API Usage
You can use any Firebase Realtime Database URL as a REST endpoint. All you need to do is append .json to the end of the URL and send a request from your favorite HTTPS client.
HTTPS is required. Firebase only responds to encrypted traffic so that your data remains safe.
GET - Reading Data
Data from your Realtime Database can be read by issuing an HTTP GET request to an endpoint. The following example demonstrates how you might retrieve a user's name that you had previously stored in Realtime Database.
curl'https://[PROJECT_ID].firebaseio.com/users/jack/name.json'
A successful request is indicated by a 200 OK HTTP status code. The response contains the data associated with the path in the GET request.
{ "first": "Jack", "last": "Sparrow" }PUT - Writing Data
You can write data with a PUT request.
curl-XPUT-d'{ "first": "Jack", "last": "Sparrow" }'\'https://[PROJECT_ID].firebaseio.com/users/jack/name.json'
A successful request is indicated by a 200 OK HTTP status code. The response contains the data specified in the PUT request.
{ "first": "Jack", "last": "Sparrow" }POST - Pushing Data
To accomplish the equivalent of the JavaScript push() method (see Lists of Data), you can issue a POST request.
curl-XPOST-d'{"user_id" : "jack", "text" : "Ahoy!"}'\'https://[PROJECT_ID].firebaseio.com/message_list.json'
A successful request is indicated by a 200 OK HTTP status code. The response contains the child name of the new data specified in the POST request.
{ "name": "-INOQPH-aV_psbk3ZXEX" }PATCH - Updating Data
You can update specific children at a location without overwriting existing data using a PATCH request. Named children in the data being written with PATCH are overwritten, but omitted children are not deleted. This is equivalent to the JavaScript update() function.
curl-XPATCH-d'{"last":"Jones"}'\'https://[PROJECT_ID].firebaseio.com/users/jack/name/.json'
A successful request is indicated by a 200 OK HTTP status code. The response contains the data specified in the PATCH request.
{ "last": "Jones" }DELETE - Removing Data
You can delete data with a DELETE request:
curl-XDELETE\'https://[PROJECT_ID].firebaseio.com/users/jack/name/last.json'
A successful DELETE request is indicated by a 200 OK HTTP status code with a response containing JSON null.
Method Override
If you make REST calls from a browser that does not support the preceding methods, you can override the request method by making a POST request and setting your method by using the X-HTTP-Method-Override request header.
curl-XPOST-H"X-HTTP-Method-Override: DELETE"\'https://[PROJECT_ID].firebaseio.com/users/jack/name/last.json'
You can also use the x-http-method-override query parameter.
curl-XPOST\'https://[PROJECT_ID].firebaseio.com/users/jack/name/last.json?x-http-method-override=DELETE'
Conditional Requests
Conditional requests, the REST equivalent of SDK transaction operations, update data according to a certain condition. See an overview of the workflow and learn more about conditional requests for REST in Saving Data.
Firebase ETag
The Firebase ETag is the unique identifier for the current data at a specified location. If the data changes at that location, the ETag changes, too. The Firebase ETag must be specified in the header for the initial REST request (typically a GET, but can be anything other than PATCH).
curl-i'https://[PROJECT_ID].firebaseio.com/posts/12345/upvotes.json'-H'X-Firebase-ETag: true'
if-match
The if-match condition specifies the ETag value for the data you want to update. If you use the condition, Realtime Database only completes requests where the ETag specified in the write request matches the ETag of the existing data in the database. Fetch the ETag at a location with a Firebase ETag request. If you want to overwrite any location that's null, use null_etag.
curl-iXPUT-d'11''https://[PROJECT_ID].firebaseio.com/posts/12345/upvotes.json'-H'if-match: [ETAG_VALUE]'
Expected responses
The following table provides an overview of the expected responses for each request type, based on the ETag match.
| Request Type | ‘X-Firebase-ETag: true' | ETag matches if_match: <matching etag> | ETag doesn't match if_match: <no matching etag> | |
|---|---|---|---|---|
| GET | Response Status/Content | 200: "<data_at_path>" | 400: "...not supported.." | 400: "...not supported.." |
| Added Headers | ETag: <ETag_of_data> | N/A | N/A | |
| PUT | Response Status/Content | 200: "<put_data>" | 200: "<put_data>" | 412: "...ETag mismatch.." |
| Added Headers | ETag: <ETag_of_put_data> | N/A | ETag: <database_ETag> | |
| POST | Response Status/Content | 200: "<post_data>" | 400: "...not supported.." | 400: "...not supported.." |
| Added Headers | ETag: <ETag_of_post_data> | N/A | N/A | |
| PATCH | Response Status/Content | 400: "...not supported.." | 400: "...not supported.." | 400: "...not supported.." |
| Added Headers | N/A | N/A | N/A | |
| DELETE | Response Status/Content | 200: null | 200: "<data_after_put>" | 412: "...ETag mismatch.." |
| Added Headers | ETag: <ETag_of_null> | N/A | ETag: <database_ETag> | |
Query Parameters
The Firebase Database REST API accepts the following query parameters and values:
access_token
Supported by all request types. Authenticates this request to allow access to data protected by Firebase Realtime Database Security Rules. See the REST authentication documentation for details.
