Firebase only sends already expired email verification links

Question

I'm clicking on the verification links immediately after getting the verification mail, but still the answer is only:

Try verifying your email again Your request to verify your email has expired or the link has already been used

The current code to send off the verification mail looks like this and is run right after the registration.

firebase.auth().onAuthStateChanged(function(user) {
    user.sendEmailVerification();
});

And the required firebase scripts are included like this:

<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase.js"></script>
<script>
  function init(){
    var config = {
      apiKey: "<asdf>",
      authDomain: "<asdf>.firebaseapp.com",
      databaseURL: "<asdf>.firebaseio.com"
    };
    firebase.initializeApp(config);
  }
</script>
<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase-auth.js"></script>
<script src="https://www.gstatic.com/firebasejs/3.6.1/firebase-database.js"></script>

And Email/Password is enabled as a sign-in method. I compared the setup with another Firebase project that has working verifications mails and can't find a difference.

Anyone have an idea what could be the issue?

Answer 1

The answer is here: stackoverflow.com/a/38274531/213156 Thanks a lot, Travis Christian!

If you've listed any HTTP referrers for your app's API key in the Google API console, you need to include the app itself which is where the emails originate: [app-name].firebaseapp.com. Otherwise this domain is not valid for your app's key."

Answer 2

If you have multiple apiKeys you may want to check this.

I had multiple apiKeys. I was using each of them for different client applications.

As mentioned in other answers, the email verification link includes an apiKey. In my case that apiKey was different from the one I used for the specific client application.

So, the solution was figuring out which apiKey is sent in the email verification and adding <app-name>.firebaseapp.com in the Application Restrictions > HTTP reference.

I wasted several hours, and it ruined my demo to a customer. Hopefully this solution saves someone else time and $

It is obvious the error message is very vague. Pretty much any answer here may lead you to a solution. So, be patient, get a coffee, and see which one applies to your case. I am saying all these because I got burned and stressed out for hours, hopefully you don't have to.

Summary:

If you have multiple apiKeys and you are doing Application Restrictions with HTTP reference, make sure <app-name>.firebaseapp.com is added to each apiKey.