
How I Built Secure Firebase Cloud Functions with Admin Permissions and Rate Limiting
If you're building an admin panel that talks to Firebase Cloud Functions, you need two things before anything else: permission checks and rate limiting. Without these, any authenticated user could call your admin endpoints, and a single bad actor could spam your functions into hitting billing limits. Here's how I set this up in a real admin panel, not a tutorial demo.

The problem

I was building an admin panel for a mobile app. The admin needed to send push notifications, search users, and moderate content. All of these were Cloud Functions callable from the client. The issue? Firebase callable functions don't have built-in admin role checks. Any authenticated user can call any callable function by default. That's terrifying.

Step 1: Store admin roles in Firestore

I keep a simple admins collection in Firestore:

    // Firestore structure
    // admins/{uid}
    {
      email: "admin@example.com",
      role: "super_admin",  // or "moderator", "viewer"
      permissions: ["send_notifications", "manage_u
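The two checks the post describes, a deny-by-default permission lookup against the admins/{uid} document and a per-caller rate limit, as an added example that is not the post's own code. The Firestore read is abstracted behind a `loadAdminDoc` callback and `HttpsError` is a stand-in for `functions.https.HttpsError`, so the logic runs offline; in a deployed callable you would pass a callback that reads `admins/{uid}` with the Admin SDK (an assumption about wiring, not shown on the page). The sample admin documents, uids and the `sendNotificationHandler` function are constructed for illustration.

```javascript
// Added example (not from the original post). Permission check and
// rate limit for a callable Cloud Function, runnable without Firebase.

// Minimal stand-in for functions.https.HttpsError so the block runs
// without the firebase-functions package installed (assumption).
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// Constructed sample of admins/{uid} documents in the shape the post shows.
const SAMPLE_ADMINS = {
  'uid-super': { email: 'admin@example.com', role: 'super_admin',
                 permissions: ['send_notifications', 'manage_users'] },
  'uid-viewer': { email: 'viewer@example.com', role: 'viewer',
                  permissions: [] },
};

// Mimics a Firestore DocumentSnapshot: an exists flag plus data().
// In production this would be: (uid) => db.doc(`admins/${uid}`).get()
async function loadAdminDocFromSample(uid) {
  const doc = SAMPLE_ADMINS[uid];
  return { exists: doc !== undefined, data: () => doc };
}

// Deny by default: the caller must be authenticated, must have an
// admins/{uid} document, and that document must list the permission.
async function requirePermission(context, permission, loadAdminDoc) {
  if (!context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign in required');
  }
  const snap = await loadAdminDoc(context.auth.uid);
  if (!snap.exists) {
    throw new HttpsError('permission-denied', 'Not an admin');
  }
  const perms = snap.data().permissions;
  if (!Array.isArray(perms) || !perms.includes(permission)) {
    throw new HttpsError('permission-denied', `Missing permission: ${permission}`);
  }
  return snap.data();
}

// Fixed-window counter keyed by uid. State lives in this function instance,
// so it only blunts bursts against one instance; a shared store such as a
// Firestore counter document is needed for an instance-independent limit.
function makeRateLimiter(maxCalls, windowMs, now = () => Date.now()) {
  const buckets = new Map();
  return function check(uid) {
    const t = now();
    let b = buckets.get(uid);
    if (!b || t - b.start >= windowMs) {
      b = { start: t, count: 0 };
      buckets.set(uid, b);
    }
    b.count += 1;
    if (b.count > maxCalls) {
      throw new HttpsError('resource-exhausted', 'Too many requests');
    }
    return maxCalls - b.count; // calls remaining in this window
  };
}

// Body of a hypothetical sendNotification callable. Order matters: reject
// anonymous callers before touching any state, rate-limit before the
// Firestore read so a flood cannot run up read costs, then check the
// permission. Returns an outcome object instead of calling FCM.
async function sendNotificationHandler(data, context, deps) {
  if (!context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign in required');
  }
  deps.rateLimit(context.auth.uid);
  const adminDoc = await requirePermission(context, 'send_notifications', deps.loadAdminDoc);
  return { ok: true, sentBy: adminDoc.email, title: data.title };
}
```

In a real function the handler body goes inside `functions.https.onCall(async (data, context) => ...)` with `deps` bound to the Admin SDK read and a limiter sized for your expected admin traffic; the error codes used here (`unauthenticated`, `permission-denied`, `resource-exhausted`) are the standard callable codes the client SDK surfaces to the caller.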
Continue reading on Dev.to