal-error thrown.
6. Inspect Sentry/network logs: v3/relyingparty/sendVerificationCode called, returns 503.

[drabdanoo]

Correction to original report — Android also broken

In the original issue I stated:

Android phone auth works correctly — SMS delivers, OTP flow completes (build 6, confirmed via Sentry)

This was an incorrect inference from a single Sentry event. Android phone auth is also broken.

Tested on Android preview build (build 9, com.khazer.tabiby@1.0.1+9) on a Huawei LIO-L29 (Android 10):

Error: [auth/unknown] An internal error has occurred. [ Error code: 39 ]

Sentry does not capture HTTP breadcrumbs for the Android Firebase SDK (it uses native networking, not the JS layer), so we can't confirm whether Android also routes through v3/relyingparty. But the failure pattern is the same — phone auth fails before any SMS is sent.

So the issue affects both iOS and Android on @react-native-firebase v24.1.1:

• iOS: auth/internal-error → SDK confirmed calling https://www.googleapis.com/identitytoolkit/v3/relyingparty/sendVerificationCode → 503
• Android: auth/unknown error code 39 → internal error before SMS delivery

Apologies for the incorrect original statement.

[mikehardy]

Hi there 👋

Sorry for the trouble - with regards to these (I've added numbers):

1 Confirmation of which Identity Toolkit endpoint Firebase iOS SDK 12.10.0 calls for phone auth.
2 Confirmation of which Firebase iOS SDK version switches to v1/accounts:sendVerificationCode.
3 A patch release of @react-native-firebase that bundles a Firebase iOS SDK version where the correct endpoint is used.

Numbers 1 and 2 will find answers upstream in firebase-ios-sdk - I can't answer those here

However, for number 3 I can tell you that I just merged support for the latest firebase-ios-sdk (12.15.0):

• build(deps): adopt Firebase SDK 12.15.0 / Android BOM 34.15.0 #9064

...it did require a build fix though and is a breaking change over the current 12.10.0.

You may safely adopt through firebase-ios-sdk 12.13.0 with the current react-native-firebase codebase by using the SDK override escape hatch mentioned here https://rnfirebase.io/#overriding-native-sdk-versions

You may not upgrade past that to 12.14.0 or 12.15.0 without a small compile fix in this specific file - though it is a small fix and that would allow you to access the newest firebase-ios-sdk versions to see if that fixes things: https://github.com/invertase/react-native-firebase/pull/9064/changes#diff-2deb37137a0aaa758c4c3232992178eaf3aeb3e8db940d400b4f1f083bf96034

In addition, this isn't quite ready for publish yet but I pushed the working tree of full reCAPTCHA Enterprise support which will undoubtedly affect this area, it's the current frontier of development here but I'm hoping to release it tomorrow morning

• feat: implement reCAPTCHA Enterprise #9066

Once I've got the react-native-firebase v25 release out - with the contents of those PRs so we are fully current I think this will need a full re-test for reproduction

You may have luck just with the firebase-ios-sdk local override updates I mention though - if you do I would be interested to know

Thanks

[drabdanoo]

Thanks @mikehardy — incredibly fast response, appreciate it.

While waiting, we implemented a Cloud Function proxy workaround that calls v1/accounts:sendVerificationCode with a service account bearer token, bypassing the native SDK path entirely. It's live and we'll test it this build cycle.

For the native fix: we'll skip the 12.13.0 override and wait for v25 with the full reCAPTCHA Enterprise support (#9066). Will test as soon as it's published and report back here with results.

One note: the original issue table says "Android phone auth works" — we posted a correction comment earlier (Android is also broken, auth/unknown error code 39). We later discovered the Android failure had a separate cause: our google-services.json was pointing at the wrong Firebase project entirely (medconnect-2 instead of tabiby-rn). Fixed that. So Android was a config error on our end, not an SDK bug — the iOS endpoint issue remains the real question for v25.

[mikehardy]

react-native-firebase v25.0.1 is publishing right now (there was a tiny type export fix on the v25.0.0 from this morning)

point an agent at https://rnfirebase.io/migrating-to-v25 and it hopefully gives you a nice migration 🤞

I'm very curious to hear testing results vs the new version (with the new underlying SDK versions)