调用 verifyIdToken 时，Admin SDK使用公共密钥对令牌进行解码并验证签名是否有效.它会从Google的服务器下载此密钥，但已缓存了24小时(因为它几乎从未更改过).验证令牌后，它将检查令牌是否已被吊销，这需要再次调用Firebase身份验证服务器.每次调用 verifyIdToken 都会发生此请求.

When you call verifyIdToken, the Admin SDK decodes the token with the public key and verifies that the signature is valid. It downloads this key from Google's servers, but it's cached for 24 hours (since it hardly ever changes). After verifying the token, it checks whether the token was revoked, which requires another call to the Firebase Authentication servers. This request happens for each call to verifyIdToken.

您可以对照源代码.

• verifyIdToken 代码>
• fetchPublicKeys
• verifyJWT
• verifyDecodedJWTNotRevoked 代码>