Replying to Vitor Pamplona

There are app tokens and API tokens. Google gives your app a specific JSON that ships inside your app to activate push for a valid sequence of tokens. Then there is a token from the device+app that you need to register with a pubkey in your server to know which device+app wants notif from which keys. Your service will have a copy of the API key for your app to tell FCM you are an authorized pusher. Your server then needs to listen to notifications from those keys and send each key to each token. When the notification reaches the phone, the OS knows which app it should send it to.

So, in theory, the server needs the Firebase keys of all apps it is pushing notifications for.
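
The flow described in the post above, as an added example that is not part of the original thread: a local Python model in which a push only goes through for apps whose credential the server holds. No real FCM calls are made; `FakeFCM`, `PushServer`, and every app id, key, token and pubkey are constructed for illustration.

```python
class FakeFCM:
    """Simplified stand-in for FCM: accepts a push only when the sender's
    credential belongs to the app that owns the device token."""
    def __init__(self):
        self.app_keys = {}     # app_id -> credential issued to that app
        self.token_owner = {}  # device+app token -> app_id
        self.delivered = []    # (app_id, token, payload) actually routed to a phone

    def issue_app(self, app_id, api_key):
        self.app_keys[app_id] = api_key

    def issue_token(self, app_id, token):
        self.token_owner[token] = app_id

    def send(self, api_key, token, payload):
        app_id = self.token_owner.get(token)
        if app_id is None or self.app_keys.get(app_id) != api_key:
            return False  # not an authorized pusher for this token's app
        self.delivered.append((app_id, token, payload))
        return True

class PushServer:
    """The notification server: a token registry plus per-app credential copies."""
    def __init__(self, fcm):
        self.fcm = fcm
        self.api_keys = {}  # app_id -> credential copy held by this server
        self.watchers = {}  # pubkey -> set of (app_id, token) wanting its events

    def register(self, app_id, token, pubkey):
        self.watchers.setdefault(pubkey, set()).add((app_id, token))

    def on_event(self, pubkey, payload):
        results = {}
        for app_id, token in sorted(self.watchers.get(pubkey, ())):
            key = self.api_keys.get(app_id)  # None if the server lacks this app's key
            results[token] = key is not None and self.fcm.send(key, token, payload)
        return results

def demo():
    fcm = FakeFCM()
    fcm.issue_app("app-a", "KEY-A")        # constructed sample values
    fcm.issue_app("app-b", "KEY-B")
    fcm.issue_token("app-a", "tok-1")
    fcm.issue_token("app-b", "tok-2")
    server = PushServer(fcm)
    server.api_keys["app-a"] = "KEY-A"     # the server holds only app-a's credential
    server.register("app-a", "tok-1", "npub-alice")
    server.register("app-b", "tok-2", "npub-alice")
    return server.on_event("npub-alice", "new note"), fcm.delivered
```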

hodlbod 7mo ago

> Your service will have a copy of the API key for your app to tell FCM you are an authorized pusher.

Ah, there it is. Would it be feasible to just tell relays your app key or would Google ban you for that? Anyway, seems ripe for abuse.


Discussion

Vitor Pamplona 7mo ago

Google is pretty by the book. I remember moving things around in the JSON, and they blocked the release :)

hodlbod 7mo ago

Ah, right, forgot about the walled garden
