firebase
diff --git a/‎common/api-review/auth.api.md‎
Lines changed: 12 additions & 9 deletions b/‎common/api-review/auth.api.md‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎docs-devsite/_toc.yaml‎
Lines changed: 4 additions & 2 deletions b/‎docs-devsite/_toc.yaml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎docs-devsite/auth.auth.md‎
Lines changed: 39 additions & 13 deletions b/‎docs-devsite/auth.auth.md‎
Lines changed: 39 additions & 13 deletions
diff --git a/‎docs-devsite/auth.firebasetoken.md‎
Lines changed: 0 additions & 40 deletions b/‎docs-devsite/auth.firebasetoken.md‎
Lines changed: 0 additions & 40 deletions
diff --git a/‎docs-devsite/auth.md‎
Lines changed: 2 additions & 1 deletion b/‎docs-devsite/auth.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs-devsite/auth.refreshidptokenresult.md‎
Lines changed: 48 additions & 0 deletions b/‎docs-devsite/auth.refreshidptokenresult.md‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎docs-devsite/auth.tokenrefreshhandler.md‎
Lines changed: 43 additions & 0 deletions b/‎docs-devsite/auth.tokenrefreshhandler.md‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎packages/auth/demo/src/index.js‎
Lines changed: 5 additions & 4 deletions b/‎packages/auth/demo/src/index.js‎
Lines changed: 5 additions & 4 deletions
@@ -88,13 +88,13 @@ export interface Auth {
     readonly config: Config;
     readonly currentUser: User | null;
     readonly emulatorConfig: EmulatorConfig | null;
-    readonly firebaseToken: FirebaseToken | null;
     languageCode: string | null;
     readonly name: string;
     onAuthStateChanged(nextOrObserver: NextOrObserver<User | null>, error?: ErrorFn, completed?: CompleteFn): Unsubscribe;
     onIdTokenChanged(nextOrObserver: NextOrObserver<User | null>, error?: ErrorFn, completed?: CompleteFn): Unsubscribe;
     setPersistence(persistence: Persistence): Promise<void>;
     readonly settings: AuthSettings;
+    setTokenRefreshHandler(tokenRefreshHandler: TokenRefreshHandler): void;
     signOut(): Promise<void>;
     readonly tenantConfig?: TenantConfig;
     tenantId: string | null;
@@ -389,14 +389,6 @@ export const FactorId: {
 // @public
 export function fetchSignInMethodsForEmail(auth: Auth, email: string): Promise<string[]>;
 
-// @public (undocumented)
-export interface FirebaseToken {
-    // (undocumented)
-    readonly expirationTime: number;
-    // (undocumented)
-    readonly token: string;
-}
-
 // @public
 export function getAdditionalUserInfo(userCredential: UserCredential): AdditionalUserInfo | null;
 
@@ -743,6 +735,12 @@ export class RecaptchaVerifier implements ApplicationVerifierInternal {
     verify(): Promise<string>;
     }
 
+// @public
+export interface RefreshIdpTokenResult {
+    idpConfigId: string;
+    idToken: string;
+}
+
 // @public
 export function reload(user: User): Promise<void>;
 
@@ -815,6 +813,11 @@ export interface TenantConfig {
     tenantId: string;
 }
 
+// @public
+export interface TokenRefreshHandler {
+    refreshIdpToken(): Promise<RefreshIdpTokenResult>;
+}
+
 // @public
 export interface TotpMultiFactorAssertion extends MultiFactorAssertion {
 }
 
@@ -310,8 +310,6 @@ toc:
     path: /docs/reference/js/auth.emulatorconfig.md
   - title: FacebookAuthProvider
     path: /docs/reference/js/auth.facebookauthprovider.md
-  - title: FirebaseToken
-    path: /docs/reference/js/auth.firebasetoken.md
   - title: GithubAuthProvider
     path: /docs/reference/js/auth.githubauthprovider.md
   - title: GoogleAuthProvider
@@ -368,10 +366,14 @@ toc:
     path: /docs/reference/js/auth.recaptchaparameters.md
   - title: RecaptchaVerifier
     path: /docs/reference/js/auth.recaptchaverifier.md
+  - title: RefreshIdpTokenResult
+    path: /docs/reference/js/auth.refreshidptokenresult.md
   - title: SAMLAuthProvider
     path: /docs/reference/js/auth.samlauthprovider.md
   - title: TenantConfig
     path: /docs/reference/js/auth.tenantconfig.md
+  - title: TokenRefreshHandler
+    path: /docs/reference/js/auth.tokenrefreshhandler.md
   - title: TotpMultiFactorAssertion
     path: /docs/reference/js/auth.totpmultifactorassertion.md
   - title: TotpMultiFactorGenerator
 