curl'https://[PROJECT_ID].firebaseio/users/jack/name.json?access_token=CREDENTIAL'
shallow
This is an advanced feature, designed to help you work with large datasets without needing to download everything. Set this to true to limit the depth of the data returned at a location. If the data at the location is a JSON primitive (string, number or boolean), its value will simply be returned. If the data snapshot at the location is a JSON object, the values for each key will be truncated to true.
| Arguments | REST Methods | Description |
|---|---|---|
| shallow | GET | Limit the depth of the response. |
curl'https://[PROJECT_ID].firebaseio/.json?shallow=true'
Note that shallow cannot be mixed with any other query parameters.
Formats the data returned in the response from the server.
| Arguments | REST Methods | Description |
|---|---|---|
| pretty | GET, PUT, POST, PATCH, DELETE | View the data in a human-readable format. |
| silent | GET, PUT, POST, PATCH | Used to suppress the output from the server when writing data. The resulting response will be empty and indicated by a 204 No Content HTTP status code. |
curl'https://[PROJECT_ID].firebaseio.com/users/jack/name.json?print=pretty'
curl-XPUT-d'{ "first": "Jack", "last": "Sparrow" }'\'https://[PROJECT_ID].firebaseio.com/users/jack/name.json?print=silent'
callback
Supported by GET only. To make REST calls from a web browser across domains, you can use JSONP to wrap the response in a JavaScript callback function. Add callback= to have the REST API wrap the returned data in the callback function you specify.
<script>functiongotData(data){console.log(data);} </script> <scriptsrc="https://[PROJECT_ID].firebaseio.com/.json?callback=gotData"></script>
format
If set to export, the server will encode priorities in the response.
| Arguments | REST Methods | Description |
|---|---|---|
| export | GET | Include priority information in the response. |
curl'https://[PROJECT_ID].firebaseio.com/.json?format=export'
download
Supported by GET only. If you would like to trigger a file download of your data from a web browser, add download=. This causes the REST service to add the appropriate headers so that browsers know to save the data to a file.
curl'https://[PROJECT_ID].firebaseio/.json?download=myfilename.txt'
timeout
Use this to limit how long the read takes on the server side. If a read request doesn't finish within the allotted time, it terminates with an HTTP 400 error. This is particularly useful when you expect a small data transfer and don't want to wait too long to fetch a potentially huge subtree. Actual read time might vary based on data size and caching.
Specify timeouts using the following format: 3ms, 3s, or 3min, with a number and a unit. If not specified, the maximum timeout of 15min will be applied. If the timeout is not positive, or exceeds the maximum, the request will be rejected with an HTTP 400 error.
writeSizeLimit
To limit the size of a write, you can specify the writeSizeLimit query parameter as tiny (target=1s), small (target=10s), medium (target=30s), large (target=60s). Realtime Database estimates the size of each write request and aborts requests that will take longer than the target time.
If you specify unlimited, exceptionally large writes (with up to 256MB payload) are allowed, potentially blocking subsequent requests while the database processes the current operation. Writes cannot be canceled once they reach the server.
curl -X DELETE 'https://docs-examples.firebaseio.com/rest/delete-data.json?writeSizeLimit=medium'
You will see the following error message if the write is too big:
Error:WRITE_TOO_BIG:Datatowriteexceedsthemaximumsizethatcanbemodifiedwithasinglerequest.
Additionally, you can set the defaultWriteSizeLimit for the whole database instance using the Firebase CLI. This limit applies to all requests, including those from SDKs. New databases are created with defaultWriteSizeLimitset to large. You can't set defaultWriteSizeLimit to tiny using the Firebase CLI.
firebase database:settings:set defaultWriteSizeLimit large
orderBy
See the section in the guide on ordered data for more information.
limitToFirst, limitToLast, startAt, endAt, equalTo
See the section in the guide on filtering data for more information.
