I have a PHP backend and an Android client. With the client the users can log into my app using either Google or Facebook, both via Firebase. I get the token from the
Okay, so I dug into the source of the Firebase Server SDK and found the location of the public keys: https://email@example.com
Don't really know why they just couldn't put it on their website...
Anyways, I'm not sure, but I guess that these keys change on a daily basis (just like the OAuth2 keys do), so you must check and re-cache them on your server every now and then.
Also, you have to check the following values:
alg == "RS256"
Found these at this similar question (just scroll to the bottom of the answer), which was found by searching for that specific googleapis.com URL.
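The two points from the answer above (re-cache the public keys periodically, and require `alg == "RS256"`), as an added PHP example that is not part of the original post or of the Firebase SDK. The `KeyCache` class, `verify_rs256` function, the `kid` lookup and the key-fetch callback are assumptions for illustration; a throwaway RSA key generated inline stands in for the published keys, so nothing is downloaded.

```php
<?php
// Added example with constructed keys and tokens; runs offline (needs ext-openssl).
function b64url_decode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true) ?: '';
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
// Hypothetical cache. $fetch returns ['keys' => [kid => PEM], 'ttl' => seconds].
final class KeyCache {
    private array $keys = [];
    private int $expires = 0;
    public function __construct(private Closure $fetch) {}
    public function get(string $kid, int $now): ?string {
        if ($now >= $this->expires) {          // stale: re-download the key set
            $r = ($this->fetch)();
            $this->keys = $r['keys'];
            $this->expires = $now + $r['ttl'];
        }
        return $this->keys[$kid] ?? null;      // unknown key id: no key, no trust
    }
}
function verify_rs256(string $jwt, KeyCache $cache, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm before any key lookup: "none", HS256 etc. are refused.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') return null;
    $pem = is_string($header['kid'] ?? null) ? $cache->get($header['kid'], $now) : null;
    if ($pem === null) return null;
    $ok = openssl_verify("$h.$p", b64url_decode($s), $pem, OPENSSL_ALGO_SHA256);
    $claims = json_decode(b64url_decode($p), true);
    return ($ok === 1 && is_array($claims)) ? $claims : null;
}
// Constructed demo data: one key pair, one RS256 token, one token claiming HS256.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($priv)['key'];
$cache = new KeyCache(fn() => ['keys' => ['demo-kid' => $pub], 'ttl' => 3600]);
$mk = function (array $hdr, array $claims) use ($priv): string {
    $in = b64url_encode(json_encode($hdr)) . '.' . b64url_encode(json_encode($claims));
    openssl_sign($in, $sig, $priv, OPENSSL_ALGO_SHA256);
    return $in . '.' . b64url_encode($sig);
};
$good = $mk(['alg' => 'RS256', 'kid' => 'demo-kid'], ['sub' => 'constructed-user']);
$bad  = $mk(['alg' => 'HS256', 'kid' => 'demo-kid'], ['sub' => 'constructed-user']);
var_dump(verify_rs256($good, $cache, time()) !== null); // signature and alg both checked
var_dump(verify_rs256($bad, $cache, time()) !== null);  // rejected on the alg check alone
```

The returned claims still need their own validation (expiry, audience, issuer) before the token is trusted; this example covers only the key caching and the algorithm check.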