@@ -28,7 +28,6 @@ export interface Auth
 |  [config](./auth.auth.md#authconfig) | [Config](./auth.config.md#config_interface) | The [Config](./auth.config.md#config_interface) used to initialize this instance. |
 |  [currentUser](./auth.auth.md#authcurrentuser) | [User](./auth.user.md#user_interface) \| null | The currently signed-in user (or null). |
 |  [emulatorConfig](./auth.auth.md#authemulatorconfig) | [EmulatorConfig](./auth.emulatorconfig.md#emulatorconfig_interface) \| null | The current emulator configuration (or null). |
-|  [firebaseToken](./auth.auth.md#authfirebasetoken) | [FirebaseToken](./auth.firebasetoken.md#firebasetoken_interface) \| null | The token response initialized via [exchangeToken()](./auth.md#exchangetoken_b6b1871) endpoint. |
 |  [languageCode](./auth.auth.md#authlanguagecode) | string \| null | The [Auth](./auth.auth.md#auth_interface) instance's language code. |
 |  [name](./auth.auth.md#authname) | string | The name of the app associated with the <code>Auth</code> service instance. |
 |  [settings](./auth.auth.md#authsettings) | [AuthSettings](./auth.authsettings.md#authsettings_interface) | The [Auth](./auth.auth.md#auth_interface) instance's settings. |
@@ -44,6 +43,7 @@ export interface Auth
 |  [onAuthStateChanged(nextOrObserver, error, completed)](./auth.auth.md#authonauthstatechanged) | Adds an observer for changes to the user's sign-in state. |
 |  [onIdTokenChanged(nextOrObserver, error, completed)](./auth.auth.md#authonidtokenchanged) | Adds an observer for changes to the signed-in user's ID token. |
 |  [setPersistence(persistence)](./auth.auth.md#authsetpersistence) | Changes the type of persistence on the <code>Auth</code> instance. |
+|  [setTokenRefreshHandler(tokenRefreshHandler)](./auth.auth.md#authsettokenrefreshhandler) | Registers a handler for refreshing third-party identity provider (IDP) tokens.<!-- -->When the Firebase access token is expired, the SDK will automatically invoke the provided handler's <code>refreshIdpToken()</code> method to obtain a new IDP token. This new token will then be exchanged for a fresh Firebase token, streamlining the authentication process. |
 |  [signOut()](./auth.auth.md#authsignout) | Signs out the current user. This does not automatically revoke the user's ID token. |
 |  [updateCurrentUser(user)](./auth.auth.md#authupdatecurrentuser) | Asynchronously sets the provided user as [Auth.currentUser](./auth.auth.md#authcurrentuser) on the [Auth](./auth.auth.md#auth_interface) instance. |
 |  [useDeviceLanguage()](./auth.auth.md#authusedevicelanguage) | Sets the current language to the default device/browser preference. |
@@ -88,18 +88,6 @@ The current emulator configuration (or null).
 readonly emulatorConfig: EmulatorConfig | null;
 ```
 
-## Auth.firebaseToken
-
-The token response initialized via [exchangeToken()](./auth.md#exchangetoken_b6b1871) endpoint.
-
-This field is only supported for [Auth](./auth.auth.md#auth_interface) instance that have defined [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface)<!-- -->.
-
-<b>Signature:</b>
-
-```typescript
-readonly firebaseToken: FirebaseToken | null;
-```
-
 ## Auth.languageCode
 
 The [Auth](./auth.auth.md#auth_interface) instance's language code.
@@ -285,6 +273,44 @@ auth.setPersistence(browserSessionPersistence);
 
