2025 UPDATE

1. Open the Cloud Functions page in the Google Cloud Console: https://console.cloud.google.com/functions/list.
2. Click the checkbox next to the function to which you want to grant access.
3. Click Permissions at the top of the screen. The Permissions panel opens.
4. Click Add principal.
5. In the New principals field, type allUsers.
6. Select the role Cloud Functions > Cloud Functions Invoker from the Select a role drop-down menu.
7. Click Save.

It must be solved at your GCP Console (not Firebase). Just follow these steps:

1. Go to your GCP Console and login
2. On the top menu, select the corresponding Firebase project
3. On the left menu go to Cloud Functions Click the checkbox of your function (not the name of the function)
4. Once selected, on the right menu select "Add member"
5. On "New member" type allUsers
6. On the Select function bar, select Cloud Functions -> Cloud functions invoker
7. Click on "Save" and then "Allow public access" on the pop-up warning And you're good to go!

I ran into this error when deploying several functions and there was an issue during the upload where it seems the deployment got corrupted .. perhaps network related, not sure

After deleting the offending cloud functions in the Firebase console, and then doing a fresh successful deploy for them, the "FirebaseFunctionsException UNAUTHENTICATED" error went away

First I tried to just redeploy the functions, but that was not enough, the error continued this way

From the documentation for 2nd gen Cloud Functions:

1. Go to the Google Cloud console
2. Click the linked name of the function to which you want to grant access.
3. Click the Powered By Cloud Run link in the top right corner of the Function details overview page.
4. Click Trigger and select Allow unauthenticated invocations.
5. Click Save.

Took me forever to find this after trying to add allUsers and getting "Principals of type allUsers and allAuthenticatedUsers cannot be added to this resource".

If you are using Cloud Functions Gen2, which is built on top of Cloud Run, you must assign the invoker role (roles/run.invoker)

1. Goto Cloud run,
2. Check the box next to your function,
3. Click the button "PERMISSION",
4. In the side bar, click on "ADD PRINCIPAL"
5. write "allUsers" and give them "cloud run invoker" permission.

Note: If you want to achieve the equivalent of assigning the Cloud Functions 'admin' or 'developer' role to a 1st gen function, you need to assign Cloud Functions 'admin' or 'developer' to the 2nd gen function and assign 'Cloud Run invoker' to the Cloud Run service. $ gcloud functions add-invoker-policy-binding api \ --region="asia-southeast1" \ --member="MEMBER_NAME" 

Not sure if this did the trick but it seemed to work. I had the allUsers permission set in Google Cloud Console for my function with the Role "Cloud Functions Invoker" set by default, but it was not working - UNAUTHENTICATED error.

I commented out my new function locally, deployed again, was asked if I want to delete it from the CLI - Said yes..

Then uncommented the function and deployed again. (I tried deleting from Firebase too but that didnt work.)

I then went back to Google Cloud Console (Function Details -> Permissions) and edited the allUsers permission and added an additional Role ("Cloud Functions Admin"). As below..

Tested and it worked.

Then I deleted the "Cloud Functions Admin" Role (for safety) and just left the "Cloud Functions Invoker" Role. Now it works. Dont know why this happened, hopefully doesnt happen again...

I faced the same issue, i fixed it by adding this in my index.js file

const admin = require("firebase-admin"); admin.initializeApp(); 

also in the function in the frontend, i made sure to check firebase is initailized

I was also struggling with that same error message [firebase_functions/unauthenticated] >UNAUTHENTICATED. In my case, there was a policy at the organization level that required all calls to Cloud Run functions to be authenticated by IAM and for users to belong to the organization, so I could not add the allUsers principal to the function. Instead, I had to turn off the IAM authentication for the function, which can be done by selecting the function and in the security tab, uncheck "Use IAM to authenticate incoming requests.

Note that during deployment of the function, you may still get an error message that the IAM could not be changed to public, this is fine, the function is deployed, you just need to apply that change afterwards.

Official Google documentation and thanks to Tom Elliott for pointing me towards the solution.

Uncheck IAM Authentication in the Security tab of the function

This was a very frustrating and mysterious issue. This manifested as a CORS issue that broke things that were once working. They broke after a force deployment and it took me a long time to figure out what the problem was. In my case, the cloud functions index.ts file MUST call

import { initializeApp } from "firebase-admin/app"; // Initialize Firebase Admin SDK FIRST initializeApp(); 

BEFORE exporting the cloud functions.

If you export the cloud functions before calling initializeApp(), they deploy just fine but subtly behind the scenes the cloud functions get deployed with wonky permissions. Specifically they're set to "require authentication" rather than "allow unauthenticated" as they're supposed to.

I just found this can also happen if you have an org policy blocking the ability to add "allUsers" to an IAM permission. In my case it was the org policy iam.managed.allowedPolicyMembers

Basically the issue here is that it deploys the functions, tries and fails to set permissions on those functions (for whatever reason you happen to hit) but it leaves those functions deployed. Then, the next time you go to deploy, it sees the functions there and deployed and decides to report "success" on subsequent deployments, even if the IAM permissions never get set correctly.

It can drive you crazy because it appears like an intermittent deploy failure, combined with the fact that newly deployed functions are failing and old functions with the exact same config are working inexplicably. It turns out some IAM policy changed at some point in time so things deployed before then worked and after then are silently not working.

Mine solved by:
Old:

const { onCall, HttpsError } = require('firebase-functions/v2/https'); exports.testAuth = onCall(async (data, context) => { console.log('Context.auth:', context.auth); // ❌ undefined if (!context.auth) { throw new HttpsError('unauthenticated', 'User must be logged in'); } return { uid: context.auth.uid }; }); 

Working new one:

const { onCall } = require('firebase-functions/v2/https'); exports.testAuth = onCall(async (request) => { // 👈 Single parameter! const uid = request.auth.uid; // ✅ Auth is in request.auth const data = request.data; // ✅ Data is in request.data }); 

The permissions changing to allUsers all that above answers didn't worked for me because in latest v all that were already configured as said above. Write your functions with debug logs. I was able to solve by using GCP function logs into Claude AI, that helped me!

Hope u solve yours too!!

For my issue, it was a mistake in my local development setup, so I’m posting it here in case someone else faces the same problem.

In my case, the functions were deployed correctly (Cloud Functions v2) and had the proper permissions in the Google Console.

However, I made two mistakes:

1. In my app, I was calling the function using the URL instead of the function name.
   This caused different URLs between dev and prod. I recommend using the function name for callable functions instead of hardcoding URLs.

2. In my Cloud Function, I wasn’t using the default credentials in production — I was mistakenly using my local dev credentials.

To fix it, just let the runtime handle authentication automatically. For example:

logger.info("Running in production environment - using default credentials") # Use default credentials (automatically provided by Cloud Functions runtime) return initialize_app()