-
-
Notifications
You must be signed in to change notification settings - Fork 2
plugin push
github-actions[bot] edited this page Apr 26, 2026
·
2 revisions
APNs + FCM push notification relay for iOS and Android. Free, MIT licensed.
nself plugin install pushRedis is auto-enabled when the push plugin is installed. If REDIS_ENABLED is unset in your env, nself build detects the installed plugin and adds the redis service automatically.
Provides a standardized APNs (iOS) and FCM v1 (Android) push notification pipeline:
- App code inserts a row into
np_push_outbox(or Hasura triggers do it automatically on events) - A Hasura event trigger fires a POST to
/push/dispatch - The push service dispatches to Apple or Google, tracks delivery state, and retries with exponential backoff
- Final status (delivered / failed) is written back to the outbox row
No per-app APNs/FCM bridge needed. One plugin handles all apps on the stack.
| Env Var | Default | Description |
|---|---|---|
PUSH_APNS_TEAM_ID |
Apple Developer Team ID (10-char string) | |
PUSH_APNS_KEY_ID |
APNs Auth Key ID (10-char string from developer.apple.com) | |
PUSH_APNS_KEY_PEM |
APNs Auth Key content (raw PEM or file path , see Credentials) | |
PUSH_APNS_BUNDLE_ID |
App Bundle ID (e.g. com.example.myapp) |
|
PUSH_APNS_SANDBOX |
0 |
Set to 1 for APNs sandbox (development) |
PUSH_FCM_PROJECT_ID |
Firebase project ID | |
PUSH_FCM_SERVICE_ACCOUNT_JSON |
FCM service account JSON (raw JSON or file path , see Credentials) | |
PUSH_RETRY_MAX_ATTEMPTS |
3 |
Maximum delivery attempts before marking a message failed |
PUSH_RETRY_BACKOFF_BASE_MS |
500 |
Base backoff in ms (doubles each retry, capped at 30s) |
- Go to developer.apple.com → Certificates, IDs & Profiles → Keys
- Create an APNs Auth Key (.p8 file)
- Note your Team ID, Key ID, and Bundle ID
- Set the env vars in
.env.secrets(never.env.dev):
PUSH_APNS_TEAM_ID=ABCDE12345
PUSH_APNS_KEY_ID=XYZ9876543
PUSH_APNS_BUNDLE_ID=com.example.myapp
# Preferred: paste PEM content directly (single-line with \n for newlines)
PUSH_APNS_KEY_PEM=-----BEGIN PRIVATE KEY-----\nMIGH...==\n-----END PRIVATE KEY-----
# Alternative: path to .p8 file mounted into container
# PUSH_APNS_KEY_PEM=/run/secrets/apns-key.p8- Go to Firebase Console → Project Settings → Service Accounts
- Generate a new private key (downloads a JSON file)
- Set the env var in
.env.secrets:
PUSH_FCM_PROJECT_ID=my-firebase-project-12345
# Preferred: paste JSON content directly
PUSH_FCM_SERVICE_ACCOUNT_JSON={"type":"service_account","project_id":"..."}
# Alternative: path to JSON file mounted into container
# PUSH_FCM_SERVICE_ACCOUNT_JSON=/run/secrets/fcm-sa.jsonSet up a Hasura event trigger that fires on INSERT to np_push_outbox:
# Hasura metadata — add to your tables configuration
- table:
name: np_push_outbox
schema: public
event_triggers:
- name: push_dispatch
definition:
enable_manual: true
insert:
columns: "*"
webhook: "http://push:8080/push/dispatch"
headers:
- name: Content-Type
value: application/json
retry_conf:
num_retries: 0 # push plugin handles its own retry
interval_sec: 10
timeout_sec: 60Or via Hasura Console: Tables → np_push_outbox → Events → Create Event Trigger.
