IBM Push Notifications: Change to API Authentication Type

1 min read

IBM Cloud Push Notifications helps deliver timely and relevant notifications to mobile devices and browsers.

Notifications can be targeted to all application users or to a specific set of users and devices using tags. Insights can be obtained on delivery and receipt of notifications to the targeted users.

IBM Push Notifications offers a rich set of APIs that can be accessed from your backend server applications or client applications to consume some of the capabilities, such as tags, subscriptions, and web hooks.

The Push Notifications APIs are secured using one of the following two methods:

  • clientSecret: The clientSecret protects APIs that are typically started by mobile client applications. The clientSecret is allocated to every service instance at the time of binding an application with Push Notifications service.
  • API Keys: Application programming interface keys (API keys) are available through Cloud IAM for you to use in order to authenticate. These API keys are provided through Cloud IAM.

REST API documentation provides information on the APIs that use clientSecret versus the APIs which use Cloud IAM-based authentication tokens.

Change in authentication type

In order to improve the security for our APIs, we are announcing the change of the authentication type from clientSecret to Cloud IAM based authentication for the following APIs.

  1. GET /apps/{applicationId}/settings/webpushServerKey
  2. GET /apps/{applicationId}/devices 
  3. GET /apps/{applicationId}/messages/{messageId}/deliverystatus 

Note: The three APIs mentioned above currently support the use of both clientSecret as well as IAM-based tokens for authentication. Due to security considerations, we will deprecate the use of clientSecret as an authentication type for these APIs as of August 30, 2020.

Action required

Review your usage of the Push Notification service APIs to check if you are using any of the three APIs mentioned above.

If you are still using clientSecret for authentication with these APIs,  you should immediately move to use IAM-based tokens for authentication as the clientSecret will be removed as an authentication option.

Be the first to hear about news, product updates, and innovation from IBM Cloud