[GH-ISSUE #735] OAuth to generate token #535

New issue

Open

opened 2026-05-07 00:25:12 +02:00 by BreizhHardware · 4 comments

BreizhHardware commented 2026-05-07 00:25:12 +02:00

Owner

Copy link

Originally created by @darkdragon-001 on GitHub (May 18, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/735

💡 Idea
It would be great if OAuth was implemented to generate tokens.
The workflow should look as follows:

• App redirects to ntfy web app with special path/query parameters (including redirect URI)
• ntfy asks user to login if not done already
• ntfy asks user to authorize an application (create a token)
• ntfy redirects back to application (using redirect URI) with a generated auth code
• App queries ntfy access token by providing auth code

I suggest to use the "Single-Page Apps" workflow which does not require the app to register and maintain a secret.

💻 Target components
web app

Originally created by @darkdragon-001 on GitHub (May 18, 2023). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/735 :bulb: **Idea** It would be great if OAuth was implemented to generate tokens. The workflow should look as follows: - App redirects to ntfy web app with special path/query parameters (including redirect URI) - ntfy asks user to login if not done already - ntfy asks user to authorize an application (create a token) - ntfy redirects back to application (using redirect URI) with a generated auth code - App queries ntfy access token by providing auth code I suggest to use the ["Single-Page Apps" workflow](https://aaronparecki.com/oauth-2-simplified/#single-page-apps) which does _not_ require the app to register and maintain a secret. :computer: **Target components** web app

BreizhHardware added the

enhancement

server

labels 2026-05-07 00:25:12 +02:00

BreizhHardware commented 2026-05-07 00:25:13 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (May 22, 2023):

1. What s a use case for this?
2. ntfy access tokens are full user tokens, i.e. they do not have permission scope such as "can subscribe to topics" or "can change password". So there's a lot of work regarding this.

<!-- gh-comment-id:1557932985 --> @binwiederhier commented on GitHub (May 22, 2023): 1. What s a use case for this? 2. ntfy access tokens are full user tokens, i.e. they do not have permission scope such as "can subscribe to topics" or "can change password". So there's a lot of work regarding this.

BreizhHardware commented 2026-05-07 00:25:13 +02:00

Author

Owner

Copy link

@darkdragon-001 commented on GitHub (May 23, 2023):

1. This would provide an easy way to share tokens with apps to send notifications to protected accounts.
2. For a first implementation, I think it would be totally fine if only one scope is available (full user scope). Additional scopes can be added later when seen fit.

<!-- gh-comment-id:1558628907 --> @darkdragon-001 commented on GitHub (May 23, 2023): 1. This would provide an easy way to share tokens with apps to send notifications to protected accounts. 2. For a first implementation, I think it would be totally fine if only one scope is available (full user scope). Additional scopes can be added later when seen fit.

BreizhHardware commented 2026-05-07 00:25:13 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (May 23, 2023):

While I don't dismiss the idea entire, I think this is not very high up on my list now. It's a lot of complexity, and right now you're the only requestor. Maybe over time more 👍 will come.

<!-- gh-comment-id:1559861499 --> @binwiederhier commented on GitHub (May 23, 2023): While I don't dismiss the idea entire, I think this is not very high up on my list now. It's a lot of complexity, and right now you're the only requestor. Maybe over time more :+1: will come.

BreizhHardware commented 2026-05-07 00:25:13 +02:00

Author

Owner

Copy link

@caplam commented on GitHub (Feb 6, 2026):

hello,
i'm currently setting up a notification stack with apprise and ntfy (self hosted).
Almost every service i add on my server which needs user authentication goes through authentik.
Oauth would be great but i guess we could use forward auth on the reverse proxy and use a proxy provider in authentik.
of course we still would have to create user locally but at least we could map authentik user with ntfy user.
I'll try to do that when i'm sure to understand how i can route my different notifications to different users/topics

<!-- gh-comment-id:3861738950 --> @caplam commented on GitHub (Feb 6, 2026): hello, i'm currently setting up a notification stack with apprise and ntfy (self hosted). Almost every service i add on my server which needs user authentication goes through authentik. Oauth would be great but i guess we could use forward auth on the reverse proxy and use a proxy provider in authentik. of course we still would have to create user locally but at least we could map authentik user with ntfy user. I'll try to do that when i'm sure to understand how i can route my different notifications to different users/topics

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#535

No description provided.