Using resource.data in Firestore rules

Published 2019-08-28 02:17

Question:

I have the following Firestore rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
        allow read: if true;
    }
    match /institutions/{institution}/watches/{watch} {
      allow read, update, delete: if request.auth.email == resource.data.email;
      allow create: if request.auth.email != null;
    }
  }
}

Essentially, I'd like it such that any document under /institutions/{institution}/watches is readable/updatable/deletable if and only if the email on the document is identical to the email of the user. When I run this through the simulator with an example document, however, I can't get the access control to work, and I also get a permission denied error on the API client.

Is there any way to debug this further/is something missing from my above rules?

Answer 1:

I believe that request.auth.email should be request.auth.token.email. See https://firebase.google.com/docs/reference/rules/rules.firestore.Request#auth .
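For reference, here is the rule set from the question rewritten with the field path the answer points to. This is an added example, not the original poster's or the answer author's code. Two things in it go beyond the one-line fix: the catch-all `match /{document=**} { allow read: if true; }` block is dropped, because Firestore grants access as soon as any matching rule allows it, so with that block in place every document stays world-readable no matter what the watches rule says; and the create rule binds the new document's `email` field to the caller's token email, so a user cannot create a watch that is then owned by someone else. The collection names and the `email` field are taken from the question; the `request.auth != null` guards are an addition that keeps unauthenticated requests from hitting a null dereference in the comparison.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // No catch-all read rule here: in Firestore, rules only grant access,
    // they never take it away, so a blanket "allow read: if true" would make
    // the per-document email check below meaningless for reads.

    match /institutions/{institution}/watches/{watch} {
      // The signed-in user's email lives on the ID token, not directly on
      // request.auth (the point made in the answer above).
      function callerEmail() {
        return request.auth.token.email;
      }

      // Read/update/delete only when the stored document's email matches
      // the caller's email. resource.data is the document as it exists now.
      allow read, update, delete: if request.auth != null
        && callerEmail() == resource.data.email;

      // Create only when signed in with an email, and only if the document
      // being written claims that same email (request.resource.data is the
      // incoming document). Assumption added here: ownership is fixed at
      // create time so a user cannot plant a watch under another address.
      allow create: if request.auth != null
        && callerEmail() != null
        && request.resource.data.email == callerEmail();
    }
  }
}
```

If other collections genuinely need to be public, add a narrow `match` for each of them rather than reintroducing the `/{document=**}` wildcard; any wildcard `allow` that overlaps the watches path will silently override the email check for that operation.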