Firebase Auth Session Lost on Custom Domain

Firebase Auth login succeeded but session was lost on every page refresh after moving to a custom domain. Root cause: the custom domain was not added to Firebase Console's Authorized Domains list for the Authentication project. Session cookies and token refresh calls require the domain to be explicitly authorized.

March 5, 2026· 4 min read

#firebase #authentication #firebase-auth #custom-domain #session #configuration

ShareX LinkedIn

Generate post copy →

Quick FixHigh confidence · 95/100

Symptom: Firebase Auth login flow completes successfully but the user is logged out on every page refresh. Browser console shows auth/unauthorized-domain error. Works on localhost but fails on custom domain.
Root Cause: The custom domain (e.g., trustseal.asquaresolution.com) is not in Firebase Console → Authentication → Settings → Authorized Domains. Firebase Auth rejects session persistence and token refresh requests from unlisted domains.
Fix: Firebase Console → [project] → Authentication → Settings → Authorized Domains → Add Domain. Enter the custom domain exactly. No redeploy required — takes effect immediately.
Time to Resolve: 2 min

Resolution Steps

1Open browser DevTools on the custom domain while logged in
2Check the Console for auth/unauthorized-domain or similar Firebase Auth errors
3Go to Firebase Console → select the project → Authentication → Settings tab
4Scroll to 'Authorized domains' section
5Click 'Add domain' and enter the custom domain exactly (e.g., trustseal.asquaresolution.com)
6Save — no redeployment needed
7Refresh the app on the custom domain and verify session persists after page reload

What Happened

During TrustSeal's custom domain activation (March 2026), Firebase Auth appeared to work — users could log in through the email/password flow and the app showed the authenticated state. But refreshing the page immediately showed the login screen again. The session was not persisting.

The error only appeared in the browser DevTools console under the Network tab — a failed POST to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=... returned a 400 with UNAUTHORIZED_DOMAIN in the response body. The Firebase Auth SDK caught this silently and treated it as a sign-out event.

Before the custom domain was configured, all development and testing was done on localhost (which Firebase automatically includes in the authorized list) and the github.io subdomain. Neither revealed the issue because both were already authorized.

Why Sessions Fail

Firebase Auth uses a combination of:

IndexedDB — for storing the auth token locally in the browser
Token refresh calls — periodic requests to Google's identity service to get a fresh token

The token refresh call includes the origin header of the requesting domain. Firebase validates this against the Authorized Domains list. If the domain is not listed, the refresh is rejected, the token expires, and Firebase Auth fires the onAuthStateChanged callback with null — which the app interprets as "user logged out."

The login itself can complete because the login form's POST request origin may still be validated against localhost or the GitHub Pages domain. But the refresh fails the moment the custom domain tries to issue one.

The Configuration Requirement

Firebase Auth's Authorized Domains list is not automatically updated when a custom domain is configured on GitHub Pages, Vercel, or any other hosting provider. It is a separate Firebase Console configuration step that must be done explicitly.

Default authorized domains (always present):

localhost
[project-id].firebaseapp.com
[project-id].web.app

Must be added manually:

Any custom domain used in production
The GitHub Pages subdomain if testing before switching to custom domain ([username].github.io)

Resolution

Firebase Console → Authentication → Settings → Authorized Domains → Add Domain

Added trustseal.asquaresolution.com. No code changes, no redeploy — the setting takes effect server-side immediately.

For ScamCheck (scamcheck.asquaresolution.com), the same configuration was added during initial setup after learning from the TrustSeal incident. Both custom domains and the GitHub Pages testing subdomain were added before going live.

Prevention

Pre-launch checklist for any Firebase Auth deployment with custom domains:

Custom production domain added to Authorized Domains list
GitHub Pages testing subdomain added (if testing before DNS cutover)
Auth session persistence tested specifically on the custom domain, not just on the Firebase hosting URL
Browser DevTools Console checked for auth/unauthorized-domain errors after login
Test: log in → refresh page → confirm session persists

Pattern: This is a silent configuration failure — the app works completely in development and test environments, then fails in a specific production context (the custom domain) with no visible error in the UI. Same class as environment-variable-missing-production and Razorpay key mode mismatch: a credential or authorization that is scoped to one context is absent from another.

DEBUGGING INTELLIGENCE

Fix Confidence

High Confidence90/100

Recovery Complexity

Trivial· 2 confirmed instances

Pattern Family

◈ PatternRuntime Environment Scope Drift→

This failure belongs to a named recurring pattern. Other failures in this family share the same root cause structure — understanding the pattern prevents multiple failure types simultaneously.

Related Failures in Same Pattern

↳ FailureEdge Runtime Deployment Failure→↳ FailureEnvironment Variable Missing in Production→↳ FailureLiteSpeed Cache Ignores Client no-cache Headers→↳ FailureRazorpay Test/Live Key Mode Mismatch→↳ FailureFirebase Cloud Functions Crashing on Default Node Runtime→↳ FailureGemini API 429 Rate Limit Returns Hanging Spinner Instead of User Feedback→↳ FailureGA4 Production Analytics Contaminated by Vercel Preview Deployments→

Prevention Lessons

→ LessonDeployment Verification Checklist — A Square Solutions→

Completing these lessons would have prevented this failure.

Demonstrated In

▶ Case StudyTrustSeal — Architecture and Build→

This failure occurred in a real production context. These case studies show the full arc from incident to resolution.

View all failure patterns →

Related in Failure Archive

Razorpay Test/Live Key Mode Mismatch

Razorpay checkout modal opened and payment appeared to complete, but the webhook was never fired and the subscription wasn't activated. Root cause: client-side key was in test mode (rzp_test_) while the server-side Cloud Function key was in live mode (rzp_live_), or vice versa. Both keys must match modes simultaneously.

2026-02-20→

Firebase Functions 403 After Redeploy — Firestore Rules Deployment Order

Firebase Cloud Functions returned 403 errors with missing auth context for 12 minutes after a redeploy that included a Firestore rules update. Root cause: Functions were deployed before Rules, creating a window where new function code ran against stale IAM/rules state. Fix: always deploy Firestore rules before Cloud Functions when both change in the same release.

2026-05-24→

Firebase Cloud Functions Crashing on Default Node Runtime

Firebase Cloud Functions deployed and appeared active in the console but crashed on every invocation in production. Cold start succeeded but function execution failed with unhandled promise rejections and module resolution errors not present in local development. Root cause: default Node runtime version (Node 18) had known incompatibilities with the npm packages used. Migrating to Node 22 runtime resolved production crashes.

2026-02-01→

All Failure Archive