This error occurs when Firebase Cloud Messaging cannot authenticate with Apple Push Notification service because the APNs certificate or authentication key is missing, expired, or invalid.
This error indicates that Firebase Cloud Messaging (FCM) is unable to authenticate with Apple Push Notification service (APNs) to deliver push notifications to iOS devices. FCM acts as a middleman between your server and APNs, but it requires valid APNs credentials uploaded to your Firebase project to establish this connection. APNs credentials come in two forms: certificates (.p12 files) that expire annually, or authentication keys (.p8 files) that never expire. When these credentials are missing, expired, revoked, or misconfigured in the Firebase Console, FCM cannot prove to Apple that it has permission to send notifications on behalf of your app, resulting in this error. The error typically surfaces when attempting to send push notifications to iOS devices, either during development testing or in production. Unlike Android's FCM tokens which work immediately, iOS requires this additional APNs authentication layer, making proper credential configuration critical for iOS push notification functionality.
Navigate to your Firebase project and check the credential status:
1. Open [Firebase Console](https://console.firebase.google.com/)
2. Select your project
3. Go to Project Settings (gear icon) > Cloud Messaging tab
4. Scroll to Apple app configuration section
5. Check the status next to your APNs certificate or authentication key
If you see "Expired", "Invalid", or no credentials listed, you need to upload new credentials. Continue to the next steps.
APNs authentication keys never expire and are simpler to manage than certificates:
1. Log in to [Apple Developer Portal](https://developer.apple.com/account/)
2. Navigate to Certificates, Identifiers & Profiles > Keys
3. Click the + button to create a new key
4. Enter a descriptive name (e.g., "Firebase FCM Production Key")
5. Check the box for Apple Push Notifications service (APNs)
6. Click Continue, then Register
7. Download the .p8 file immediately (you can only download it once)
8. Note the Key ID displayed on the confirmation page
9. Note your Team ID from Account > Membership
Important: Store the .p8 file securely. Apple does not allow re-downloading it.
Upload your new authentication key to Firebase:
1. Return to Firebase Console > Project Settings > Cloud Messaging
2. Under Apple app configuration, find your iOS app
3. Click Upload next to "APNs Authentication Key"
4. Upload the .p8 file you downloaded
5. Enter your Key ID (from Apple Developer Portal)
6. Enter your Team ID (from Apple Developer Portal > Account > Membership)
7. Click Upload
Firebase will validate the key. If successful, you'll see the key status as "Active". Your app can now receive push notifications.
Ensure the bundle ID in Firebase matches your Xcode project:
1. In Firebase Console > Project Settings > General tab
2. Under "Your apps", find your iOS app
3. Verify the Bundle ID matches your Xcode project's bundle identifier
4. In Xcode, select your project > Signing & Capabilities tab
5. Confirm the Bundle Identifier matches exactly
If they don't match, you either need to:
- Update the bundle ID in Firebase (delete and re-add the app), or
- Generate new APNs credentials for the correct bundle ID
Verify notifications work after uploading credentials:
1. Send a test notification from Firebase Console:
- Go to Engage > Messaging
- Click Create your first campaign > Firebase Notification messages
- Enter a notification title and text
- Click Send test message
- Enter your device's FCM token
- Click Test
2. Alternatively, test via your server or code:
const admin = require('firebase-admin');
const message = {
notification: {
title: 'Test Notification',
body: 'Testing APNs credentials'
},
token: 'DEVICE_FCM_TOKEN'
};
admin.messaging().send(message)
.then((response) => {
console.log('Successfully sent message:', response);
})
.catch((error) => {
console.log('Error sending message:', error);
});If the notification arrives on your iOS device, the credentials are configured correctly.
Authentication Keys vs Certificates: Apple introduced APNs authentication keys as a modern alternative to certificates. Keys never expire, work across all your apps under the same Team ID, and support both development and production environments. Certificates expire annually and must be renewed, requiring manual regeneration and re-uploading to Firebase. Unless you have a specific reason to use certificates, authentication keys are the recommended approach.
Environment-Specific vs Universal Keys: As of February 2025, Apple introduced new APNs key types with finer-grained control: environment-specific keys (development or production only) and topic-specific keys tied to a single bundle ID. When creating keys in Apple Developer Portal, you'll choose between universal keys (work everywhere) and these restricted keys. For most Firebase projects, universal keys remain the simplest choice unless you need to restrict key usage for security compliance.
Sandbox vs Production APNs: iOS apps generate different APNs tokens depending on the build environment. Apps installed via Xcode or TestFlight use sandbox APNs tokens, while App Store builds use production tokens. Firebase automatically detects which environment a token belongs to and uses the appropriate credentials. However, if you only upload a production authentication key and test with a TestFlight build, notifications will fail. Upload both development and production keys, or use a universal authentication key that works in both environments.
Certificate Revocation: If you revoke an APNs certificate in Apple Developer Portal (even accidentally), it becomes invalid immediately across all services using it, including Firebase. Revocation cannot be undoneβyou must generate a new certificate or authentication key and re-upload it to Firebase. This is another advantage of authentication keys: they're harder to accidentally invalidate.
Bundle ID Wildcards: Explicit App IDs (com.example.myapp) require specific APNs credentials. Wildcard App IDs (com.example.*) can share a single APNs certificate, but authentication keys cannot use wildcard bundle IDs. Each key is tied to a specific Team ID and works across all apps in that team when using the universal key type.
Callable Functions: INTERNAL - Unhandled exception
How to fix "Callable Functions: INTERNAL - Unhandled exception" in Firebase
auth/invalid-hash-algorithm: Hash algorithm doesn't match supported options
How to fix "auth/invalid-hash-algorithm: Hash algorithm doesn't match supported options" in Firebase
Hosting: CORS configuration not set up properly
How to fix CORS configuration in Firebase Hosting
auth/reserved-claims: Custom claims use reserved OIDC claim names
How to fix "reserved claims" error when setting custom claims in Firebase
Callable Functions: UNAUTHENTICATED - Invalid credentials
How to fix "UNAUTHENTICATED - Invalid credentials" in Firebase Callable Functions