When sending a Firebase ID token from your React frontend to your Node API, the browser preflight request often fails with a CORS error.
This prevents your backend from verifying the token using firebase-admin.
CORS errors with Firebase and Node happen when the frontend domain isn't authorized in Firebase or when your Express API lacks the correct headers.
Quick Fix Summary
- 1Add your frontend domain (localhost or Vercel URL) to Firebase Authorized Domains.
- 2Use the cors() middleware in your Express.js application.
- 3Send tokens using Authorization: Bearer <token>.
Root Causes
Missing Express CORS Headers
Your Node.js API is rejecting requests from a different origin (port) because CORS is not explicitly allowed.
Unauthorized Firebase Domain
Firebase will reject Google OAuth and link requests if the requesting domain is not explicitly whitelisted.
Step-by-Step Fix Guide
Install and configure CORS in Express
You must whitelist your specific frontend domains inside your backend server.
const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({
origin: ['http://localhost:3000', 'https://your-production-app.vercel.app'],
credentials: true
}));Add domains to Firebase Console
Go to Firebase Console -> Authentication -> Settings -> Authorized domains and add your Vercel/Netlify URL.
Database returning permission denied?
I can audit your Firestore rules, fix CORS errors, and secure your authentication flow.
Get Firebase HelpRelated Errors
Missing or insufficient permissions
Ensure your Firestore rules check for request.auth.uid != null.
Prevention Strategy
- Always configure CORS to specifically allow your production domain, not '*'.
- Verify ID tokens on the backend using firebase-admin instead of trusting client IDs.
Still Stuck With This Issue?
Send your exact error message or deployment issue. I'll respond with a targeted fix.
Need a Deeper Fix?
Describe your full project issue below and I'll get back to you with a targeted fix.