Introducing VAPID

We’re happy to announce that Pushpad now supports VAPID (Voluntary Application Server Identification for Web Push).

The update applies to both new and existing projects.

The update has been rolled out automatically and you don’t need to take any action.

For legacy subscriptions, when you try to subscribe again from the same browser, you may see a message like the following printed in the browser developer console:

“A subscription with a different application server key already exists.”

Don’t worry! You can safely ignore that exception: legacy subscriptions will still work. When they expire they will be replaced automatically by a new subscription and that message will eventually disappear.

The new VAPID support:

  • improves security: an attacker who obtains an endpoint cannot send push notifications to that device unless they also know the VAPID private key (Pushpad generates it automatically and you can find it in the sender settings)
  • makes it easier to create a sender: you no longer need to configure GCM, because the application can authenticate itself with the browser push service automatically.
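
The check behind the security point above, as an added example (not Pushpad's code): a simplified Node.js model of RFC 8292 in which the application server signs an ES256 JWT and the push service accepts it only if it verifies under the key the subscription was created with. The function names, the two key pairs, the `push.example.test` endpoint and the contact address are constructed for illustration.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const originOf = (endpoint) => new URL(endpoint).origin;

// Application server: sign a short-lived ES256 JWT for the push service origin.
function signVapidJwt(privateKey, endpoint, subject, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'ES256' }));
  const claims = b64url(JSON.stringify({
    aud: originOf(endpoint), // origin of the push service
    exp: now + 12 * 3600,    // RFC 8292 allows at most 24 hours
    sub: subject,            // contact URI of the sender
  }));
  const input = `${header}.${claims}`;
  // JWS ES256 uses the fixed-length r||s signature form, not DER.
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64url(sig)}`;
}

// Push service, simplified: accept a token only if it is for this origin, is
// not expired, and verifies under the public key bound to the subscription.
function pushServiceAccepts(jwt, boundPublicKey, endpoint, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return false;
  const [header, claims, sig] = parts;
  let h, c;
  try {
    h = JSON.parse(Buffer.from(header, 'base64url').toString());
    c = JSON.parse(Buffer.from(claims, 'base64url').toString());
  } catch (err) {
    return false;
  }
  if (!h || !c || h.alg !== 'ES256' || c.aud !== originOf(endpoint)) return false;
  if (typeof c.exp !== 'number' || c.exp <= now || c.exp > now + 24 * 3600) return false;
  return crypto.verify('sha256', Buffer.from(`${header}.${claims}`),
    { key: boundPublicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
}

// Constructed sample data: the sender's key pair, an unrelated key pair held by
// someone who only learned the endpoint, and a placeholder endpoint.
const newKeys = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const owner = newKeys();
const outsider = newKeys();
const ENDPOINT = 'https://push.example.test/send/constructed-subscription-id';
const SUBJECT = 'mailto:admin@example.test';

const ownerJwt = signVapidJwt(owner.privateKey, ENDPOINT, SUBJECT);
const forgedJwt = signVapidJwt(outsider.privateKey, ENDPOINT, SUBJECT);
console.log('owner token accepted:', pushServiceAccepts(ownerJwt, owner.publicKey, ENDPOINT));
console.log('outsider token accepted:', pushServiceAccepts(forgedJwt, owner.publicKey, ENDPOINT));
```

In the real protocol the request also carries the public key in the `Authorization` header, and the push service compares it with the key supplied when the browser subscribed; the model passes that bound key in directly.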

If you are interested in technical details about VAPID we suggest that you read one of these articles:

 

2 thoughts on “Introducing VAPID”

  1. Thanks for this update. A few questions.

    For Pushpad Pro, can we get rid of gcm_sender_id and gcm_user_visible_only in the manifest.json of the web app? Even if we already have subscriptions?

    1. can we get rid of gcm_sender_id and gcm_user_visible_only in the manifest.json of the web app? Even if we already have subscriptions?

      I’m pretty sure (99%) that it works even if you remove gcm_sender_id and gcm_user_visible_only (or the manifest itself). However I suggest that you keep the manifest and its data for legacy projects, because we have better tested this scenario. Leaving the manifest there has no side effect: all new subscriptions will use VAPID anyway and the manifest is ignored.
      Moreover there are some legacy browser versions that support only GCM.

      For new projects you don’t need to add the manifest.

      N.B. DO NOT REMOVE the GCM sender ID and API key from the sender settings! Otherwise we won’t be able to send notifications to the legacy subscriptions created with GCM.
