VAPID Keys for Push Notifications
Generate a secure VAPID key pair for web push notifications. Keys are created in your browser and never leave your device.
This tool generates keys client-side using WebCrypto. Store keys securely in your backend for production use.
Web Push Developer Tools
Free tools to help you get started with web push notifications.
VAPID Keys for Push Notifications
Generate a secure VAPID key pair for web push notifications.
Web Push Test for PWA & Websites
Test web-push notifications in your browser without any setup.
What are VAPID Keys?
VAPID (Voluntary Application Server Identification) is a protocol that allows your application server to identify itself to push services when sending web push notifications.
VAPID keys are a public-private key pair used to authenticate your server with push services like Firebase Cloud Messaging (FCM), Apple Push Notification service, and others. They ensure that only authorized servers can send push notifications to your users.
Public Key
Shared with the browser when a user subscribes to push notifications. It identifies your application to the push service and is included in the subscription object.
Private Key
Kept secret on your server. Used to sign requests when sending push notifications, proving that the requests come from your authorized application server.
Why VAPID Keys are Required
- Authenticates your server with push services, preventing unauthorized notifications
- Required by most modern push services including FCM and browser vendors
- Provides a secure way to identify your application without sharing credentials
- Enables push services to contact you if there are issues with your notifications
Security Note: Store your private key securely on your backend server. Never expose it in client-side code or public repositories. The keys generated on this page are created entirely in your browser and never leave this page.
VAPID Key Questions
Common questions about generating and using VAPID keys for web push notifications.
What are VAPID keys used for?
VAPID keys authenticate your application server with browser push services like FCM and Mozilla's autopush. The public key is shared with the browser during subscription, and the private key signs each push request so the push service can verify the sender.
How do I generate VAPID keys?
Use the generator above to create a key pair instantly in your browser. You can also generate them with the web-push npm package or any library that supports the ECDSA P-256 curve. The output is a Base64-URL-encoded public key and a matching private key.
Are VAPID keys the same as API keys?
No. API keys are symmetric secrets shared between your app and a service. VAPID keys are an asymmetric key pair based on elliptic-curve cryptography. The public key identifies your server, while the private key proves ownership without ever being shared.
Do I need new VAPID keys for each app?
You can reuse one VAPID key pair across multiple apps, but most teams generate a separate pair per project. Using distinct keys makes it easier to rotate credentials and isolate push traffic if an issue occurs.
Learn more about Web Push & VAPID
VAPID (Voluntary Application Server Identification) authenticates your server with push services. These links cover the fundamentals and best practices.
Web Push Notifications Service
MagicBell can have you sending web push notifications in minutes.