How to verify FCM registration token on server?

Question

I got my Firebase Cloud Messaging registration token for web push. And I sent this to my server to save in database for later push. But how can I verify this token is valid or fake?

I have tried this but I think this is for Auth tokens not for web push.

Someone else can send request of a random fake token to my server. I want to prevent this before save in db.

Edit: It's solved and I wrote a simple class to use FCM for web push quickly. https://github.com/emretekince/fcm-web-push

Answer 1

With go and adminsdk account credential

ctx := context.Background()
opt := option.WithCredentialsJSON([]byte(credential))
app, err := firebase.NewApp(ctx, nil, opt)
if err != nil {
    t.Error(err)
}

msg := &messaging.Message{
    Notification: &messaging.Notification{
        Title: "Hi",
        Body:  fmt.Sprintf("Welcome at %d", time.Now().Unix()),
    },
    Token: pushToken,
}

fcmClient, err := app.Messaging(ctx)
run, err := fcmClient.SendDryRun(ctx, msg)
if err != nil {
    t.Error(err)
}
fmt.Println(run)

Answer 2

Using Node Admin SDK

If anyone using firebase Admin SDK for node.js, there is no need to manually send the request using the server_key explicitly. Admin SDK provide sending dry_run push message to verify the fcm_token.

function verifyFCMToken (fcmToken) => {
    return admin.messaging().send({
        token: fcmToken
    }, true)
}

Use this method like following

verifyFCMToken("YOUR_FCM_TOKEN_HERE")
.then(result => {
    // YOUR TOKEN IS VALID
})
.catch(err => {
    // YOUR TOKEN IS INVALID
})

Using Java Admin SDK

You can use following function

public Boolean isValidFCMToken(String fcmToken) {
        Message message = Message.builder().setToken(fcmToken).build();
        try {
            FirebaseMessaging.getInstance().send(message);
            return true;
        } catch (FirebaseMessagingException fme) {
            logger.error("Firebase token verification exception", fme);
            return false;
        }
    }

Answer 3

You can refer to doc for using HTTP v1 of the firebase endpoint URL

After that, you could use this request body with "validate_only": true for testing the request without actually delivering the message.

{
    "validate_only": true,
    "message": {
        "token": "your fcm token"
    }
}

Answer 4

According to the docs, you can use validate_only for testing the request without actually delivering the message.

https://firebase.google.com/docs/reference/fcm/rest/v1/projects.messages/send

Answer 5

One way is to send a message with the dry_run option = true, as is described by AL. in the other answer.

Another way is to use the InstanceId server API:
https://developers.google.com/instance-id/reference/server

Answer 6

When sending to an invalid registration token, you'll should receive 200 + error:InvalidRegistration:

Check the format of the registration token you pass to the server. Make sure it matches the registration token the client app receives from registering with Firebase Notifications. Do not truncate or add additional characters.

This is the response when you try to send a simple cURL request where the registration token is just randomly made:

curl --header "Authorization: key=$[your_server_key_here]" \
       --header Content-Type:"application/json" \
       https://fcm.googleapis.com/fcm/send \
       -d "{\"registration_ids\":[\"ABC\"]}"

Notice that I added in "ABC", in the registration_ids parameter. If ever it is a valid registration token, but is not associated to your project, you'll probably receive 200 + error:NotRegistered.

You can try sending a test message from your server to see the response without sending an actual message towards the device by using the dry_run parameter:

This parameter, when set to true, allows developers to test a request without actually sending a message.