How to trigger push notification from device?


I don’t really get the concept of triggering a push notification directly from the app :confused:

My goal is to trigger push notifications directly from the devices that run my app.
For example, if a user creates a new “event”, all other users should get a notification.

My questions are:

  • What is the best way to trigger push notification directly from the app?
  • Is it possible to use the push api directly from the app?
  • What is the concept of using another backend server that communicates with the push api?

I’m using Firebase as the data backend.

Thanks a lot,

1 Like

I could be wrong, but since Firebase is a JSON data store and not a server, you probably won’t be able to make POST requests via the Ionic Push API. Read the Sending Push doc for reference about how to use the Push API.

That means you might need to build a Node server hosted it on Heroku that’s wired up with your Ionic app in order to send POST requests on a user triggered action.

I have been using, which is a service that has recipes for APIs. So if you connect your Firebase account, you might be able to use Parse or Pushwoosh or another push notification service to trigger push notifications. I haven’t been able to successfully do this myself, but it might be worth exploration.

Meanwhile, I just trigger the push by using an http request to the Ionic Push API directly from the device.
Angular $http docs

It’s working fine - how come, this is not a common solution?
Is anything wrong with that solution?
I don’t see the point of having another server in between?

1 Like

I mean, that’s great. I’m actually trying to figure out how to do the same thing. Would you be able to post your code and comments on how you accomplished it? has a rest API you can use to create push notifications.
You can use Angular’s $http method to create requests against
Here is an example you could use.
$'', { "user_ids": ["Your", "user", "ids"], "notification": { "alert":"Hello World!" } }, {"headers" : {"X-Ionic-Application-Id": "<APP_ID>", "Authorization": "Basic <PRIVATE_KEY>"}});
This has not been tested as I don’t use, but its a start for you.

I would have to recommend against this, as if someone looks through our app’s source code, they will be able to push notifications using your service, to your users, through your app.

1 Like

This is super helpful. Thank you @EffakT!

What I would suggest, is creating an intermediary server, that the your app posts to. This server then is the one that communicates with Therefore your App ID and Private Key is secure.
This still poses a threat though, so you need to check if the request was made with Ajax before handling the content and pushing it to (this will stop people creating a server to submit, they will have to do it using Ajax aswell. You can also reply with a fake success if its not Ajax, the hacker would then believe it was successful).
You can also log the information, and IP of the user submitting it in a database of some sort, then if your app gets hacked, you then have the IP, and information to block from submitting push notifications.

Thanks again for your comments. I was able to successfully send a push notification through the dashboard today, tomorrow I will try your $ function and see if that works.

Regarding reading through the app’s source code—if the github repo is private and because the app is complied to a native build for iOS and released through the App Store, how would a person get to the source code? It’s not the same as a web browser where a person can open their console and inspector and see all of the code on the client.

This makes me think that perhaps an intermediary server is overkill for a developer who is making an app for a smaller audience.

Would love your thoughts.

You can never be too safe.
I’m not sure about IOS.
But with android, you can download an APK from the play store, export the compressed APK file, and view the HTML, JS, CSS source of the application.

I would suggest researching as to whether you can do this with IPA files in the App Store.

1 Like

So, here’s the answer:

Unbeknownst to many PhoneGap/Cordova developers, the HTML/JavaScript/CSS assets that make up your mobile app are not compiled or otherwise obfuscated when the final app package is built. Unlike the true native bits of the app (i.e. the Cordova framework and custom plugins), which do get compiled into byte code, the core HTML5 assets exist, as they are delivered, inside the app package.


I’m going to figure out if I can use something like Telerik’s Cloud Functions to return the API keys.

Here’s a related thread on obfuscating secret keys for services like Firebase: App security: Store Api secret key for using remote REST service

Thanks again for the heads up.

Regarding your example, just want to note for others reading this that instead of “user_ids”, which is for users registered through your Ionic Users service, you could use “tokens” to target device tokens.

Here is an example you could use.
$‘’, {
“user_ids”: [“Your”, “user”, “ids”],
“notification”: {
“alert”:“Hello World!”
}, {“headers” : {“X-Ionic-Application-Id”: “<APP_ID>”, “Authorization”: “Basic <PRIVATE_KEY>”}});

Also, for another example of an Angular push via the API:

Hey guys,
thanks for your feedback so far!
I am actually using the exact code posted by @EffakT.
The security issue is probably a contra, but on the other hand - will it not be the same by using an intermediate server? There has to be an authentication somehow in either way, which would be accessible through the source code? Or how would it be safer to authenticate with the intermediate server instead of the ionic one?

If you authenticate in the frontend, the user has a possibility of finding all your authentication informtaion. Running it server side, your information is protected by the back end (its never displayed in code the user can find), Server Side also means you can log the hacker’s information. Although, you might run into CORS (Cross-Origin Resource Sharing) issues (I am unable to test this, so if anyone can shed light if blocks CORS).

Hi there,

If you want the app to trigger a notification on the same device, then you should be looking at the local notification plugin here:

If you want the app to trigger a push notification on somebody else’s device then check out my response to this post: Push notifications problem as of february 2016 new problem because of updating

If you look at my code in that post reply you will see that I send the Google Cloud Messaging ID along with device information … etc to my RESTful API … which is Firebase in your case. ( I use custom API written with NodeJS and ExpressJS). The RESTful API takes care of delivering the appropriate message to the appropriate user(s)

If you authenticate in the frontend, the user has a possibility of finding all your authentication informtaion. Running it server side, your information is protected by the back end (its never displayed in code the user can find), Server Side also means you can log the hacker’s information.

I think I’m still not getting the advantage :disappointed:
If I set up my own backend - doesn’t that mean I should also have some authentication between the device and this (my own) backend? As a result I will have authentication between the device and my backend and then my backend authenticates with the ionic push backend. Otherwise I will just expose my own backend to everybody?