 ```
 
+## Auth.setTokenRefreshHandler()
+
+Registers a handler for refreshing third-party identity provider (IDP) tokens.
+
+When the Firebase access token is expired, the SDK will automatically invoke the provided handler's `refreshIdpToken()` method to obtain a new IDP token. This new token will then be exchanged for a fresh Firebase token, streamlining the authentication process.
+
+<b>Signature:</b>
+
+```typescript
+setTokenRefreshHandler(tokenRefreshHandler: TokenRefreshHandler): void;
+```
+
+#### Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  tokenRefreshHandler | [TokenRefreshHandler](./auth.tokenrefreshhandler.md#tokenrefreshhandler_interface) | An object that implements the <code>TokenRefreshHandler</code> interface, providing the logic to refresh the IDP token. |
+
+<b>Returns:</b>
+
+void
+
+### Example
+
+
+```javascript
+class TokenRefreshHandlerImpl {
+  refreshIdpToken() {
+    // Logic to fetch a new token from your custom IDP.
+    // Returns a Promise that resolves with a RefreshIdpTokenResult.
+  }
+}
+
+const tokenRefreshHandler = new TokenRefreshHandlerImpl();
+auth.setTokenRefreshHandler(tokenRefreshHandler);
+
+```
+
 ## Auth.signOut()
 
 Signs out the current user. This does not automatically revoke the user's ID token.
 
@@ -118,7 +118,6 @@ Firebase Authentication
 |  [ConfirmationResult](./auth.confirmationresult.md#confirmationresult_interface) | A result from a phone number sign-in, link, or reauthenticate call. |
 |  [Dependencies](./auth.dependencies.md#dependencies_interface) | The dependencies that can be used to initialize an [Auth](./auth.auth.md#auth_interface) instance. |
 |  [EmulatorConfig](./auth.emulatorconfig.md#emulatorconfig_interface) | Configuration of Firebase Authentication Emulator. |
-|  [FirebaseToken](./auth.firebasetoken.md#firebasetoken_interface) |  |
 |  [IdTokenResult](./auth.idtokenresult.md#idtokenresult_interface) | Interface representing ID token result obtained from [User.getIdTokenResult()](./auth.user.md#usergetidtokenresult)<!-- -->. |
 |  [MultiFactorAssertion](./auth.multifactorassertion.md#multifactorassertion_interface) | The base class for asserting ownership of a second factor. |
 |  [MultiFactorError](./auth.multifactorerror.md#multifactorerror_interface) | The error thrown when the user needs to provide a second factor to sign in successfully. |
@@ -139,7 +138,9 @@ Firebase Authentication
 |  [PopupRedirectResolver](./auth.popupredirectresolver.md#popupredirectresolver_interface) | A resolver used for handling DOM specific operations like [signInWithPopup()](./auth.md#signinwithpopup_770f816) or [signInWithRedirect()](./auth.md#signinwithredirect_770f816)<!-- -->. |
 |  [ReactNativeAsyncStorage](./auth.reactnativeasyncstorage.md#reactnativeasyncstorage_interface) | Interface for a supplied <code>AsyncStorage</code>. |
 |  [RecaptchaParameters](./auth.recaptchaparameters.md#recaptchaparameters_interface) | Interface representing reCAPTCHA parameters.<!-- -->See the [reCAPTCHA docs](https://developers.google.com/recaptcha/docs/display#render_param) for the list of accepted parameters. All parameters are accepted except for <code>sitekey</code>: Firebase Auth provisions a reCAPTCHA for each project and will configure the site key upon rendering.<!-- -->For an invisible reCAPTCHA, set the <code>size</code> key to <code>invisible</code>. |
+|  [RefreshIdpTokenResult](./auth.refreshidptokenresult.md#refreshidptokenresult_interface) | The result of a third-party IDP token refresh operation.<!-- -->This object contains the new IDP token and the Idp Config ID of the provider that issued it. |
 |  [TenantConfig](./auth.tenantconfig.md#tenantconfig_interface) | The tenant config that can be used to initialize a Regional [Auth](./auth.auth.md#auth_interface) instance. |
+|  [TokenRefreshHandler](./auth.tokenrefreshhandler.md#tokenrefreshhandler_interface) | An interface for handling the refresh of Firebase tokens. |
 |  [TotpMultiFactorAssertion](./auth.totpmultifactorassertion.md#totpmultifactorassertion_interface) | The class for asserting ownership of a TOTP second factor. Provided by [TotpMultiFactorGenerator.assertionForEnrollment()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforenrollment) and [TotpMultiFactorGenerator.assertionForSignIn()](./auth.totpmultifactorgenerator.md#totpmultifactorgeneratorassertionforsignin)<!-- -->. |
 |  [TotpMultiFactorInfo](./auth.totpmultifactorinfo.md#totpmultifactorinfo_interface) | The subclass of the [MultiFactorInfo](./auth.multifactorinfo.md#multifactorinfo_interface) interface for TOTP second factors. The <code>factorId</code> of this second factor is [FactorId](./auth.md#factorid)<!-- -->.TOTP. |
 |  [User](./auth.user.md#user_interface) | A user account. |
 
