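In your client app, attach a real-time listener whose query is limited to the signed-in user's documents, so that it satisfies the read rule (`auth` is your `getAuth()` instance): `onSnapshot(query(collection(db, 'orders'), where('ownerId', '==', auth.currentUser.uid)), (snapshot) => { snapshot.docChanges().forEach(change => console.log(change.type, change.doc.data())); });`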
Write Firestore security rules that restrict read access: `allow read: if request.auth != null && request.auth.uid == resource.data.ownerId;` — this limits snapshots to documents the user owns.
Deploy updated rules with the Firebase CLI: `firebase deploy --only firestore:rules`.
Test rules in the Firebase console's Rules Playground before deploying to production — simulate authenticated and unauthenticated reads.
Detach listeners when no longer needed (e.g., on component unmount) by calling the unsubscribe function returned by `onSnapshot` to prevent memory leaks and unnecessary billing.
Known gotchas
Security rules are evaluated per document — a listener on a collection query only returns documents the requesting user has `read` permission on; documents failing the rule are silently excluded, not errored.
Real-time listeners count as read operations for billing purposes each time a document changes and is delivered to the client — high-churn collections can generate significant read costs.
Rules do not filter server-side in the traditional sense for queries — the query must be structured so that any document it could return would pass the security rule, or the entire query is rejected.
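The query-level check described in the last gotcha, as an added example that is not from the original page: a simplified JavaScript model of how a listener is authorized under the `ownerId` read rule. It is not Firestore's implementation; `listen`, `queryProvablyWithinRule` and the sample orders are constructed for illustration, and only equality filters are modelled.

```javascript
// Simplified model (an assumption, not Firestore's code) of authorizing a listener under
//   allow read: if request.auth != null && request.auth.uid == resource.data.ownerId;
// Only equality filters are modelled.

// Constructed sample data.
const ORDERS = [
  { id: 'o1', ownerId: 'alice', status: 'open' },
  { id: 'o2', ownerId: 'alice', status: 'shipped' },
  { id: 'o3', ownerId: 'bob', status: 'shipped' },
];

// True only if the query's constraints guarantee that every document it could
// ever return has ownerId equal to the caller's uid.
function queryProvablyWithinRule(auth, filters) {
  if (auth === null) return false; // request.auth != null
  return filters.some(
    (f) => f.field === 'ownerId' && f.op === '==' && f.value === auth.uid
  );
}

// Hypothetical stand-in for onSnapshot: the whole query is rejected, or it runs
// and returns every document matching its own filters.
function listen(auth, filters, docs = ORDERS) {
  if (!queryProvablyWithinRule(auth, filters)) {
    return { error: 'permission-denied', ids: [] };
  }
  const ids = docs
    .filter((d) => filters.every((f) => d[f.field] === f.value))
    .map((d) => d.id);
  return { error: null, ids };
}

const alice = { uid: 'alice' };
const own = { field: 'ownerId', op: '==', value: 'alice' };
const open = { field: 'status', op: '==', value: 'open' };

console.log(listen(alice, []));          // whole collection: permission-denied
console.log(listen(alice, [open]));      // all open orders are alice's, still permission-denied
console.log(listen(alice, [own]));       // allowed: o1, o2
console.log(listen(alice, [own, open])); // allowed: o1
console.log(listen(null, [own]));        // unauthenticated: permission-denied
```

The `[open]` case is the one to watch for in review: the decision depends on what the query could return, not on what the collection currently holds.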