Targeting Specific Users with Web Push Notifications

Pushpad allows you to send web push notifications directly to specific users or groups of users.
This is especially useful for websites and web applications where users sign up or log in, and where transactional notifications need to be sent via the API.

Associating a User ID

When a user subscribes to your web push notifications, you can attach a User ID (uid) to that subscription.
Once set, notifications can be sent to all browsers associated with that uid.

  • You can update the user ID at any time.
  • Each subscription can only have one user ID at a time.
  • When the user logs out, you can remove the associated user ID.

This setup ensures that notifications are sent to the correct individual without requiring data synchronization between your system and Pushpad.

Security with Signatures

To prevent impersonation, Pushpad uses HMAC-SHA256 signatures by default.
The signature ensures that only authorized systems can associate a user ID with a browser subscription.

  • Always generate signatures using restricted-access tokens for security.
  • Signatures are only checked before setting the user ID.
  • Once set, user IDs can be removed or tags altered without a signature.

Sending Notifications

Once user IDs are associated with subscriptions:

  • You can target one user for direct notifications.
  • You can target groups of users (thousands at once) in a single API call.
  • If a user has multiple browsers, all of them will receive the notification.
  • If a user is not subscribed, they are simply ignored.

This makes user targeting both efficient and scalable.

Disabling Signature Verification

If you prefer not to generate signatures:

  1. You can disable signature verification in the project settings.
  2. Use long, random tokens or UUIDs as user IDs for security.
  3. Avoid predictable IDs like usernames or numeric database IDs.
  4. You can revoke a user's notifications by changing their token in the database.

Disabling signatures can be acceptable for general marketing notifications, but it is not recommended for sensitive or personal notifications.

Checking Subscription Status

There are several ways to verify if a user is subscribed:

  • On the website, use the Pushpad SDK’s status check to detect if the current browser receives notifications.
  • When sending notifications, check the API response for the list of users who actually received it.
  • Use the dashboard or API to retrieve subscriptions for a specific user ID.

Key Takeaways

  • User IDs make it easy to send targeted, secure, and efficient notifications.
  • Signatures prevent unauthorized subscriptions.
  • Random tokens should be used when signature verification is disabled.
  • Pushpad handles scaling so you can reach thousands of users with a single API call.

With the right setup, you can ensure your push notifications are relevant, secure, and effective.