@@ -0,0 +1,48 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# RefreshIdpTokenResult interface
+The result of a third-party IDP token refresh operation.
+
+This object contains the new IDP token and the Idp Config ID of the provider that issued it.
+
+<b>Signature:</b>
+
+```typescript
+export interface RefreshIdpTokenResult 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [idpConfigId](./auth.refreshidptokenresult.md#refreshidptokenresultidpconfigid) | string | The configuration ID of the third-party identity provider. |
+|  [idToken](./auth.refreshidptokenresult.md#refreshidptokenresultidtoken) | string | The new Id Token from the 3rd party Identity Provider. |
+
+## RefreshIdpTokenResult.idpConfigId
+
+The configuration ID of the third-party identity provider.
+
+<b>Signature:</b>
+
+```typescript
+idpConfigId: string;
+```
+
+## RefreshIdpTokenResult.idToken
+
+The new Id Token from the 3rd party Identity Provider.
+
+<b>Signature:</b>
+
+```typescript
+idToken: string;
+```
@@ -0,0 +1,43 @@
+Project: /docs/reference/js/_project.yaml
+Book: /docs/reference/_book.yaml
+page_type: reference
+
+{% comment %}
+DO NOT EDIT THIS FILE!
+This is generated by the JS SDK team, and any local changes will be
+overwritten. Changes should be made in the source code at
+https://github.com/firebase/firebase-js-sdk
+{% endcomment %}
+
+# TokenRefreshHandler interface
+An interface for handling the refresh of Firebase tokens.
+
+<b>Signature:</b>
+
+```typescript
+export interface TokenRefreshHandler 
+```
+
+## Methods
+
+|  Method | Description |
+|  --- | --- |
+|  [refreshIdpToken()](./auth.tokenrefreshhandler.md#tokenrefreshhandlerrefreshidptoken) | Refreshes the third-party IDP token.<!-- -->This method should contain the logic to obtain a new, valid IDP token from your identity provider. |
+
+## TokenRefreshHandler.refreshIdpToken()
+
+Refreshes the third-party IDP token.
+
+This method should contain the logic to obtain a new, valid IDP token from your identity provider.
+
+<b>Signature:</b>
+
+```typescript
+refreshIdpToken(): Promise<RefreshIdpTokenResult>;
+```
+<b>Returns:</b>
+
+Promise&lt;[RefreshIdpTokenResult](./auth.refreshidptokenresult.md#refreshidptokenresult_interface)<!-- -->&gt;
+
+A promise that resolves with a `RefreshIdpTokenResult` object containing the new IDP token and its corresponding Idp Config ID.
+
@@ -2094,15 +2094,16 @@ function initApp() {
   });
 
   const firebaseTokenStatus = document.getElementById('firebase-token-status');
-  setTimeout(() => {
-    if (regionalAuth.firebaseToken) {
+  setTimeout(async () => {
+    const firebaseToken = await regionalAuth.getFirebaseAccessToken();
+    if (firebaseToken) {
       firebaseTokenStatus.textContent =
-        '✅ Firebase token is set: ' + regionalAuth.firebaseToken.token;
+        '✅ Firebase token is set: ' + firebaseToken;
     } else {
       firebaseTokenStatus.textContent =
         'No CIAM token found. User not logged in.';
     }
-    console.log('firebaseToken after delay: ', regionalAuth.firebaseToken);
+    console.log('firebaseToken after delay: ', firebaseToken);
   }, 1000);
 
   tempApp = initializeApp(