How does Firebase Authentication work with custom tokens?
Answer
Custom tokens allow integrating Firebase Authentication with external authentication systems (LDAP, legacy auth, custom SSO).

Flow:
(1) User authenticates with your existing auth system (server-side);
(2) Your server mints a Firebase custom token using the Firebase Admin SDK:
    const token = await admin.auth().createCustomToken(userId, { role: "admin", department: "engineering" });
(3) Return token to client;
(4) Client signs into Firebase:
    await signInWithCustomToken(auth, token)

The custom token is a short-lived JWT (valid for 1 hour). Once signed in, Firebase issues a standard Firebase ID token that the client can use to authenticate to Firestore and other Firebase services.

Custom claims ({ role: "admin" }) are embedded in the token and accessible in Firestore rules: request.auth.token.role == "admin".

This pattern bridges existing identity systems with Firebase without requiring users to create new accounts.