verifyGalleryPassword

Public (no auth) callable

Server-side check for a private-gallery password. No Firebase Auth required.

METHOD POST
PATH /verifyGalleryPassword
AUTH Public (no auth)

Backs the password gate on private galleries. The cleartext password is never stored on a publicly readable document; only a scrypt hash lives in events/{eventId}/private/gate (admin-read only). New writes use scrypt (a memory-hard KDF, ~10ms per attempt). Legacy SHA-256 hashes and pre-fix cleartext passwords are migrated to scrypt on the first successful verify. If the event has galleryPasswordEnabled=false, the function short-circuits and returns ok=true.
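
The verify-then-migrate behaviour described above, sketched as an added example (not Fotowall's own code). The `scheme`/`salt`/`hash` record shape, the unsalted hex SHA-256 legacy format, the scrypt parameters and the function names are all assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed scrypt cost parameters and key length; the page does not state them.
const SCRYPT = { N: 16384, r: 8, p: 1 };
const KEYLEN = 32;

// Assumed legacy format: unsalted SHA-256 of the UTF-8 password.
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// timingSafeEqual throws on unequal lengths, so check the length first.
function safeEqual(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Build a fresh salted scrypt record (hypothetical shape of the gate doc).
function scryptRecord(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEYLEN, SCRYPT);
  return { scheme: 'scrypt', salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Returns { ok, migrated, gate }; `gate` is the record the caller should persist.
function verifyAndMigrate(gate, attempt) {
  let ok = false;
  if (gate.scheme === 'scrypt') {
    const salt = Buffer.from(gate.salt, 'hex');
    const derived = crypto.scryptSync(attempt, salt, KEYLEN, SCRYPT);
    ok = safeEqual(derived, Buffer.from(gate.hash, 'hex'));
  } else if (gate.scheme === 'sha256') {
    ok = safeEqual(sha256(attempt), Buffer.from(gate.hash, 'hex'));
  } else if (gate.scheme === 'cleartext') {
    // Hash both sides so the comparison is fixed-length and constant-time.
    ok = safeEqual(sha256(attempt), sha256(gate.password));
  }
  // Upgrade only after a successful verify: that is the only moment the
  // server holds the correct cleartext needed to derive the scrypt hash.
  const migrated = ok && gate.scheme !== 'scrypt';
  return { ok, migrated, gate: migrated ? scryptRecord(attempt) : gate };
}
```

A failed attempt leaves the stored record untouched, and the upgraded record no longer carries a `password` field or a fast hash.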

AUTH NOTE

No authentication. Integrity is gated on a domain-specific check (uploader sessionId, gallery password, etc.). Rate-limited per IP.

Request

Field Type Required Description
eventId string yes Your Fotowall event ID. Max 100 chars.
password string yes The password attempt. Max 200 chars.

EXAMPLE BODY

{
  "eventId": "spring-gala-2026",
  "password": "lighthouse2026"
}

Response

Field Type Always present Description
ok boolean yes true if the password matches OR if galleryPasswordEnabled is false.

EXAMPLE BODY

{
  "ok": true
}

curl

curl -X POST https://us-central1-freedomgrc-photowall.cloudfunctions.net/verifyGalleryPassword \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "eventId":  "spring-gala-2026",
      "password": "lighthouse2026"
    }
  }'

JavaScript

We don't ship a first-party JS SDK yet (it's on the roadmap). For callable endpoints, the Firebase Functions SDK is the recommended path — it handles ID-token attachment and payload framing. Plain fetch works too.

const response = await fetch(
  'https://us-central1-freedomgrc-photowall.cloudfunctions.net/verifyGalleryPassword',
  {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      data: { eventId: 'spring-gala-2026', password: 'lighthouse2026' },
    }),
  },
);
const { result } = await response.json();
// result === { ok: true }   or   { ok: false }

Error cases

Code When
invalid-argument eventId or password failed validation (length, regex).
not-found No event at events/{eventId}.
internal Firestore read/write failed.

Need a different shape?

The API surface is small. Tell us what you need and we'll work backward from your integration.
