Skip to content

Firebase Phone Auth still failing with reCAPTCHA Enterprise / SMS Defense, iOS says reCAPTCHA SDK not linked #7264

Description

@stomri

Can we access your project?

  • I give permission for members of the FlutterFlow team to access and test my project for the sole purpose of investigating this issue.

Current Behavior

Hi FlutterFlow team,

This may be related to #6638, but I am opening a new report because the original issue was created in Oct 2025 and I would like to confirm whether this is still unresolved in current FlutterFlow builds.

We are seeing a very similar issue in our production FlutterFlow project and would like to confirm whether this bug has already been fixed, or if there is a recommended workaround for current FlutterFlow builds.

Context

Project type:

  • FlutterFlow app
  • Firebase Authentication
  • Built-in Phone Sign In action
  • Platforms affected/tested: Web and iOS TestFlight
  • Firebase project uses Identity Platform / Firebase Authentication

Firebase configuration:

  • Phone provider is enabled
  • SMS region policy is set to allowlist-only: Vietnam (VN)
  • reCAPTCHA SMS Defense was enabled following Firebase Support guidance
  • Phone authentication enforcement mode tested in AUDIT
  • SMS fraud risk threshold tested at 0.8 and 0.9
  • Platform site keys configured for Web, Android, and iOS
  • App Check is registered for Web, Android, and iOS

Observed behavior

Web:

  • Pressing the Phone Sign In / Send OTP action does not proceed to the OTP verification screen.
  • Cloud Logging confirms that the request reaches Identity Platform:
    • methodName: google.cloud.identitytoolkit.v1.AuthenticationService.SendVerificationCode
    • phoneNumber format is correct E.164, for example +84904***383
    • status.code: 13
    • status.message: Error code: 39
  • Cloud Monitoring shows:
    • reCAPTCHA verdict_count has data
    • reCAPTCHA token_count has data
    • verdict_state = failed_in_audit
    • sent_sms_count has no useful data
    • blocked_sms_count has no useful data

iOS TestFlight:

This looks related to the issue described here, where Firebase Phone Auth requires reCAPTCHA Enterprise after recent firebase_auth changes, but FlutterFlow generated apps may not fully include/configure the required reCAPTCHA Enterprise integration.

Questions

  1. Has this confirmed bug been fixed in current FlutterFlow builds?
  2. Do FlutterFlow managed builds currently support Firebase Phone Authentication with reCAPTCHA SMS Defense / reCAPTCHA Enterprise enabled?
  3. For iOS managed builds, does FlutterFlow include/link the required reCAPTCHA Enterprise iOS SDK? The error we see is:
    "The reCAPTCHA SDK is not linked to your app."
  4. If this is fixed, what FlutterFlow version / Firebase Auth package version / rebuild steps are required?
  5. If this is not fixed yet, is there any official workaround besides:
    • exporting code and manually adding the native reCAPTCHA Enterprise SDK, or
    • disabling Firebase Phone Auth and implementing custom OTP through Cloud Functions + an SMS provider?
  6. Is there a way inside FlutterFlow managed builds to pin/downgrade firebase_auth or add the required native iOS/Android reCAPTCHA Enterprise dependencies?

This is blocking phone-login production usage for our app. We can provide additional logs/screenshots if needed.

Thanks.

Expected Behavior

Firebase Phone Authentication should send the OTP successfully and trigger the normal FlutterFlow phone auth flow.

Expected behavior:

  • On Web, the built-in Phone Sign In action should request the SMS verification code and continue to the OTP verification screen.
  • On iOS TestFlight, the app should not fail with "The reCAPTCHA SDK is not linked to your app."
  • If reCAPTCHA SMS Defense / reCAPTCHA Enterprise is required by Firebase Auth, FlutterFlow managed builds should include and configure the required SDKs automatically for Web, Android, and iOS, or provide a documented way to enable them.

