Push delivery is best-effort. A challenge can always be completed from inside your app without a
notification - the notification is only a prompt to open the app. If a send fails, the challenge is
not failed; the failure is recorded as a timeline event so you can monitor delivery.
Choosing a provider
When you enable push verification you choose a push notification provider. The managed options are Default and Firebase. (The Webhook and Airship options keep the existing self-hosted delivery behavior - see Push verification.)| Provider | How it delivers | When to use it |
|---|---|---|
| Default | Authsignal connects directly to APNs for iOS devices and FCM for Android devices. | You want Authsignal to talk to Apple and Google directly. Configure APNs for iOS, FCM for Android, or both. |
| Firebase | Authsignal sends every notification through Firebase Cloud Messaging only. | You already use FCM as a cross-platform solution (including for iOS). |
Portal setup
Enable push verification for your tenant, then choose a push notification provider.
Default provider
Select Default to have Authsignal connect directly to Apple’s and Google’s push services. Configure the credentials for the platforms you support.Apple Push Notification service (APNs)
Required for iOS. Authsignal uses token-based authentication with a.p8 auth key downloaded from the Apple Developer Console.
| Field | Description |
|---|---|
| Team ID | Your Apple Developer Team ID. |
| Key ID | The Key ID of the .p8 auth key. |
| App bundle ID | The bundle identifier of your app (for example com.acme.app). Used as the APNs topic. |
| APNs environment | Production or Sandbox. Sandbox routes to Apple’s sandbox push endpoint for development builds. |
| APNs auth key (.p8) | The contents of your .p8 private key. Paste the key, drop the file, or upload it. |
.p8 file when prompted, and note the Key ID shown alongside the key.
Firebase Cloud Messaging (FCM)
Required for Android. Authsignal uses the FCM HTTP v1 API with a service account JSON downloaded from the Firebase Console.| Field | Description |
|---|---|
| Service account JSON | The full service account JSON. Paste the JSON, drop the file, or upload it. |
Firebase provider
Select Firebase if you use FCM as a cross-platform solution. Authsignal sends every notification - including to iOS devices - through Firebase Cloud Messaging.
Registering push tokens
For Authsignal to deliver a notification, each enrolled device must have a push token registered against its credential. When you enroll a device for push verification with the Mobile SDK, pass the device’s push token toaddCredential. Authsignal stores the token with the credential and uses it, along with the device platform, to route the notification to the correct service.
Which token to register
The token you register must match the provider configured for your tenant:- Default provider - register the raw device push token. On iOS this is a raw APNs token, on Android it is an FCM token. Authsignal sends to APNs directly on iOS and FCM on Android.
- Firebase provider - register an FCM registration token on both platforms, including iOS.
Passing the token to the SDK
Pass the token you obtained toaddCredential:
Passing the push token is supported on the iOS SDK from
v2.7.1, the Android SDK from v3.8.1, the React Native SDK from v2.12.0, and the Flutter SDK from v2.6.0.Keeping the token current
Push tokens rotate over time - on reinstall, restore, or expiry - and a notification sent to a stale token is silently dropped. Both Apple and Google recommend registering the new token with your server as soon as the OS hands it to you. With Authsignal, register it (typically from a token-refresh callback and on app launch) using the SDK’s Update credential method, which refreshes the token on the existing credential without re-enrolling the device.Updating a credential’s push token requires the iOS SDK
v2.11.0, the Android SDK v4.1.0, or the React Native SDK v3.1.0 (or later).What gets sent
The notification payload is intentionally minimal. It carries a generic alert and thechallengeId of the pending challenge:
- APNs - an
alertnotification with a default sound, plus thechallengeIdin the payload. - FCM - a notification with the title
Authentication request, plus thechallengeIdin the message data.
challengeId to fetch the pending challenge with the Mobile SDK’s Get Challenge method, then presents the approve/reject prompt as described in Push verification.
Monitoring delivery
Because delivery is best-effort, failed sends never fail a challenge. Instead, Authsignal records a timeline event when a send fails - including the downstream provider name, status code, and an error description from APNs or FCM - so you can monitor and debug delivery issues. A successful send is also recorded as aPUSH_SENT event.
You can see these events on the user’s event timeline in the portal. Expand View more on a failed send to see the provider, status code, and error description returned by APNs or FCM.

Next steps
- Push verification - The full push verification flow, including enrollment and adaptive MFA
- Enrollment lifecycle - When to add credentials and register push tokens in your app
- Adaptive MFA - Trigger push verification based on risk

