When sending a Firebase ID token from your React frontend to your Node API, the browser preflight request often fails with a CORS error.
This prevents your backend from verifying the token using firebase-admin.
CORS errors with Firebase and Node happen when the frontend domain isn't authorized in Firebase or when your Express API lacks the correct headers.
Quick Fix Summary
- Add your frontend domain (localhost or Vercel URL) to Firebase Authorized Domains.
- Use the cors() middleware in your Express.js application.
- Send tokens using Authorization: Bearer <token>.
Root Causes
Missing Express CORS Headers
Your Node.js API is rejecting requests from a different origin (port) because CORS is not explicitly allowed.
Unauthorized Firebase Domain
Firebase will reject Google OAuth and link requests if the requesting domain is not explicitly whitelisted.
Step-by-Step Fix Guide
Install and configure CORS in Express
You must whitelist your specific frontend domains inside your backend server.
const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({
origin: ['http://localhost:3000', 'https://your-production-app.vercel.app'],
credentials: true
}));Add domains to Firebase Console
Go to Firebase Console -> Authentication -> Settings -> Authorized domains and add your Vercel/Netlify URL.
Database returning permission denied?
I can audit your Firestore rules, fix CORS errors, and secure your authentication flow.
Get Firebase HelpRelated Errors
Missing or insufficient permissions
Ensure your Firestore rules check for request.auth.uid != null.
Prevention Strategy
- Always configure CORS to specifically allow your production domain, not '*'.
- Verify ID tokens on the backend using firebase-admin instead of trusting client IDs.