Skip to content

Firebase Deployment

This guide covers deploying PSI to Firebase (Hosting + Cloud Functions). This is the primary deployment mode.

Prerequisites

  • Node.js 22+
  • pnpm 10+
  • Firebase CLI (npm install -g firebase-tools)
  • A Google account with Firebase access

Setup Steps

1. Create a Firebase Project

  1. Go to the Firebase Console
  2. Click Create a Project
  3. Enter a project name, press Continue
  4. Decline Google Analytics, press Create Project
  5. Connect the project to your local checkout: 
    firebase use --add
# Enter your project ID, alias: production

2. Enable Billing

Firebase Cloud Functions require the Blaze (pay-as-you-go) plan:

  1. Click the Spark icon next to your project name
  2. Follow the prompts to set up the Blaze plan

3. Set Up Authentication

  1. In the Firebase Console, navigate to Build > Authentication > Get Started
  2. Enable Google sign-in
  3. Enter the product name for the Google Sign-In UI
  4. Click Save

4. Enable SSO Permissions

To support SSO with custom login tokens:

  1. Enable the IAM Service Account Credentials API for your project
  2. In the IAM page, give the App Engine default service account the Service Account Token Creator role
  3. Run: 
    gcloud auth login
gcloud config set project YOUR_PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding \
  YOUR_PROJECT_ID@appspot.gserviceaccount.com \
  --member="serviceAccount:YOUR_PROJECT_ID@appspot.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"

5. Initialize the Database

firebase init database
# Choose region (e.g. europe-west1)
# Decline overwriting database.rules.json

6. Configure the Server

Create server/.env.production with required variables. See Configuration reference for all options.

Key variables:

Variable Required Description
AUTH_SECRET Yes Secret key for auth encryption
DATABASE_URL Yes Firebase RTDB URL
HOSTING_DOMAIN Yes Public domain (e.g. https://your-project.web.app)
OPENAI_KEY Recommended For AI moderation
PERSPECTIVE_API_KEY Recommended For toxicity scoring

7. Configure the Client

Add your deployment to client/psi.config.ts:

export const deploymentConfigMap = {
    // ... existing entries
    "your-alias": {
        firebaseConfig: {
            apiKey: "...",
            authDomain: "your-project.firebaseapp.com",
            databaseURL: "https://your-project-default-rtdb.europe-west1.firebasedatabase.app",
            projectId: "your-project",
            storageBucket: "your-project.appspot.com",
            messagingSenderId: "...",
            appId: "..."
        },
        host: "your-project.web.app",
        siloConfig: { /* per-silo settings */ },
        allowedSilos: ["your-silo"]
    },
};

8. Build and Deploy

# Build client and server
(cd client && pnpm run webbuild)
(cd server && pnpm run build)

# Deploy
firebase use your-alias
firebase deploy --project your-alias

Tip

For client-only changes, use firebase deploy --only hosting for faster deploys.

9. Set Up Admin Rights

In the Firebase Console > Realtime Database, add:

{
    "silo": {
        "your-silo": {
            "module": {
                "admin": {
                    "userRoles": {
                        "you@yourdomain%dorg": ["Owner"]
                    }
                }
            }
        }
    }
}

Note

Replace . with %d in email addresses (Firebase key requirement). Once you're admin, you can grant access to others via the admin UI.

CI/CD Deployment

For automated deployments, create a service account with these roles:

  • Cloud Functions Developer
  • Cloud RuntimeConfig Admin
  • Firebase Hosting Admin
  • Firebase Realtime Database Admin
  • Service Account User

See CI/CD Pipeline for GitHub Actions workflows.

Further Reading