DecryptAndUse.js

const { KeyManagementServiceClient } = require('@google-cloud/kms');

const projectId = <YourProjectID>;
const locationId = <YourPreferedStorageLocationID>; //Based on the google cloud regions e.g. us-central1
const keyRingId = <KeyRingID>;
const keyId = <YourKeyId>;

const kmsClient = new KeyManagementServiceClient();

const locationName = kmsClient.locationPath(projectId, locationId);

admin.initializeApp({
    credential: admin.credential.applicationDefault()
});
const db = admin.firestore();

const collection = <YourCollectId>

async function getToken() {
    const docRef = db.collection(collection).doc(<YourDocId>);
    const value = docRef.get().then(async doc => {
        const data = doc.data();
        if (!doc.exists || !data) {
            return
        }
        const [resultAccess] = await kmsClient.decrypt({
            name: keyName,
            ciphertext: Buffer.from(data.api_tokens.access_token)
        });

        const plaintextAccess = resultAccess.plaintext.toString('utf8');

        const [resultRefresh] = await kmsClient.decrypt({
            name: keyName,
            ciphertext: Buffer.from(data.api_tokens.refresh_token)
        });

        const plainTextRefresh = resultRefresh.plaintext.toString('utf8');
        return {
            access_token: plaintextAccess,
            expiry_date: data.api_tokens.expiry_date,
            refresh_token: plainTextRefresh,
            scope: data.api_tokens.scope,
            token_type: data.api_tokens.token_type
        };
    })
        .catch(err => {
            console.log('Error getting document', err);
            return
        });
    return value
}