Queuing functions on Firebase & Security Concerns

So I’m planning on implementing a queued function call using Firebase RTDB and Cloud Functions.

The plan being for a user to write arguments to a Firebase location (via my app), and have the cloud function call the function via the Particle API when the device comes online after a sleep cycle (it publishes an “alive” event).

I think this should be relatively easy to implement but I’m wondering if anyone has any security tips for ensuring only appropriate/valid users are able to call functions on any particular device? Like perhaps a private key system? This is as much to protect against bugs as it is against actual nefarious intent.

EDIT: I should add that only authenticated users can write to the DB, and furthermore that this is more of a firebase question than a Particle one… hopefully that’s okay with the community!

What am I missing? Without any further action only users in possession of a valid access token can call functions.
For product devices you can choose some other authentication methods too.

I realise now that this questions is far too broad without more specifics for my use-case. I really appreciate you taking the time to read it!

The biggest issue is I plan on letting multiple accounts see the data from a single device BUT not necessarily have the rights to call a function. I was contemplating having a passcode displayed on the hardware itself which must be passed with any function call as an argument (perhaps in a obfuscated way).

In the meantime perhaps I’ll try and get my head around queuing function calls via Firebase Cloud Functions and worry about the security side more later!