Insert a row into np_push_outbox from your application:
-- GraphQL mutation
mutation SendPush {
insert_np_push_outbox_one(object: {
device_token: "abc123...",
platform: "ios",
payload: {
"aps": {
"alert": {
"title": "New message",
"body": "You have a new message from Alice"
},
"badge": 1,
"sound": "default"
}
}
}) {
id
status
}
}For Android (FCM):
mutation SendAndroidPush {
insert_np_push_outbox_one(object: {
device_token: "fcm-registration-token...",
platform: "android",
payload: {
"notification": {
"title": "New message",
"body": "You have a new message from Alice"
},
"data": {
"thread_id": "thread-123"
}
}
}) {
id
status
}
}Register device tokens when a user grants push permission in your app:
curl -X POST http://push:8080/push/devices \
-H "Content-Type: application/json" \
-d '{
"device_token": "abc123...",
"platform": "ios",
"app_id": "myapp",
"user_id": "user-uuid-here"
}'Each outbox row progresses through these states:
| Status | Meaning |
|---|---|
pending |
Row inserted, waiting for Hasura event trigger to fire |
queued |
Dispatch accepted, delivery in progress |
delivered |
Provider confirmed delivery |
retrying |
First attempt failed, scheduled for retry |
failed |
All attempts exhausted; last_error has the provider error |
Query delivery status:
query CheckDelivery($id: uuid!) {
np_push_outbox_by_pk(id: $id) {
status
attempts
last_error
updated_at
}
}APNs keys and FCM service accounts rotate on your security schedule. To rotate:
- Generate the new key/service account from Apple / Firebase
- Update
PUSH_APNS_KEY_PEMorPUSH_FCM_SERVICE_ACCOUNT_JSONin.env.secrets - Restart the push container:
nself restart push
The plugin reloads credentials from env on every startup. No cache to flush.
Expired APNs key: the plugin logs a clear error (apns: credential error, ExpiredProviderToken) and marks affected outbox rows as failed. No silent delivery loss.
- Device tokens are stored in plain text in
np_push_devices. They are semi-public identifiers, not secrets. The real secrets (APNs PEM, FCM JSON) are in env vars only, never in the database. - FCM service account JSON is never logged. APNs JWT signing uses the loaded EC key without exposing it in any log line.
- The
/push/dispatchendpoint validates thatdevice_tokenis not a URL (SSRF guard). Tokens that look likehttp://...are rejected and the outbox row is marked failed. - APNs uses JWT signing (ES256) with a fresh token per request, no stale-token risk.
The notify plugin handles email (SMTP) and webhook delivery. The push plugin is its sibling for mobile push delivery. They are independent services that share the same np_notify_outbox-style pattern but operate on different tables and endpoints.
See: plugin-notify for email and webhook notification delivery.
ɳSelf CLI v1.0.9. MIT licensed. Docs CC BY 4.0.
GitHub · Issues · Discussions · nself.org · docs.nself.org
Getting Started
Commands
- Commands, Overview
- Lifecycle: cmd-init · cmd-build · cmd-start · cmd-stop · cmd-restart · cmd-dev
- Monitoring: cmd-status · cmd-logs · cmd-health · cmd-urls · cmd-doctor · cmd-monitor · cmd-alerts · cmd-watchdog · cmd-dogfood
- Data: cmd-db · cmd-backup · cmd-dr · cmd-queue · cmd-webhooks
- Config: cmd-config · cmd-service · cmd-env · cmd-promote
- Networking: cmd-ssl · cmd-trust · cmd-dns-setup
- Security: cmd-security · cmd-secrets · cmd-waf
- Tenancy: cmd-tenant · cmd-billing
- Plugins: cmd-plugin · cmd-license
- AI: cmd-ai · cmd-claw
