We’re happy to announce that Pushpad now supports VAPID (Voluntary Application Server Identification for Web Push).
The update applies to both new and existing projects.
The update has been rolled out automatically and you don’t need to take any action.
For legacy subscriptions, when you try to subscribe again from the same browser, you may see a message like the following printed in the browser developer console:
“A subscription with a different application server key already exists.”
Don’t worry! You can safely ignore that exception: legacy subscriptions will still work. When they expire they will be replaced automatically by a new subscription and that message will eventually disappear.
The new VAPID support:
- improves security: an attacker who obtains an endpoint cannot send push notifications to that device unless they also know the VAPID private key (Pushpad generates it automatically and you can find it in the sender settings)
- makes it easier to create a sender: you no longer need to configure GCM, because the application can authenticate itself with the browser push service automatically.
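The security point above, as an added example (not Pushpad's code): a simplified model of the check a push service makes under VAPID, where a request is accepted only if its ES256 token verifies against the application server key the subscription was created with. The function names, URLs, contact address and timestamp are assumptions constructed for illustration.

```javascript
// Added illustration (not Pushpad's code); keys, URLs and timestamps are constructed.
const crypto = require('crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');

// Application server side: sign a VAPID JWT (ES256) addressed to the push service origin.
function signVapidToken(privateKey, audience, subject, nowSec) {
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'ES256' }));
  const claims = b64url(JSON.stringify({ aud: audience, exp: nowSec + 12 * 3600, sub: subject }));
  const input = `${header}.${claims}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64url(sig)}`;
}

// Push service side (simplified): verify against the key bound to the subscription.
function pushServiceAccepts(token, subscriptionPublicKey, expectedAudience, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [header, claims, sig] = parts;
  let h, c;
  try {
    h = JSON.parse(Buffer.from(header, 'base64url').toString());
    c = JSON.parse(Buffer.from(claims, 'base64url').toString());
  } catch {
    return false;
  }
  if (h.alg !== 'ES256') return false; // only the algorithm VAPID specifies
  const ok = crypto.verify('sha256', Buffer.from(`${header}.${claims}`),
    { key: subscriptionPublicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  if (!ok || c.aud !== expectedAudience) return false;
  // exp must be in the future and no more than 24 hours ahead
  return typeof c.exp === 'number' && c.exp > nowSec && c.exp <= nowSec + 24 * 3600;
}

function demo() {
  const now = 1700000000;                  // constructed timestamp
  const aud = 'https://push.example.net';  // constructed push service origin
  const sender = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const good = signVapidToken(sender.privateKey, aud, 'mailto:ops@example.com', now);
  const unauthorized = signVapidToken(other.privateKey, aud, 'mailto:ops@example.com', now);
  return {
    legitimate: pushServiceAccepts(good, sender.publicKey, aud, now),
    wrongKey: pushServiceAccepts(unauthorized, sender.publicKey, aud, now),
    wrongAudience: pushServiceAccepts(good, sender.publicKey, 'https://other.example.net', now),
    expired: pushServiceAccepts(good, sender.publicKey, aud, now + 13 * 3600),
  };
}
console.log(demo());
```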
If you are interested in technical details about VAPID we suggest that you read one of these articles:
- Sending VAPID identified WebPush Notifications via Mozilla’s Push Service (Mozilla)
- Web Push Interoperability Wins (Google)
- Voluntary Application Server Identification for Web Push (IETF)