Streaming from the REST API
Firebase REST endpoints support the EventSource / Server-Sent Events protocol. To stream changes to a single location in your Realtime Database, you need to do a few things:
- Set the client's Accept header to
"text/event-stream" - Respect HTTP Redirects, in particular HTTP status code 307
- If the location requires permission to read, you must include the
authparameter
In return, the server will send named events as the state of the data at the requested URL changes. The structure of these messages conforms to the EventSource protocol.
event:eventnamedata:JSONencodeddatapayload
The server may send the following events:
put
The JSON-encoded data is an object with two keys: path and data. The path key points to a location relative to the request URL. The client should replace all of the data at that location in its cache with data.
patch
The JSON-encoded data is an object with two keys: path and data. The path key points to a location relative to the request URL. For each key in data, the client should replace the corresponding key in its cache with the data for that key in the message.
keep-alive
The data for this event is null. No action is required.
cancel
Some unexpected errors can send a `cancel` event and terminate the connection. The cause is described in the data provided for this event. Some potential causes are as follows: 1. The Firebase Realtime Database Security Rules no longer allow a read at the requested location. The `data` description for this cause is "Permission denied." 2. A write triggered an event streamer that sent a large JSON tree that exceeds our limit, 512MB. The `data` for this cause is "The specified payload is too large, please request a location with less data."
auth_revoked
The data for this event is a string indicating that a the credential has expired. This event is sent when the supplied auth parameter is no longer valid.
Here's an example set of events that the server may send:
// Set your entire cache to {"a": 1, "b": 2}event:putdata:{"path":"/","data":{"a":1,"b":2}}// Put the new data in your cache under the key 'c', so that the complete cache now looks like:// {"a": 1, "b": 2, "c": {"foo": true, "bar": false}}event:putdata:{"path":"/c","data":{"foo":true,"bar":false}}// For each key in the data, update (or add) the corresponding key in your cache at path /c,// for a final cache of: {"a": 1, "b": 2, "c": {"foo": 3, "bar": false, "baz": 4}}event:patchdata:{"path":"/c","data":{"foo":3,"baz":4}}
Priorities
Priority information for a location can be referenced with a "virtual child" named .priority. You can read priorities with GET requests and write them with PUT requests. For example, the following request retrieves the priority of the users/tom node:
curl'https://[PROJECT_ID].firebaseio/users/tom/.priority.json'
To write priority and data at the same time, you can add a .priority child to the JSON payload:
curl-XPUT-d'{"name": {"first": "Tom"}, ".priority": 1.0}'\'https://[PROJECT_ID].firebaseio/users/tom.json'
To write priority and a primitive value (e.g. a string) at the same time, you can add a .priority child and put the primitive value in a .value child:
curl-XPUT-d'{".value": "Tom", ".priority": 1.0}'\'https://[PROJECT_ID].firebaseio/users/tom/name/first.json'
This writes "Tom" with a priority of 1.0. Priorities can be included at any depth in the JSON payload.
Server Values
You can write server values at a location using a placeholder value which is an object with a single .sv key. The value for that key is the type of server value you wish to set. For example, the following request sets the node's value to the Firebase server's current timestamp:
curl-XPUT-d'{".sv": "timestamp"}'\'https://[PROJECT_ID].firebaseio/users/tom/startedAtTime.json'
You can also write priorities using server values, using the "virtual child" path noted above.
Supported server values include:
| Server Value | |
|---|---|
| timestamp | The time since UNIX epoch, in milliseconds. |
| increment | Provide an integer or floating point delta value, in the form { ".sv": {"increment": <delta_value> }}, with which to atomically increment the current database value. If the data does not yet exist, the update will set the data to the delta value. If either of the delta value or the existing data are floating point numbers, both values will be interpreted as floating point numbers and applied on the back-end as a double value. Double arithmetic and representation of double values follow IEEE 754 semantics. If there is positive/negative integer overflow, the sum is calculated as a double. |
Retrieving and Updating Firebase Realtime Database Security Rules
The REST API can also be used to retrieve and update the Firebase Realtime Database Security Rules for your Firebase project. You'll need your Firebase project's secret, which you can find under the Service Accounts panel of your Firebase project's setting.
curl'https://[PROJECT_ID].firebaseio/.settings/rules.json?auth=FIREBASE_SECRET'curl-XPUT-d'{ "rules": { ".read": true } }''https://[PROJECT_ID].firebaseio/.settings/rules.json?auth=FIREBASE_SECRET'
Authenticate requests
By default, REST requests are executed with no authentication and will only succeed if the Realtime Database Rules allow public read or write access to the data. To authenticate your request, use the access_token= or auth= query parameters.
Learn more about authentication through the REST API in Authenticate REST Requests.
Error Conditions
The Firebase Database REST API can return the following error codes.
| HTTP Status Codes | |
|---|---|
| 400 Bad Request | One of the following error conditions:
|
| 401 Unauthorized | One of the following error conditions:
|
| 404 Not Found | The specified Realtime Database was not found. |
| 500 Internal Server Error | The server returned an error. See the error message for further details. |
| 503 Service Unavailable | The specified Firebase Realtime Database is temporarily unavailable, which means the request was not attempted. |
| 412 Precondition Failed | The request's specified ETag value in the if-match header did not match the server's value. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-04-21 UTC.
