Firebase MCP Server
MCP server for interacting with Firebase Authentication, Firestore, and Storage services
Score Breakdown
Server Info
- Package
- @gannonh/firebase-mcp
- Registry
- npm
- Repository
- gannonh/firebase-mcp
- Maintainer
- Community
- Category
- Cloud & Infrastructure
- Tags
- firebasedatabaseauth
- Last Scanned
- 7 Apr 2026
Findings
5 issuesAuthentication & Identity
MEDIUMHTTP/SSE transport supports per-request credentials
Supports both stdio and HTTP (StreamableHTTPServerTransport) transports. Authentication uses a Firebase service account key file path via SERVICE_ACCOUNT_KEY_PATH env var. No MCP OAuth implementation. The HTTP transport has no authentication layer itself; anyone who can reach the HTTP endpoint gets full Firebase service account access. Session management via mcp-session-id headers.
Implement the MCP OAuth spec so users authenticate directly without platform mediation.
Tool Schema Quality
MEDIUMOnly 2 of 12 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
Data Exposure
LOWNo field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
LOWCommunity-maintained by Gannon Hall (@gannonh)
No official vendor backing.
Seek vendor verification.
HIGH27 dependency vulnerabilities (2 critical, 10 high)
npm audit found 2 critical and 10 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
12 total| Name | Description | Risk |
|---|---|---|
| firestore_add_document | Add a document to a Firestore collection | write |
| firestore_list_documents | List documents from a Firestore collection with filtering and ordering | read |
| firestore_get_document | Get a document from a Firestore collection | read |
| firestore_update_document | Update a document in a Firestore collection | write |
| firestore_delete_document | Delete a document from a Firestore collection | admin |
| auth_get_user | Get a user by ID or email from Firebase Authentication | read |
| storage_list_files | List files in a given path in Firebase Storage | read |
| storage_get_file_info | Get file information including metadata and download URL | read |
| storage_upload | Upload a file to Firebase Storage. Supports local file paths (preferred for binary files), base64 data, or plain text. | write |
| storage_upload_from_url | Upload a file to Firebase Storage from an external URL. Perfect for images, documents, or any file accessible via URL. | write |
| firestore_list_collections | List root collections in Firestore | read |
| firestore_query_collection_group | Query documents across all subcollections with the same name (collection group query) | read |
Deploy Firebase MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow