php - Verify a Firebase ID-token vs. fetching user data


Solution:

A REST request to the identitytoolkit API should be sufficient.

The SDK provides a lot of methods that you can utilize for managing user data, such as updating the name, managing database access, etc. If your app does not need to do any of it, your code should work just fine with REST calls.

Moreover, the SDK's simple method of verifying tokens does not check for revoked tokens, as that requires a call to the Firebase backend. In the case of a REST call, though, it would be verified.

And finally, as your app makes the call only once (and maintains a session thereafter), the overhead shouldn't be much.

Source
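The REST approach the answer describes, sketched as an added example (not code from the original post or from the Firebase SDK): the server posts the ID token to the Identity Toolkit `accounts:lookup` method and accepts the login only when exactly one enabled user comes back. The function names, the API key parameter and the sample responses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Identity Toolkit "accounts:lookup" REST method.
const LOOKUP_URL = 'https://identitytoolkit.googleapis.com/v1/accounts:lookup';

/** POST the ID token to accounts:lookup; returns [httpStatus, rawBody]. */
function lookupIdToken(string $apiKey, string $idToken): array
{
    $ch = curl_init(LOOKUP_URL . '?key=' . rawurlencode($apiKey));
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_POSTFIELDS     => json_encode(['idToken' => $idToken]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false) {
        throw new RuntimeException('Identity Toolkit request failed');
    }
    return [$status, $body];
}

/** Fail closed: a user record is returned only for HTTP 200 with one enabled user. */
function userFromLookup(int $status, string $body): ?array
{
    $data = json_decode($body, true);
    if ($status !== 200 || !is_array($data) || isset($data['error'])) {
        return null; // rejected token, malformed body, or API error
    }
    $users = $data['users'] ?? [];
    if (!is_array($users) || count($users) !== 1 || !empty($users[0]['disabled'])) {
        return null; // no user, ambiguous result, or disabled account
    }
    return isset($users[0]['localId']) ? $users[0] : null;
}

// Constructed sample responses (not captured from a real project), so the
// decision logic can be exercised without a network call.
$ok  = '{"users":[{"localId":"uid-123","email":"a@example.com","disabled":false}]}';
$bad = '{"error":{"code":400,"message":"INVALID_ID_TOKEN"}}';
var_dump(userFromLookup(200, $ok)['localId'] ?? null);
var_dump(userFromLookup(400, $bad));
```

In the login handler, pass the result of `lookupIdToken()` to `userFromLookup()` and start the server-side session only when it returns a record, keyed on `localId` rather than on anything the client sent alongside the token.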