FCM Deprecated Authentication scheme

1,064 views
Skip to first unread message

Ramon Antonio Parada

unread,
Jun 9, 2023, 12:15:22 AM6/9/23
to Firebase Google Group


Since night of jun 7 I'm getting an error when sending some web push notifications. Around half of the notifications work just fine but others when sending the request return an HTTP 401 Unauthorized response with the following error message: "Sender is using deprecated Authentication scheme: unauthenticated" I would like to know what I'm using that is deprecated. I don't know what I'm using that is deprecated. 

I send to the https://fcm.googleapis.com/fcm/send/... endpoint, using GCM authentication and aesgcm content encoding. GCM authentication doesn't seem deprecated. 

The only recent changue I found was this hangue in Chrome "Remove support for Web Push Notifications using FCM Sender IDs" https://chromestatus.com/feature/5187711071158272 but this happened 2 month ago and I don't see the relation.





Ismael Ferrer

unread,
Jun 22, 2023, 8:24:18 AM6/22/23
to Firebase Google Group
I'm having the same problem since day 16. I try to authenticate with this request and authentication is ok.

% curl --header "Authorization: key=$api_key" \                                                                                                                                                                                        ✭
     --header Content-Type:"application/json" \
     https://fcm.googleapis.com/fcm/send \
     -d "{\"registration_ids\":[\"ABC\"]}"
{"multicast_id":5573686350227356174,"success":0,"failure":1,"canonical_ids":0,"results":[{"error":"InvalidRegistration"}]}% 


But if I make this other request the authentication does not work

curl --header "Authorization: key=$api_key" --header Content-Type:"application/json" "https://fcm.googleapis.com/fcm/send/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Sender is using deprecated Authentication scheme: unauthenticated

Do you have some new information about this problem?

Jeffrey Bahr

unread,
Jun 23, 2023, 9:36:04 AM6/23/23
to Firebase Google Group
Google has confirmed that all non-VAPID web pushes for these URLs are now deprecated. It should only represent very old browsers that were launched pre VAPID. I would suggest making your js code subscribe with your server's public key and issuing sends using the VAPID authentication scheme. 
Reply all
Reply to author
Forward
0 new messages