[GH-ISSUE #1663] Firefox Web Push: unexpected response (response_code=401) #1161

Open
opened 2026-05-07 00:30:42 +02:00 by BreizhHardware · 2 comments

Originally created by @moll on GitHub (Mar 18, 2026).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1663

Hey,

Thanks for making Ntfy open-source and maintaining it.

I'm seeing the Web Push notifications failing on Firefox and haven't managed to track down why it happens. Maybe you've seen the same or know where to look.

First, this is with Ntfy v2.17 on Linux 64-bit with Firefox v148 on a self-hosted instance. Created new web push keys, enabled web push in Ntfy, enabled push in the browser, subscribed to a notification channel, and confirmed that there was a subscription present in the webpush SQLite database. Triggered a notification from another device (the mobile app in this case) and saw its delivery to the web push fail in the logs. After that, as expected, the subscription gets removed from the web push cache as Ntfy probably considers it invalid.

In the logs, slightly anonymized: `DEBUG Unable to publish web push message, unexpected response (message_body_size=125, message_event=message, message_id=ID123, message_sender=1.2.3.4, message_sequence_id=ID123, message_time=1773832676, message_user=u_ATXX, response_code=401, tag=webpush, ..., web_push_subscription_endpoint=https://updates.push.services.mozilla.com/wpush/v2/gAAAAAXXX, web_push_subscription_id=wps_XXX, ...`

The trace log level doesn't log the response body either, so I'm not exactly sure what Mozilla's push service responds with the 401 response code.

After that line there's another warning line, but I presume that's just the debug message bubbling up and causing a 500 in Ntfy: `WARN Unable to publish web push message (error=internal server error: unable to publish web push message, error_code=50004, http_status=500, message_body_size=125, message_event=message, ...)`

I tested it on the hosted instance (https://ntfy.sh) a few minutes ago and there things seem to work. Unless it was something you fixed in the recent versions, though the release notes don't mention anything related to web push.

Checking `about:serviceworkers` on Firefox seems to nicely show the service worker for both my instance and ntfy.sh. One thing that's different from the hosted variant is that I'm running my instance on a non-standard HTTPS port. Without visibility or knowledge on how web push works, could that be the cause of some errors sending the push to Mozilla's service? I am using a WebPKI cert, so self-signed certs aren't involved either.

Thanks in advance!


@nihalgonsalves commented on GitHub (Mar 22, 2026):

I would regenerate the web push keys and double-check whether your origin is set correctly. My first guess would be that the origin doesn't match. For example if you rewrite the origin via a reverse proxy, it won't work.

For web push to work, your ntfy `base-url` and the origin of the site that requests the web push keys have to match. (The origin is basically `https://ntfy.example.com` - protocol, hostname including domain/subdomain, and port number - 443 implied here).
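
The origin comparison described in the comment above, as an added example (not code from ntfy or from the commenter): it reduces the configured `base-url` and the URL the browser shows to scheme, host and port, makes the implied default port explicit, and reports a mismatch. `Origin` and `CheckBaseURL` are hypothetical helper names, and the hostnames and ports are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Ports a browser implies when the URL names none.
var defaultPorts = map[string]string{"http": "80", "https": "443"}

// Origin reduces an absolute URL to scheme://host:port, lower-casing the
// scheme and host and making an implied default port explicit.
func Origin(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	scheme, host, port := strings.ToLower(u.Scheme), strings.ToLower(u.Hostname()), u.Port()
	if port == "" {
		port = defaultPorts[scheme]
	}
	if host == "" || port == "" {
		return "", fmt.Errorf("%q has no host or no known default port", raw)
	}
	return scheme + "://" + net.JoinHostPort(host, port), nil
}

// CheckBaseURL returns nil when the configured base-url and the URL the
// browser shows for the web app share one origin, else an error naming both.
func CheckBaseURL(baseURL, pageURL string) error {
	want, err := Origin(baseURL)
	if err != nil {
		return fmt.Errorf("base-url: %w", err)
	}
	got, err := Origin(pageURL)
	if err != nil {
		return fmt.Errorf("page URL: %w", err)
	}
	if want != got {
		return fmt.Errorf("origin mismatch: base-url is %s, browser sees %s", want, got)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	fmt.Println(CheckBaseURL("https://ntfy.example.com", "https://ntfy.example.com:8443/mytopic"))
	fmt.Println(CheckBaseURL("https://ntfy.example.com:8443", "https://NTFY.example.com:8443/mytopic"))
}
```

A `base-url` without a port compares as port 443, so an instance served on a non-standard HTTPS port only passes when that port is also written in `base-url`.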


@Karotte128 commented on GitHub (Mar 30, 2026):

Same issue on my instance. Tested on Chrome + Safari. The `base-url` is correct. I tried regenerating the keys a few times, did not help.
