The firebase.User object has a getIdToken() method that, as you might have guessed, returns the auth token. It's an async method that returns a Promise, but the resolved value can be used to authenticate the remote calls made from a user's browser. Specifically, it can be attached as a bearer token in the Authorization header of remote calls.
To convert the Promise-based method to an Observable and use the value in a remote call, you can use code like this:
import { from } from 'rxjs';
import { mergeMap } from 'rxjs/operators';

from(user.getIdToken()).pipe(
  // Return the inner Observable so mergeMap can subscribe to it and emit the response.
  mergeMap(token =>
    http.get(url, {
      headers: {
        Authorization: `Bearer ${token}`,
      },
    })
  ),
)
Backend code can then validate the token using Firebase SDKs to confirm the authenticity and validity of incoming HTTP calls.
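One way the backend check described above could look in Node.js, as an added example that is not code from the original page. It assumes the token arrives in the standard `Authorization: Bearer` header; `extractBearerToken`, `authenticate`, the stub verifier and the sample tokens are hypothetical names and constructed values, and in a real service the injected verifier would be the Firebase Admin SDK's `verifyIdToken`.

```javascript
// Added example: server-side handling of the bearer token sent by the client.
// The verifier is injected so this runs offline. In production, pass
//   (t) => admin.auth().verifyIdToken(t)   // Firebase Admin SDK
// which checks signature, expiry, issuer and audience for your project.

// Pull the token out of an "Authorization: Bearer <token>" header value.
// Returns null for a missing header, another scheme, or a malformed value.
function extractBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  // Scheme name is case-insensitive; the token must be a single non-space run.
  const match = /^Bearer +(\S+)$/i.exec(headerValue.trim());
  return match ? match[1] : null;
}

// Resolve to { status, uid? } so the caller can map it to an HTTP response.
// `headers` follows Node's convention of lower-cased header names.
async function authenticate(headers, verifyIdToken) {
  const token = extractBearerToken(headers['authorization']);
  if (token === null) return { status: 401, error: 'missing bearer token' };
  try {
    const decoded = await verifyIdToken(token);
    // Trust only the identity in the verified token, never a client-sent uid.
    return { status: 200, uid: decoded.uid };
  } catch (err) {
    // Expired, malformed, revoked or wrong-project tokens all fail closed,
    // and the verifier's error detail is not echoed back to the caller.
    return { status: 401, error: 'invalid token' };
  }
}

// Constructed stand-in for the SDK verifier: accepts exactly one known token.
const stubVerify = async (t) => {
  if (t !== 'constructed-valid-token') throw new Error('bad token');
  return { uid: 'user-123' };
};

// Constructed sample requests (headers only).
const sampleRequests = [
  { authorization: 'Bearer constructed-valid-token' }, // accepted
  { authorization: 'Bearer forged-token' },            // rejected by verifier
  { authorization: 'Basic dXNlcjpwYXNz' },             // wrong scheme
  {},                                                  // header missing
];

Promise.all(sampleRequests.map((h) => authenticate(h, stubVerify)))
  .then((results) => results.forEach((r) => console.log(r)));
```
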