29

I've just learned about VAPID recently and have been looking around for the reasoning why it exists and what its purpose is. Mozilla's blog post explains that "including VAPID information will let us contact you if we see a problem", but I'm not exactly sure what they mean by this. Are they doing some sort of monitoring to prevent other people from mimicking your service?

mattrick
  • 3,580
  • 6
  • 27
  • 43

2 Answers2

35

The abstract of the VAPID specification explains everything:

An application server can voluntarily identify itself to a push service using the described technique. This identification information can be used by the push service to attribute requests that are made by the same application server to a single entity. This can used to reduce the secrecy for push subscription URLs by being able to restrict subscriptions to a specific application server. An application server is further able to include additional information that the operator of a push service can use to contact the operator of the application server.

So there are two reasons for VAPID.

The first is to restrict the validity of a subscription to a specific application server (so, by using VAPID, only your server will be able to send notifications to a subscriber).

The second is to add more information to the push notification, so that the push service operator knows who is sending the notifications. If something is going wrong with your notifications, the operator knows who you are and can contact you. Moreover, they can offer you some kind of interface to monitor your push notifications.

Community
  • 1
  • 1
Marco Castelluccio
  • 10,152
  • 2
  • 33
  • 48
  • Thanks for the answer! What exactly would a push service be looking for to go wrong when monitoring a subscription? – mattrick Nov 03 '16 at 16:38
  • For example, if you start sending a lot of push notifications, more than usual, because there's a bug in your code, the push service can detect that and let you know. – Marco Castelluccio Nov 03 '16 at 18:52
  • Is the email address in the claim ever confirmed? How does Mozilla or Google know that the email address belongs to the person sending the claim? – Flimm May 10 '17 at 13:42
  • 1
    It doesn't need to be confirmed, if you are using VAPID you are signing your push message, so it was definitely sent by you (unless someone stole your secret key). – Marco Castelluccio Jun 15 '17 at 10:22
3

Your VAPID keys allow your server to send web push message to browsers without using a service like Firebase Cloud Messaging or AWS.

For Example: Python Django. You can use Django-Webpush

pip3 install django-webpush

https://pypi.org/project/django-webpush/

vuesajs
  • 93
  • 1
  • 1
  • 7
  • I read that too, except that I have sent myself a push notification with no vapid keys, and not service like firebase cloud messaging or aws... So I think something might be missing with this comparison. – Alex028502 Jan 17 '22 at 05:52