By default, push verification relies on a webhook: when a challenge starts, Authsignal calls your endpoint and you are responsible for sending the push notification to the user’s device.
Instead, you can have Authsignal send the notification for you. You connect your Apple Push Notification service (APNs) and/or Firebase Cloud Messaging (FCM) credentials in the portal, and Authsignal delivers the notification directly to Apple’s and Google’s push services. There is no webhook to build or host.
Push delivery is best-effort. A challenge can always be completed from inside your app without a
notification - the notification is only a prompt to open the app. If a send fails, the challenge is
not failed; the failure is recorded as a timeline event so you can monitor delivery.
Choosing a provider
When you enable push verification you choose a push notification provider. The managed options are Default and Firebase. (The Webhook and Airship options keep the existing self-hosted delivery behavior - see Push verification.)
| Provider | How it delivers | When to use it |
|---|
| Default | Authsignal connects directly to APNs for iOS devices and FCM for Android devices. | You want Authsignal to talk to Apple and Google directly. Configure APNs for iOS, FCM for Android, or both. |
| Firebase | Authsignal sends every notification through Firebase Cloud Messaging only. | You already use FCM as a cross-platform solution (including for iOS). |
Portal setup
Enable push verification for your tenant, then choose a push notification provider.
Default provider
Select Default to have Authsignal connect directly to Apple’s and Google’s push services. Configure the credentials for the platforms you support.
Apple Push Notification service (APNs)
Required for iOS. Authsignal uses token-based authentication with a .p8 auth key downloaded from the Apple Developer Console.
| Field | Description |
|---|
| Team ID | Your Apple Developer Team ID. |
| Key ID | The Key ID of the .p8 auth key. |
| App bundle ID | The bundle identifier of your app (for example com.acme.app). Used as the APNs topic. |
| APNs environment | Production or Sandbox. Sandbox routes to Apple’s sandbox push endpoint for development builds. |
| APNs auth key (.p8) | The contents of your .p8 private key. Paste the key, drop the file, or upload it. |
.p8 file when prompted, and note the Key ID shown alongside the key.
Apple lets you download the .p8 file only once. Store it securely, you cannot retrieve it again later.
Firebase Cloud Messaging (FCM)
Required for Android. Authsignal uses the FCM HTTP v1 API with a service account JSON downloaded from the Firebase Console.
| Field | Description |
|---|
| Service account JSON | The full service account JSON. Paste the JSON, drop the file, or upload it. |
Firebase provider
Select Firebase if you use FCM as a cross-platform solution. Authsignal sends every notification - including to iOS devices - through Firebase Cloud Messaging.
Upload a service account JSON downloaded from the Firebase Console. This is the only credential required. Go to Project settings > Service accounts and click Generate new private key to download it.
Registering push tokens
For Authsignal to deliver a notification, each enrolled device must have a push token registered against its credential. When you enroll a device for push verification with the Mobile SDK, pass the device’s push token to addCredential. Authsignal stores the token with the credential and uses it, along with the device platform, to route the notification to the correct service.
Which token to register
The token you register must match the provider configured for your tenant:
- Default provider - register the raw device push token. On iOS this is a raw APNs token, on Android it is an FCM token. Authsignal sends to APNs directly on iOS and FCM on Android.
- Firebase provider - register an FCM registration token on both platforms, including iOS.
Your app obtains the token from the OS push APIs:
// Default provider: the raw APNs device token, delivered to your AppDelegate
// after registering for remote notifications.
func application(
_ application: UIApplication,
didRegisterForRemoteNotificationsWithDeviceToken deviceToken: Data
) {
let pushToken = deviceToken.map { String(format: "%02x", $0) }.joined()
}
// Firebase provider: the FCM registration token.
Messaging.messaging().token { token, error in
let pushToken = token
}
Passing the token to the SDK
Pass the token you obtained to addCredential:
await authsignal.push.addCredential(
token: "eyJhbGciOiJ...",
pushToken: "<APNs device token>"
)
Passing the push token is supported on the iOS SDK from v2.7.1, the Android SDK from v3.8.1, and the React Native SDK from v2.12.0.
What gets sent
The notification payload is intentionally minimal. It carries a generic alert and the challengeId of the pending challenge:
- APNs - an
alert notification with a default sound, plus the challengeId in the payload.
- FCM - a notification with the title
Authentication request, plus the challengeId in the message data.
Your app uses the challengeId to fetch the pending challenge with the Mobile SDK’s Get Challenge method, then presents the approve/reject prompt as described in Push verification.
Monitoring delivery
Because delivery is best-effort, failed sends never fail a challenge. Instead, Authsignal records a timeline event when a send fails - including the downstream provider name, status code, and an error description from APNs or FCM - so you can monitor and debug delivery issues. A successful send is also recorded as a PUSH_SENT event.
Next steps
