AbuseGraph + Firebase Auth
Score Firebase signups from Cloud Functions with the hosted check API.
Install the browser SDK
npm install @palisade/sdk
Init early on app load. Call check({ email }) at signup or login — not on every page view.
Keys
| Key | Env | Use |
|---|---|---|
| Secret | ABUSEGRAPH_SECRET_KEY (sk_…) | Server /api/v1/check |
| Site | ABUSEGRAPH_SITE | Licensed domain |
| Publishable | NEXT_PUBLIC_ABUSEGRAPH_PUBLISHABLE_KEY (pk_…) | Optional browser SDK |
Env
bash
ABUSEGRAPH_SITE=acme.com
ABUSEGRAPH_CHECK_URL=https://abusegraph.com/api/v1/check
ABUSEGRAPH_SECRET_KEY=sk_live_…Cloud Function — beforeUserCreated
typescript
import { beforeUserCreated } from "firebase-functions/v2/identity"
import { HttpsError } from "firebase-functions/v2/https"
export const abusegraphBeforeCreate = beforeUserCreated(async (event) => {
const email = event.data.email
if (!email) return
const site = process.env.ABUSEGRAPH_SITE!
const res = await fetch(
process.env.ABUSEGRAPH_CHECK_URL ??
"https://abusegraph.com/api/v1/check",
{
method: "POST",
headers: {
"content-type": "application/json",
"x-api-key": process.env.ABUSEGRAPH_SECRET_KEY!,
"x-abusegraph-site": site,
},
body: JSON.stringify({
email,
userId: event.data.uid,
event: "signup",
ip: event.ipAddress,
site,
}),
},
)
if (res.status === 402) {
throw new HttpsError("resource-exhausted", "credits_exhausted")
}
const result = await res.json()
if (result.verdict === "block") {
throw new HttpsError("permission-denied", "Signup blocked")
}
})Login
Use beforeUserSignedIn with event: "login" the same way.
Browser SDK (optional)
typescript
import { init } from "@palisade/sdk"
const sdk = init({
publicKey: process.env.NEXT_PUBLIC_ABUSEGRAPH_PUBLISHABLE_KEY!,
})
const collected = await sdk.collect()
const edge = await sdk.evaluate(collected, { email })
// Send sdk.toCheckBody(collected, { email, event: "signup",
// verdictToken: edge.verdictToken.token }) to a Callable Function that
// posts to /api/v1/check with sk_