- Utilities: cmd-exec · cmd-clean · cmd-reset · cmd-update · cmd-upgrade · cmd-version · cmd-admin · cmd-migrate · cmd-completion
Features
- Features, Overview
- Feature-Auth
- Feature-Storage
- Feature-Search
- Feature-Functions
- Feature-Email
- Feature-Monitoring
- Feature-Plugins
- Feature-ɳClaw, AI Assistant
- Feature-ɳChat, Messaging
- Feature-ɳTV, Media Player
- Feature-ɳFamily, Family Social
- Feature-ɳCloud, Managed Hosting
- Feature-Memory-Rooms, Knowledge Organization
- Feature-Agent-Dashboard, Agent Metrics
- Feature-Image-Generation, AI Image Generation
Configuration
- Configuration, Overview
- Config-Env-Vars
- Config-Postgres
- Config-Hasura
- Config-Auth
- Config-Nginx
- Config-Optional-Services
- Config-Custom-Services
- Config-System
Plugins (87 + 10 monitoring)
Free (25)
- plugin-backup
- plugin-content-acquisition
- plugin-content-progress
- plugin-cron
- plugin-donorbox
- plugin-feature-flags
- plugin-github
- plugin-github-runner
- plugin-invitations
- plugin-jobs
- plugin-link-preview
- plugin-mdns
- plugin-mlflow
- plugin-monitoring
- plugin-notifications
- plugin-notify
- plugin-paypal
- plugin-search
- plugin-shopify
- plugin-stripe
- plugin-subtitle-manager
- plugin-tokens
- plugin-torrent-manager
- plugin-vpn
- plugin-webhooks
Pro (62)
- plugin-access-controls
- plugin-activity-feed
- plugin-admin-api
- plugin-ai
- plugin-analytics
- plugin-auth
- plugin-backup-pro
- plugin-bots
- plugin-browser
- plugin-calendar
- plugin-cdn
- plugin-chat
- plugin-claw
- plugin-claw-budget
- plugin-claw-news
- plugin-claw-web
- plugin-cloudflare
- plugin-cms
- plugin-compliance
- plugin-cron-pro
- plugin-ddns
- plugin-devices
- plugin-documents
- plugin-donorbox-pro
- plugin-entitlements
- plugin-epg
- plugin-file-processing
- plugin-game-metadata
- plugin-geocoding
- plugin-geolocation
- plugin-google
- plugin-home
- plugin-idme
- plugin-knowledge-base
- plugin-linkedin
- plugin-livekit
- plugin-media-processing
- plugin-meetings
- plugin-moderation
- plugin-mux
- plugin-notify-pro
- plugin-object-storage
- plugin-observability
- plugin-paypal-pro
- plugin-photos
- plugin-podcast
- plugin-post
- plugin-realtime
- plugin-recording
- plugin-retro-gaming
- plugin-rom-discovery
- plugin-shopify-pro
- plugin-social
- plugin-sports
- plugin-stream-gateway
- plugin-streaming
- plugin-stripe-pro
- plugin-support
- plugin-tmdb
- plugin-voice
- plugin-web3
- plugin-workflows
Planned (26)
plugin-auditplugin-blogplugin-checkoutplugin-commerceplugin-drmplugin-exportplugin-flowplugin-importplugin-ldapplugin-mailgunplugin-mediaplugin-oauth-providersplugin-pagesplugin-postmarkplugin-rate-limitplugin-reportsplugin-samlplugin-schedulerplugin-sendgridplugin-ssoplugin-subscriptionplugin-thumbplugin-transcoderplugin-twilioplugin-wafplugin-watermark
Guides
- Guide-Production-Deployment
- Guide-SSL-Setup
- Guide-Multi-Tenancy
- Guide-Security-Hardening
- Guide-Monitoring-Setup
- Guide-Backup-Restore
- Guide-Custom-Services
- Guide-Migration-from-v1
Architecture
Reference
- API-Reference
- reference-error-codes, Error Codes
Licensing
Security
Brand
Operations
- operations/release-cascade, Release Cascade
- operations/self-healing, Self-Healing Schema
- operations/redis-tuning, Redis Pool Tuning
- operations/meilisearch-warmup, MeiliSearch Warm-Up
- operations/jwt-rotation, JWT Key Rotation
- operations/windows-wsl2-setup, Windows / WSL2 Setup
- operations/gemini-oauth-reauth, Gemini OAuth Reauth
Contributing