Auth/Network-Request-Failed Firebase | Causes And Fixes

Guide / By

Auth/Network-Request-Failed Firebase signals that the sign-in call could not reach the servers; fix by restoring connectivity and correcting app setup.

The error appears when a sign-in or credential refresh cannot complete a network round trip. It shows up during email-password sign-in, OAuth popup or redirect flows, and token refresh. The message looks generic, but the causes are specific: browser blocks, HTTPS issues, wrong allowed domains, clock drift, captive Wi-Fi, or a firewall that drops requests.

What The Error Means And When It Appears

Quick scope: The Firebase Auth Web SDK sends requests to Google endpoints to create sessions, exchange OAuth codes, and refresh tokens. When the browser fails to complete that trip, the SDK throws the auth/network-request-failed error. That includes timeouts, DNS failures, TLS problems, and cross-origin blocks. You will also see it when a popup or redirect flow is interrupted by blockers or when the page loses internet access during the handshake.

On slow links the failure can be transient; on locked-down networks it persists until the policy changes. Single Page Apps can raise it during a route change when requests get canceled. WebViews raise it more often, since cookie and popup settings are tighter.

Quick Checks That Clear Most Cases

  • Test A Plain Connection — Load a small https site in the same browser tab. If that stalls, you have a network problem, not an app problem.
  • Switch The Network — Move from office Wi-Fi to mobile data or a hotspot. Captive portals and filtered DNS often trigger this error.
  • Disable Blockers Temporarily — Turn off extensions that block popups, cookies, or trackers. Re-run the sign-in, then re-enable them.
  • Force HTTPS — Serve your app on https. Mixed content or http origins break tokens and secure cookies.

Auth/Network-Request-Failed Firebase: Causes In The Wild

Why it happens: The error clusters around a short list of root causes. Work through them in order. Each item explains what you will see and what to change.

Blocked Popups Or Third-Party Cookies

OAuth sign-in can run in a popup or a redirect. Popup blockers stop the window; strict cookie settings break the return trip. In Chrome, the message can follow a blank popup that closes instantly.

  • Allow The Popup — Trigger the popup inside a user click handler and keep it open until the promise resolves.
  • Relax Cookie Limits — For testing, allow cross-site cookies. In production, prefer redirect mode if your users block popups.
  • Use One Flow Per Click — Do not call signInWithPopup twice. Competing windows race and both fail.

HTTP Origin Or Mixed Content

Running on http during development or loading an http iframe from an https app causes TLS or cookie issues. Tokens are sent only over secure channels. Browsers also block many credentialed requests from an insecure origin.

  • Serve Local Dev Over HTTPS — Use localhost with a dev cert or the Vite/Next dev server with https enabled.
  • Remove Insecure Iframes — Do not embed http content on an https page that starts the sign-in flow.

Wrong Authorized Domains

Firebase Auth limits requests to the domains you list in the console. If your app runs on a new subdomain or a staging slot, the SDK call starts, then the backend rejects it, which can surface as a network failure on the client.

  • Add The Domain — In the console, add your host, including staging or preview hosts.
  • Keep One Canonical Host — Redirect alternate hosts to a single origin to avoid missing entries.

Corporate Firewall Or DNS Filter

Enterprises block some domains by default. Auth endpoints and OAuth providers may be on that list. The app works at home, fails at the office, and the message reads the same.

  • Ask For Allow-Lists — Your network team can allow the auth endpoints and your provider domains.

Configuration Checks In The Firebase Console And Code

Deeper fix: Once the quick checks pass, confirm the app and provider setup. Small mismatches can throw the same network error even when the line is healthy.

  • Match SDK And Config — Make sure the web app’s API key, project ID, and auth domain match the deployed project.
  • Enable Providers — Turn on Google, Apple, GitHub, or Email/Password in the console and complete the required fields.
  • Set Authorized Domains — Include local dev hosts, preview URLs, custom domains, and mobile deep-link hosts.
  • Use One Instance — Initialize the app once per page; multiple inits fight over listeners and popups.
  • Choose A Flow — Pick popup or redirect; do not mix them in the same user path.