Steps to Reproduce

  1. Create or open a FlutterFlow project with Firebase Authentication enabled.
  2. Enable Firebase Phone Authentication in Firebase Console.
  3. In FlutterFlow, add a phone number input page.
  4. Add FlutterFlow's built-in Firebase Phone Sign In / Send OTP action.
  5. Configure the app to send the phone number in E.164 format, for example +84904305383.
  6. In Firebase Console, enable reCAPTCHA SMS Defense for Firebase Authentication as advised by Firebase Support.
  7. Set Phone authentication enforcement mode to AUDIT.
  8. Configure the SMS fraud risk threshold, tested with both 0.8 and 0.9.
  9. Configure platform site keys for Web, Android, and iOS.
  10. Set SMS region policy to allowlist-only with Vietnam (VN).
  11. Run the app on Web and press the Send OTP button.
  12. Observe that the app does not proceed to the OTP verification screen.
  13. Check Google Cloud Logs Explorer:
    • methodName: google.cloud.identitytoolkit.v1.AuthenticationService.SendVerificationCode
    • status.code: 13
    • status.message: Error code: 39
  14. Check Cloud Monitoring:
    • reCAPTCHA verdict_count has data
    • reCAPTCHA token_count has data
    • verdict_state = failed_in_audit
    • sent_sms_count has no useful data
  15. Build and test the iOS app via TestFlight.
  16. Press the Send OTP button.
  17. Observe the iOS error:
    "The reCAPTCHA SDK is not linked to your app. See https://cloud.google.com/recaptcha-enterprise/docs/instrument-ios-apps"

Reproducible from Blank

  • The steps to reproduce above start from a blank project.

Bug Report Code (Required)

IT4OheflzItOtbxY15PpbcdvoDwRNj8na4ZMl8JuUQs3JZ/NGu4MPsneVFRuZry7S2xheGeKgmAx1vfqv/HDCfFdaC6VG5hH1bVxWgHNQTilVqqTDbq3fW1SAtFgCkC91p67phNDBNZiLFY96jmlffKvcCvtN77MDDM0D8+LKdeK2SrDX1iXc2URm05KZDPz

Visual documentation

Additional evidence:

Firebase Support advised us to enable reCAPTCHA SMS Defense because real Vietnamese phone numbers were failing with Firebase Auth SMS error codes 39 and 13.

After enabling reCAPTCHA SMS Defense:

  • Web requests reach Identity Platform but fail with Error code 39.
  • Cloud Monitoring shows reCAPTCHA verdict_state = failed_in_audit.
  • iOS TestFlight fails with "The reCAPTCHA SDK is not linked to your app."

This suggests FlutterFlow managed builds may not fully support Firebase Phone Auth with reCAPTCHA Enterprise / SMS Defense requirements.

Image Image Image

Environment

- FlutterFlow version:
  Current FlutterFlow web editor / managed build as of July 2026

- Platform:
  Web Preview / FlutterFlow Test Mode
  iOS TestFlight build
  Firebase Authentication / Identity Platform
  Firebase Phone Authentication
  reCAPTCHA SMS Defense / reCAPTCHA Enterprise enabled

- Browser name and version:
  Microsoft Edge / Chrome-based browser on Windows 10
  User agent observed in Cloud Logging:
  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0

- Operating system and version affected:
  Windows 10 for Web testing
  iOS TestFlight build on iPhone

- Firebase / Google Cloud configuration:
  Phone Authentication provider enabled
  SMS region policy: allowlist-only, Vietnam (VN)
  reCAPTCHA SMS Defense enabled
  Phone authentication enforcement mode tested in AUDIT
  SMS fraud risk threshold tested at 0.8 and 0.9
  Web, Android, and iOS reCAPTCHA platform site keys configured
  App Check registered for Web, Android, and iOS

Additional Information

This issue is blocking production phone login for our app.

Firebase Support advised us to enable reCAPTCHA SMS Defense because real Vietnamese phone numbers were failing with Firebase Auth SMS error codes 39 and 13.

After enabling reCAPTCHA SMS Defense, the behavior is:

Web:

  • The FlutterFlow built-in Phone Sign In action does not proceed to the OTP verification screen.
  • Cloud Logging confirms that the request reaches Identity Platform:
    methodName: google.cloud.identitytoolkit.v1.AuthenticationService.SendVerificationCode
    phoneNumber format received by Firebase is correct E.164, e.g. +84904***383
    status.code: 13
    status.message: Error code: 39
  • Cloud Monitoring shows:
    reCAPTCHA verdict_count has data
    reCAPTCHA token_count has data
    verdict_state = failed_in_audit
    sent_sms_count has no useful data
    blocked_sms_count has no useful data

iOS TestFlight:

We also tested in Incognito and the issue persists.

This looks related to Firebase Phone Auth now requiring reCAPTCHA Enterprise / SMS Defense support, but FlutterFlow managed builds may not be fully linking or configuring the required SDKs, especially on iOS.

We need to confirm whether FlutterFlow managed builds currently support Firebase Phone Auth with reCAPTCHA SMS Defense / reCAPTCHA Enterprise enabled, and whether there is an official workaround if not.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions