Reputation: 1660
I'm currently developing server-side support for sending iOS push messages (the server's in Java if that's relevant). Apple developer documentation "Communicating with APNs" claims that one can either use a certificate or a JWT token that is just inserted into the header if HTTP/2 protocol is used. Again, as far as I understood certificates should be manually renewed every year (which seems error-prone to me) while JWTs have all the parts to be regenerated automatically over indefinitely long periods (or not?). If that's the case, I'd definitely want to try using JWT.
Now, having zero experience with iOS development, no registration in iOS dev program and even no iOS devices, I have a hard time understanding how exactly to concoct the correct JWT. Namely, I don't get what are
In the last sentence I don't understand what this private key is.
iOS developers I'm working with are not very enthusiastic about researching this topic, having given me the p12 certificate the way they always had done in the past. So, if I could point them to the right place (preferably pictures or working "paths") saying "send me this and this", my problem will hopefully be solved. If any of these are not readily available in any developer's account and should be arrived at by some process, I'm afraid I'll need these instructions as well (a working reference to docs or your own description would be perfect).
I would be very grateful if you could confirm my assumptions about JWT in general and clarify the missing details to me.
Upvotes: 2
Views: 2786
Reputation: 115041
The Key ID and Key is obtained from the Apple Developer account portal. The process is described in the Xcode help and can be found by searching the help for “Configure push notifications”.
You create a new Push Notification Authentication key in the Developer portal:
Go to Certificates, Identifiers & Profiles, and under Certificates, select All or APNs Auth Key.
Click the Add button (+) in the upper-right corner.
Under Production, select the “Apple Push Notification Authentication Key (Sandbox & Production)” checkbox, and click Continue.
Once you click Continue, you will see the following screen:
The Key ID is the KID referred to in the documentation, and when you click Download you will get the private key that is associated with this key ID.
You can use this to generate the token, which is a JSON document with the following format:
{
"alg": "ES256",
"kid": "ABC123DEFG"
}
{
"iss": "DEF123GHIJ",
"iat": 1437179036
}
where kid is the Key ID and iss the team identifier, also from the Developer portal. iat is the issued at time for this token, which is the number of seconds since Epoch, in UTC.
After you create the token, you must sign it with the private key that was downloaded from the portal when the kid was generated. You must then encrypt the token using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm.
To ensure security, APNs requires new tokens to be generated periodically. A new token has an updated issued at claim key, whose value indicates the time the token was generated. If the timestamp for token issue is not within the last hour, APNs rejects subsequent push messages, returning an ExpiredProviderToken (403) error.
Upvotes: 4
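The token construction the answer describes, as an added example that is not part of the question or the answer above. It is written in Go with only the standard library so that it runs as-is; the key file it loads is a constructed stand-in (a freshly generated P-256 key written as PKCS#8 PEM, the same format as the .p8 file the portal gives you), and the Key ID and Team ID are the placeholder values from the answer, not real identifiers. The verify step mimics what APNs does on receipt, and the freshness check applies the one-hour rule from the answer's last paragraph.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// constructedP8 is a stand-in for the AuthKey_<KEYID>.p8 file downloaded from the portal:
// a freshly generated P-256 key written as PKCS#8 PEM, which is what the real file contains.
func constructedP8() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// loadAPNsKey parses the .p8 file and insists on a P-256 key, the only curve ES256 allows.
func loadAPNsKey(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block in key file")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*ecdsa.PrivateKey)
	if !ok || key.Curve != elliptic.P256() {
		return nil, errors.New("key is not an ECDSA P-256 private key")
	}
	return key, nil
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// makeProviderToken builds {"alg":"ES256","kid":...} . {"iss":...,"iat":...} and signs it.
func makeProviderToken(key *ecdsa.PrivateKey, kid, teamID string, issuedAt time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": teamID, "iat": issuedAt.Unix()})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput)) // ES256: ECDSA over SHA-256 of header.claims
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// A JWS ES256 signature is the raw R||S pair (32 bytes each), not the ASN.1 DER that
	// most ECDSA APIs emit by default; sending DER here yields a token APNs rejects.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// verifyProviderToken checks the ES256 signature the way the receiver would and returns the claims.
func verifyProviderToken(token string, pub *ecdsa.PublicKey) (kid, iss string, iat int64, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", 0, errors.New("token must have three segments")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", "", 0, errors.New("signature is not a raw 64-byte R||S value")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", "", 0, errors.New("bad signature")
	}
	var h struct{ Alg, Kid string }
	var c struct {
		Iss string
		Iat int64
	}
	hb, _ := base64.RawURLEncoding.DecodeString(parts[0])
	cb, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil || h.Alg != "ES256" {
		return "", "", 0, errors.New("malformed header or claims")
	}
	return h.Kid, c.Iss, c.Iat, nil
}

// tokenIsFresh applies the rule from the answer: an iat not within the last hour is rejected
// with ExpiredProviderToken (403), so the sender should regenerate before that.
func tokenIsFresh(iat int64, now time.Time) bool {
	age := now.Unix() - iat
	return age >= 0 && age < 3600
}

func main() {
	pemBytes, _ := constructedP8()
	key, err := loadAPNsKey(pemBytes)
	if err != nil {
		panic(err)
	}
	tok, _ := makeProviderToken(key, "ABC123DEFG", "DEF123GHIJ", time.Now()) // placeholder IDs
	kid, iss, iat, err := verifyProviderToken(tok, &key.PublicKey)
	fmt.Println(tok)
	fmt.Println(kid, iss, iat, err, "fresh:", tokenIsFresh(iat, time.Now()))
}
```

The same structure carries over to Java: the .p8 file is read with a PKCS8EncodedKeySpec and an "EC" KeyFactory, the header and claims are base64url-encoded without padding, and the one gotcha is that Java's SHA256withECDSA signature returns ASN.1 DER, which has to be converted to the raw 64-byte R||S form (or a JWT library that does this for you is used) before APNs will accept the token.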