Custom Push Notifications: allowed user api push urls

I am keen to do some modifications to the Discourse Mobile app to get push notifications working for our self-hosted installation of Discourse, particularly on iOS. From reading the What if I want to white-label the Discourse Mobile apps? thread, it seems that I would need to configure the allowed user api push urls setting to a URL which can receive the notifications, and then re-publish the notification, for example, to the Apple Push Notification Service.

I had a few questions about the notifications:

  1. Is there any information about the format of the request which would be sent to the URL defined in the allowed user api push urls setting, and capabilities required on that server to receive the request?

  2. Does each user need to opt-in for push notifications, for the notifications to be sent to the on-forwarding server (defined in the URL above)? The only setting I could find was Enable Push Notifications in the user profile, but below the button it talks about having to change that setting on every browser…which is a bit confusing, since the notifications would be sent to an app rather than a browser, so I am not sure what that means? Also, when I click the button nothing happens - and it says Permission Denied in the console as I blocked browser notifcations, but again I am unsure how that is relevant to push notifications (and different from the Desktop Notifications setting further up in the user settings).

EDIT: I also just noticed that Enable Push Notifications is not present in my self-hosted installation of Discourse, only in my meta account (hosted installation).


1 Like

I did a bit of trawling through the Discourse source code, and found the following in the post_alerter.rb file:

This adds another question to the list above: does each user who wants to opt-in for push notifications need a user-based API key?

I am still not sure about the workflow of how a user would start an iOS app, agree to receive push notifications, and then all the stuff on the backend of Discourse happens to allow the push notifications for that user.

Perhaps @sam could advise about how this works with the Discourse Mobile app and the hosted installations of Discourse?


When you create your user api key and “approve” the app to read access, push access is implied. This can be controlled by your mobile phone anyway cause you can later on disallow push notifications.

You are going to have to look at the tests and try it out yourself, totally open to having some public information out there, so go ahead and draft a topic!

1 Like

Thanks for the info @sam

Okay, so I am still a bit confused here…

  1. Am I correct that users cannot create their own API keys? Does that mean an admin would have to create the keys for each individual user who wants push? I am guessing this is not the case, since Discourse hosted instances provide push (in fact, I got a push notification to my iPhone for your reply to this thread) and you are probably not setting up the keys for each individual user!

  2. What is the sequence of events for creating the user API key and approving the app? I have created an API key for my own user, and then logged into Discourse Mobile and authorized my phone (so it appears under “Apps” in my user profile). Is that it? I am a bit confused about when the user API key comes into play / is used?

  3. Is the allowed user api push urls setting the only place I need to specify the URL to which notifications should be pushed, or is that somehow worked into the user API key?

More than happy to, once I get my head around this myself :slight_smile:

1 Like

No that is 100% incorrect.

api keys and user api keys are two completely different things, see (which may need a bit of updating):

see: read to end of file.

No, it needs to be hardcoded here as well:


Righto, I am now starting to understand.

So am I correct in saying that when a user logs into the Discourse Mobile app, and goes through the authorisation screen (to authorise the Discourse Mobile app / device to their Discourse account), it automatically creates a user API key for the Discourse Mobile app - as the app is displayed in the “Apps” section of the user’s profile page?

Is there any way to set that through the UI at the moment, or must it be hardcoded? If it must be hardcoded, a totally basic question for you - how can I get that into my production instance?

I also noticed in site_manager.js that the scopes does not include push by default.

…which concurs with what is displayed in the “Apps” section of my profile page:

  • Read and clear notifications
  • Read user session info

Do I also need to hardcode in the push scope?

I am not following your question at all, I linked to source code for the mobile app you are planning on re-branding…

You are looking at the source code for the mobile application that is shipped…

read and clear notifications implies push

Sorry, my bad. I have been looking at the Discourse source code all morning and I didn’t notice that was the mobile app. Makes far more sense now :slight_smile:

One last thing. With the allowed user api push urls in the Discourse settings, I am guessing that’s a way to allow the Discourse admin to control/limit where pushes can be sent regardless of what an external app registered? I also assume that needs to be the full URL for the push destination (e.g.

Thanks for the advice, will report back with how it goes and look at writing-up a howto (assuming it goes well).

Correct, that is the point, end users have only limited control over where push notifications go. This is required for security, cause a rogue app could then make you leak information without you knowing it.

1 Like

Thanks @sam. Appreciate your help :slight_smile:


@skoota Just stumbled upon this. I am trying to do something similar for our own discourse. Were you able to get push notifications working?

I’m also interested in that. Is it possible to set this notification at the same time as sending an email with this notification to the person concerned?

1 Like