The messaging/third-party-auth-error occurs when Firebase Cloud Messaging cannot authenticate with third-party push services like Apple Push Notification service (APNs) or Web Push services. This prevents notifications from being delivered to iOS devices or web browsers.
The messaging/third-party-auth-error indicates that Firebase Cloud Messaging (FCM) failed to authenticate with a third-party push service while attempting to send a notification. This error typically appears when trying to deliver push notifications to iOS devices via APNs or to web browsers via Web Push service. FCM acts as an intermediary between your application server and Apple or Web Push infrastructure. When FCM cannot successfully authenticate with these external services, it cannot deliver the notification, resulting in this error. The root cause is usually invalid, expired, or misconfigured credentials in your Firebase project settings, though intermittent service issues or configuration mismatches can also trigger this error. Unlike Android notifications which use FCM directly, iOS and web notifications require additional authentication steps with third-party services, making credential management more complex.
Check the status and validity of your APNs credentials:
1. Open [Firebase Console](https://console.firebase.google.com/)
2. Select your project
3. Go to Project Settings (gear icon) > Cloud Messaging tab
4. Scroll to Apple app configuration section
5. Look for your iOS app and check the APNs credential status
6. If the status shows "Expired", "Invalid", or "Missing", you need to upload new credentials
If credentials appear missing or invalid, proceed to the next steps to generate and upload new credentials.
Create a fresh APNs authentication key which never expires:
1. Log in to [Apple Developer Portal](https://developer.apple.com/account/)
2. Navigate to Certificates, Identifiers & Profiles > Keys
3. Click the + button to create a new key
4. Give it a descriptive name (e.g., "Firebase FCM Key")
5. Check the box for Apple Push Notifications service (APNs)
6. Click Continue, then Register
7. Click Download to get the .p8 file (you can only download once)
8. Important: Save this file securely - Apple doesn't allow re-downloading
During or after creation, note:
- Your Key ID (displayed on the confirmation page)
- Your Team ID (from Account > Membership page)
Upload your new .p8 key to Firebase Console:
1. Return to Firebase Console > Project Settings > Cloud Messaging tab
2. Under Apple app configuration, find your iOS app
3. Click Upload button next to "APNs authentication key"
4. Select your .p8 file
5. Paste your Key ID from Apple Developer Portal
6. Paste your Team ID from Apple Developer Portal
7. Click Upload
Firebase will validate the key. Once successful, the status should show as "Active" or "Valid". Your iOS app can now receive push notifications again.
Ensure consistency between Apple Developer Portal, Firebase, and your iOS app:
1. In Apple Developer Portal, find the App ID associated with your APNs key:
- Go to Certificates, Identifiers & Profiles > Identifiers
- Find your app and note its Bundle ID (e.g., com.company.appname)
- Verify it matches the Team ID on your key
2. In Firebase Console > Project Settings > General:
- Under "Your apps", find your iOS app
- Verify the Bundle ID matches your Apple App ID exactly
3. In Xcode:
- Select your project > Signing & Capabilities
- Confirm the Bundle Identifier matches exactly
If any of these don't match, update them to be consistent. You may need to delete and re-add the app in Firebase if the Bundle ID changed significantly.
Confirm that push notifications now work:
1. Send a test notification from Firebase Console:
- Go to Engage > Messaging
- Click New campaign > Firebase Notification messages
- Enter a title and message
- Click Send test message
- Enter an iOS device FCM token
- Click Test
2. Alternatively, test programmatically using the Admin SDK:
const admin = require('firebase-admin');
const message = {
notification: {
title: 'Test Notification',
body: 'Testing APNs authentication'
},
token: 'YOUR_DEVICE_FCM_TOKEN'
};
admin.messaging().send(message)
.then((response) => {
console.log('Successfully sent message:', response);
})
.catch((error) => {
console.log('Error sending message:', error);
});If the notification arrives on your iOS device, the credentials are now properly configured.
For web notifications, ensure Web Push service credentials are properly set:
1. In Firebase Console > Project Settings > Cloud Messaging
2. Look for Web API Key or Web Credential section
3. For some setups, you may need to configure a VAPID key pair:
// Generate VAPID keys (one-time setup)
const webpush = require('web-push');
const vapidKeys = webpush.generateVAPIDKeys();
console.log('Public key:', vapidKeys.publicKey);
console.log('Private key:', vapidKeys.privateKey);
// Configure in your server
webpush.setVapidDetails(
'mailto:[email protected]',
PUBLIC_KEY,
PRIVATE_KEY
);Ensure your Firebase config in the client includes the correct VAPID public key. Test sending a notification to a subscribed web client to verify it works.
Intermittent Failures: This error can occur sporadically even with correct credentials configured. One hypothesis is a race condition where an APNs key expires and is being refreshed at the exact moment a notification is sent. If you experience intermittent failures, verify your key hasn't expired and consider uploading a fresh key even if the current one appears valid.
App Migration: If you migrated an app from one Firebase project to another, the old project's APNs credentials won't work in the new project. You must upload valid APNs credentials specific to the new project. Interestingly, some developers found that moving the app back to the original Firebase project restored functionality.
Certificate vs Key: Firebase accepts both older APNs certificates (.p12, .cer files) and newer authentication keys (.p8 files). Authentication keys never expire and are recommended, but certificates expire annually and must be renewed. If using certificates and notifications suddenly stop working, check if the certificate expired.
iOS Environment Mismatch: Apps built locally via Xcode or via TestFlight use sandbox APNs tokens, while App Store builds use production tokens. A universal APNs authentication key works for both environments. However, if you upload only a production key and test with TestFlight, notifications will fail. Use universal keys or upload both development and production credentials.
Browser Compatibility: Firefox and some other browsers may have specific requirements for Web Push that differ from Chrome. If notifications work in Chrome but fail in Firefox, test with Web Push service credentials and check browser-specific push notification requirements.
API Versions: Older Firebase Admin SDK versions may have issues with newer APNs key formats. If using an old SDK version, consider upgrading to the latest stable version which has better support for modern APNs authentication keys.
Callable Functions: INTERNAL - Unhandled exception
How to fix "Callable Functions: INTERNAL - Unhandled exception" in Firebase
auth/invalid-hash-algorithm: Hash algorithm doesn't match supported options
How to fix "auth/invalid-hash-algorithm: Hash algorithm doesn't match supported options" in Firebase
Hosting: CORS configuration not set up properly
How to fix CORS configuration in Firebase Hosting
auth/reserved-claims: Custom claims use reserved OIDC claim names
How to fix "reserved claims" error when setting custom claims in Firebase
Callable Functions: UNAUTHENTICATED - Invalid credentials
How to fix "UNAUTHENTICATED - Invalid credentials" in Firebase Callable Functions