HTTPS, App Check, And reCAPTCHA

Phone Auth and App Check add checks that magnify small setup mistakes. If App Check blocks the request or reCAPTCHA fails to render, the call never reaches the backend, and the SDK reports a network failure.

  • Verify App Check — If enabled, register the site key for each origin and watch the debug console during tests.
  • Render reCAPTCHA Properly — Place the container in the DOM before calling the verifier APIs.
  • Stay On HTTPS — Phone Auth and reCAPTCHA expect https even during development.

Token Persistence And Storage

When storage is blocked or full, the SDK thrashes between states and drops the redirect result. The visible symptom is the same network failure during the return trip.

  • Pick Persistence Explicitly — Set setPersistence(auth, browserLocalPersistence) or a safe fallback.
  • Handle The Redirect Result — On reload, call getRedirectResult before mounting routes that navigate away.

Network Request Failed In Firebase Auth Diagnostics

What to capture: You can confirm a network-level cause using tools in the browser and at the edge. Limit guesswork by recording concrete signals during one run of the failing flow.

  • Open DevTools Network — Watch requests to auth endpoints. A stalled request with 0 B transferred suggests DNS, TLS, or a block.
  • Check The Console — Note CORS, cookie, or popup messages. These usually pinpoint the misstep.
  • Collect HAR — Export a HAR for one failing run. You can share it with a network admin to show exactly where it stops.

Symptom To Cause Map

Symptom Likely Cause Fix
Blank popup closes fast Popup blocked or cookie denied Allow popup; use redirect
Works at home, fails at office Firewall or DNS filter Ask for allow-lists
Only http builds fail Insecure origin or mixed content Serve https everywhere
Stalls with 0 B transferred DNS or TLS handshake issue Change network; fix clock
Breaks in private mode Storage or cookie limits Use redirect; adjust persistence

Platform Notes: WebViews, React Native, And Mobile

Context: In embedded browsers and mobile runtimes, more rules apply. Many teams see the error only on these targets even when the desktop site is fine.

WebViews And Embedded Browsers

In-app browsers often block third-party cookies and popups by default. Some also strip the Referer header or freeze background tabs during the OAuth bounce.

  • Prefer System Browser — Kick the OAuth flow to the device browser and handle the return URL.
  • Use Redirect Mode — Popups in embedded views fail more often than full page redirects.

React Native And Expo

React Native apps use different libraries for OAuth and deep linking. A mismatch between the redirect URI you register and the scheme you handle in the app breaks the handshake and throws the same network failure.

  • Align Redirect URIs — Register the exact scheme and host you handle in the app.
  • Use Secure Storage — Store session data in a provider suited for the platform to avoid mid-flow loss.

Android And iOS

Custom tabs and SFSafariViewController respect system cookie settings and content blockers. Weak connectivity during the bounce produces the same error text you see on desktop.

  • Handle Deep Links — Test Universal Links and App Links on device, not only in simulators.

Troubleshooting Flow That Teams Can Reuse

One pass: Use a repeatable sequence so you fix the cause without masking symptoms. The sequence below works for most web apps and for hybrid shells that host web content.

  1. Reproduce Cleanly — Sign out, clear site data for your origin only, then run the flow once with DevTools open.
  2. Validate The Origin — Confirm https, correct host, and a matching entry in Authorized Domains.
  3. Choose The Flow — Pick popup or redirect and keep it consistent. Remove duplicate calls.
  4. Check Providers — Confirm the provider is enabled and the OAuth client IDs match the environment.
  5. Test Without Extensions — Use an incognito window with extensions off to detect blockers.
  6. Capture A HAR — Save a trace from the start click to the final callback.
  7. Try A Fresh Network — Hotspot the device or switch to a clean Wi-Fi to rule out filtering.

Keep a short runbook with the key steps and the table above. When the error returns, you can triage in minutes instead of hours. The fastest wins come from https, clean domains, a single flow, and clear browser storage rules. With that baseline in place, Auth/Network-Request-Failed Firebase turns into a rare edge case rather than a daily support ticket. This saves time during support and cuts repeat incidents.