This Firebase Cloud Messaging error occurs when Firebase cannot authenticate with Apple Push Notification service (APNs) using the provided certificate or with web push services using the provided auth key. The error indicates authentication failures with third-party push notification services that Firebase relies on for message delivery.
The "messaging/THIRD_PARTY_AUTH_ERROR" in Firebase Cloud Messaging (FCM) indicates that Firebase failed to authenticate with a third-party push notification service required for message delivery. This error specifically relates to authentication issues with:

1. **Apple Push Notification service (APNs)**: For iOS/macOS devices, Firebase uses APNs certificates or authentication keys to send push notifications. When these credentials are invalid, expired, or misconfigured, Firebase cannot authenticate with Apple's servers.
2. **Web Push Authentication**: For web browsers using the Push API, Firebase requires valid VAPID (Voluntary Application Server Identification) keys for authentication with browser push services.

This error occurs during the authentication handshake between Firebase and the third-party service. Firebase acts as a proxy between your application and the platform-specific push services, and when the authentication credentials fail, message delivery to affected platforms is blocked entirely.

The error typically appears when:

- Sending messages to iOS devices with invalid APNs credentials
- Sending web push notifications with invalid VAPID keys
- After certificate expiration or key rotation
- When credentials are corrupted or malformed

First, verify your APNs certificate status in the Apple Developer portal:
1. Access Apple Developer Account:
- Go to [developer.apple.com](https://developer.apple.com)
- Navigate to Certificates, Identifiers & Profiles
- Check your iOS/macOS Push Services certificates
2. Check certificate expiration:
- APNs certificates are valid for 1 year
- Look for expiration dates in the certificate list
- Renew expired certificates immediately
3. Verify certificate type:
- Development certificates (for development/testing)
- Production certificates (for App Store distribution)
- Ensure you're using the correct type for your environment

```bash
# Check certificate expiration using openssl (if you have the .p12 or .pem file)
# Note: pass:... leaves the password in shell history and the process list;
# -passin env:VARNAME reads it from an environment variable instead
openssl pkcs12 -in your_certificate.p12 -nodes -passin pass:yourpassword | openssl x509 -noout -dates
# Output shows:
# notBefore=Jan 1 00:00:00 2024 GMT
# notAfter=Jan 1 00:00:00 2025 GMT
```

If the certificate is expired or nearing expiration, create a new one in the Apple Developer portal.

If using APNs authentication keys (recommended over certificates), check their configuration:
1. Access Apple Developer Account Keys:
- Go to Certificates, Identifiers & Profiles → Keys
- Find your APNs authentication key
2. Verify key details:
- Key ID (10-character identifier)
- Team ID (from your Apple Developer account)
- Ensure "Apple Push Notifications service (APNs)" is enabled
3. Check Firebase configuration:
- In Firebase Console, go to Project Settings → Cloud Messaging
- Verify APNs authentication key is uploaded
- Check Key ID and Team ID match Apple Developer portal

```javascript
// When using Firebase Admin SDK with APNs auth key
// initializeApp() takes no APNs options: the .p8 key, Key ID and Team ID are
// uploaded in the Firebase Console, and Firebase presents them to APNs.
const admin = require('firebase-admin');

admin.initializeApp({
  credential: admin.credential.applicationDefault()
});

// APNs headers are set per message, in the message's `apns` field
const apnsConfig = {
  headers: {
    'apns-topic': 'com.yourcompany.yourapp' // Your app bundle ID
  }
};
```

Ensure the private key is correctly formatted (PEM format without passphrase).

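The PEM requirement above can be checked before the key is uploaded or loaded from an environment variable. This is an added example, not code from the Firebase SDK; `checkApnsAuthKey` is a hypothetical helper, and it assumes the Team ID is 10 alphanumeric characters like the Key ID.

```javascript
const crypto = require('node:crypto');

// Returns a list of problems found in an APNs auth key (.p8) and its IDs.
// An empty list means the key is an unencrypted PKCS#8 EC P-256 private key.
function checkApnsAuthKey(pem, keyId, teamId) {
  const problems = [];
  if (!/^[A-Za-z0-9]{10}$/.test(keyId)) {
    problems.push('Key ID is not 10 alphanumeric characters');
  }
  // Assumption: Team IDs have the same 10-character shape as Key IDs
  if (!/^[A-Za-z0-9]{10}$/.test(teamId)) {
    problems.push('Team ID is not 10 alphanumeric characters');
  }
  // A key pasted into an env var often arrives with backslash-n instead of
  // real line breaks, which makes the PEM unparseable
  if (pem.includes('\\n')) {
    problems.push('key contains escaped newlines (literal backslash-n)');
    return problems;
  }
  if (pem.includes('ENCRYPTED PRIVATE KEY')) {
    problems.push('key is passphrase-protected');
    return problems;
  }
  if (!pem.includes('-----BEGIN PRIVATE KEY-----')) {
    problems.push('missing PKCS#8 "BEGIN PRIVATE KEY" header');
    return problems;
  }
  let key;
  try {
    key = crypto.createPrivateKey({ key: pem, format: 'pem' });
  } catch (err) {
    problems.push('key does not parse: ' + err.message);
    return problems;
  }
  if (key.asymmetricKeyType !== 'ec' ||
      key.asymmetricKeyDetails.namedCurve !== 'prime256v1') {
    problems.push('key is not an EC P-256 key');
  }
  return problems;
}
```
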
For web push notifications, verify your VAPID (Voluntary Application Server Identification) keys:
1. Generate or retrieve VAPID keys:

```bash
# Generate new VAPID keys using web-push library
npx web-push generate-vapid-keys
# Output:
# Public Key: BP4z9Ks... (base64 URL safe)
# Private Key: M12n... (keep this secret!)
```

2. Configure in Firebase Console:
- Go to Project Settings → Cloud Messaging → Web configuration
- Add your VAPID public key
- Ensure it matches the key used in your web app
3. Verify in your web application:
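
```javascript
// Convert the base64url public key to the byte array the Push API expects
function urlBase64ToUint8Array(base64String) {
  const padding = '='.repeat((4 - (base64String.length % 4)) % 4);
  const base64 = (base64String + padding).replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
}

// In your service worker registration
const registration = await navigator.serviceWorker.register('/sw.js');
// Get subscription with VAPID public key
const subscription = await registration.pushManager.subscribe({
  userVisibleOnly: true,
  applicationServerKey: urlBase64ToUint8Array('BP4z9Ks...') // Your public key
});
```

4. Check Firebase Admin SDK configuration:

```javascript
const admin = require('firebase-admin');

// initializeApp() has no VAPID option: the Admin SDK authenticates with the
// service-account credential only. The VAPID public key is configured in the
// Firebase Console and supplied by the web client when it subscribes.
admin.initializeApp({
  credential: admin.credential.applicationDefault()
});
```

If keys are invalid, generate new ones and update both Firebase Console and your application.
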
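To confirm that a VAPID public key is well formed and matches the private key held server-side, the check below decodes both and derives the public key from the private one. It is an added example, not part of the original page or of any Firebase SDK; `checkVapidKeys` and `isP256Point` are hypothetical helper names.

```javascript
const crypto = require('node:crypto');

// True if the 65-byte buffer is a point on P-256. computeSecret() rejects
// points that are not on the curve.
function isP256Point(pub) {
  const probe = crypto.createECDH('prime256v1');
  probe.generateKeys();
  try {
    probe.computeSecret(pub);
    return true;
  } catch (err) {
    return false;
  }
}

// Validates a VAPID public key and, when the private key is supplied, that
// the two belong together. Both are unpadded base64url strings, the format
// printed by `npx web-push generate-vapid-keys`.
function checkVapidKeys(publicKey, privateKey) {
  if (!/^[A-Za-z0-9_-]+$/.test(publicKey)) {
    return { ok: false, reason: 'public key is not unpadded base64url' };
  }
  const pub = Buffer.from(publicKey, 'base64url');
  if (pub.length !== 65 || pub[0] !== 0x04) {
    return { ok: false, reason: 'public key is not a 65-byte uncompressed point' };
  }
  if (!isP256Point(pub)) {
    return { ok: false, reason: 'public key is not on the P-256 curve' };
  }
  if (privateKey === undefined) {
    return { ok: true, reason: 'public key is well formed' };
  }
  const ecdh = crypto.createECDH('prime256v1');
  try {
    ecdh.setPrivateKey(Buffer.from(privateKey, 'base64url'));
  } catch (err) {
    return { ok: false, reason: 'private key is not a valid P-256 scalar' };
  }
  if (!ecdh.getPublicKey().equals(pub)) {
    return { ok: false, reason: 'private key does not match public key' };
  }
  return { ok: true, reason: 'key pair matches' };
}
```

Run it with the private key only on the server or in CI, where the private key already lives; in the browser only the public-key check applies.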
Ensure proper credentials are uploaded to Firebase Console:
1. For APNs Certificate:
- Export certificate as .p12 file from Keychain Access
- Go to Firebase Console → Project Settings → Cloud Messaging
- Under "iOS app configuration", upload the .p12 file
- Enter the certificate password
2. For APNs Authentication Key:
- Download .p8 file from Apple Developer portal
- In Firebase Console, select "Authentication Key"
- Upload the .p8 file
- Enter Key ID and Team ID
3. For Web Push:
- Add VAPID public key in Web Configuration section
- No private key upload needed (keep it server-side)
4. Verify environment:
- Development vs Production credentials
- Use development credentials for debug builds
- Use production credentials for App Store/TestFlight builds

```javascript
// Test credential validation with a simple message
const admin = require('firebase-admin');

async function testCredentials() {
  try {
    const testMessage = {
      token: 'test_token', // Use a valid test token
      notification: {
        title: 'Test',
        body: 'Testing credentials'
      },
      apns: {
        payload: {
          aps: {
            alert: {
              title: 'Test',
              body: 'Testing APNs credentials'
            }
          }
        }
      }
    };
    const response = await admin.messaging().send(testMessage);
    console.log('Credentials test successful:', response);
  } catch (error) {
    console.error('Credentials test failed:', error.message);
    console.error('Full error:', error);
  }
}
```

Verify there are no environment or configuration mismatches:
1. Development vs Production mismatch:
- Development builds must use development credentials
- Production builds must use production credentials
- Check your Xcode project settings and build configurations
2. Bundle ID verification:

```javascript
// Ensure bundle ID matches in all places
const correctBundleId = 'com.yourcompany.yourapp';

// In Firebase Console, check:
// - iOS app configuration bundle ID
// - APNs certificate bundle ID
// - Xcode project bundle identifier

// In Admin SDK configuration:
const apnsConfig = {
  headers: {
    'apns-topic': correctBundleId // Must match exactly
  }
};
```

3. Firebase project linking:
- Ensure your Firebase project is linked to correct Apple Developer account
- Verify Team ID consistency across all configurations
- Check that the Apple Developer account has push notifications enabled
4. Credential file integrity:
- Download and re-upload credentials to ensure no corruption
- Verify file formats (.p12, .p8, .pem)
- Check for special characters or encoding issues in private keys
5. Firebase Admin SDK version:
- Update to latest Firebase Admin SDK
- Check for known issues with credential handling

```bash
npm update firebase-admin
```

### APNs Certificate vs Authentication Key
Certificates (Legacy Method):
- Valid for 1 year, requires annual renewal
- Two types: Development and Production
- Must be uploaded as .p12 file with password
- Simpler to set up but less flexible
Authentication Keys (Recommended):
- No expiration (but can be revoked)
- Single key works for both development and production
- More secure, can be revoked without affecting other apps
- Requires Key ID and Team ID configuration
### Migration Considerations
From Certificate to Authentication Key:
1. Create new APNs key in Apple Developer portal
2. Download .p8 file immediately (can't be retrieved later)
3. Update Firebase Console configuration
4. Update server-side configuration (Admin SDK)
5. Both methods can work simultaneously during transition
Certificate Renewal Process:
1. Create new certificate before old one expires
2. Download and upload to Firebase Console
3. Update server configurations if using certificate directly
4. Keep old certificate active until new one is verified
5. Monitor for delivery failures during transition
### Web Push Specifics
VAPID Key Best Practices:
- Generate unique keys per environment (dev/staging/prod)
- Store private key securely (environment variables, secret manager)
- Public key is safe to expose in client code
- Regenerate keys if compromised or during security audits
Browser Compatibility:
- Different browsers may have varying VAPID requirements
- Test with Chrome, Firefox, Safari, Edge
- Some browsers require specific VAPID key formats
### Debugging and Monitoring
Enable Detailed Logging:
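
```javascript
// firebase-admin exposes no admin.logger; log the error code and full error where send() is called
const admin = require('firebase-admin');

async function sendWithLogging(message) {
  try {
    return await admin.messaging().send(message);
  } catch (error) {
    console.error('FCM send failed:', error.code, error.message);
    throw error;
  }
}
```

Monitor Delivery Metrics: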
- Use Firebase Console → Cloud Messaging → Analytics
- Check platform-specific delivery rates
- Set up alerts for authentication failures
- Monitor certificate expiration dates
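
An alert for authentication failures can be driven from send results by separating credential errors, which need an operator, from dead-token errors, which only need the token pruned. This is an added example, not code from the original page; `triageBatch` and the `{ token, platform }` target records are assumptions, and the sample response is constructed in the shape returned by `admin.messaging().sendEach()`.

```javascript
// Admin SDK (Node.js) error codes used for triage
const AUTH_ERROR = 'messaging/third-party-auth-error';
const STALE_TOKEN_ERROR = 'messaging/registration-token-not-registered';

// Triage a BatchResponse-shaped result. targets[i] describes the recipient
// of message i: { token, platform } (assumed bookkeeping kept by the caller).
function triageBatch(batchResponse, targets) {
  const authFailures = {}; // platform -> number of credential failures
  const staleTokens = [];  // tokens that can be pruned
  const other = [];        // everything else, kept for inspection
  batchResponse.responses.forEach((res, i) => {
    if (res.success) return;
    const code = res.error && res.error.code;
    const { token, platform } = targets[i];
    if (code === AUTH_ERROR) {
      // Credential problem: the token itself is fine, so never prune it
      authFailures[platform] = (authFailures[platform] || 0) + 1;
    } else if (code === STALE_TOKEN_ERROR) {
      staleTokens.push(token);
    } else {
      other.push({ token, code });
    }
  });
  const alert = Object.keys(authFailures).length > 0;
  return { authFailures, staleTokens, other, alert };
}

// Constructed sample: two iOS sends rejected for credentials, one dead web token
const sampleTargets = [
  { token: 'ios-token-1', platform: 'ios' },
  { token: 'ios-token-2', platform: 'ios' },
  { token: 'web-token-1', platform: 'web' },
  { token: 'android-token-1', platform: 'android' },
];
const sampleResponse = {
  successCount: 1,
  failureCount: 3,
  responses: [
    { success: false, error: { code: AUTH_ERROR } },
    { success: false, error: { code: AUTH_ERROR } },
    { success: false, error: { code: STALE_TOKEN_ERROR } },
    { success: true, messageId: 'constructed-message-id' },
  ],
};

console.log(triageBatch(sampleResponse, sampleTargets));
```
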
Testing Strategies:
1. Test with development credentials first
2. Verify with a small subset of devices
3. Use dryRun mode for validation
4. Implement gradual rollout for credential changes
### Security Considerations
- Never commit certificate files or private keys to version control
- Use environment variables or secret management services
- Implement key rotation policies
- Monitor for unauthorized credential usage
- Set up alerts for authentication failures