Building a Push Notification Server for Progressive Web Apps

Overview

Progressive Web Apps (PWA) can send push notifications even when the browser is closed, thanks to the Web Push API and Service Workers. This guide covers building a complete push notification system.

Architecture

┌─────────────┐      ┌─────────────┐      ┌─────────────┐
│   Client    │ ───► │   Server    │ ───► │  Push      │
│  (Browser)  │      │  (Your API) │      │  Service    │
└─────────────┘      └─────────────┘      └─────────────┘

Components

Service Worker: Handles push events in the browser
Push API: Browser’s built-in push notification API
Application Server: Your backend that sends notifications
Push Service: Third-party service (Firebase Cloud Messaging, etc.)

Step 1: Client-Side Setup

Register Service Worker

// main.js
if ('serviceWorker' in navigator) {
  navigator.serviceWorker.register('/sw.js')
    .then(registration => {
      console.log('Service Worker registered:', registration);
      return registration;
    })
    .catch(error => {
      console.error('Service Worker registration failed:', error);
    });
}

Request Push Permission

async function requestNotificationPermission() {
  if (!('Notification' in window)) {
    console.log('This browser does not support notifications');
    return;
  }
  
  const permission = await Notification.requestPermission();
  
  if (permission === 'granted') {
    console.log('Notification permission granted');
    subscribeUserToPush();
  }
}

async function subscribeUserToPush() {
  const registration = await navigator.serviceWorker.ready;
  const subscription = await registration.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: urlBase64ToUint8Array(VAPID_PUBLIC_KEY)
  });
  
  // Send subscription to your server
  await fetch('/api/push/subscribe', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(subscription)
  });
}

Service Worker (sw.js)

self.addEventListener('push', event => {
  const data = event.data ? event.data.json() : {};
  const title = data.title || 'New Notification';
  const options = {
    body: data.body || 'You have a new message',
    icon: '/images/icon-192x192.png',
    badge: '/images/badge-72x72.png',
    vibrate: [100, 50, 100],
    data: {
      dateOfArrival: Date.now(),
      primaryKey: data.id || 1
    },
    actions: [
      { action: 'view', title: 'View' },
      { action: 'dismiss', title: 'Dismiss' }
    ]
  };
  
  event.waitUntil(self.registration.showNotification(title, options));
});

self.addEventListener('notificationclick', event => {
  event.notification.close();
  
  if (event.action === 'view') {
    clients.openWindow('/');
  }
});

Step 2: VAPID Keys

Generate VAPID keys for authentication:

# Using Node.js
npm install web-push
node -e "console.log(require('web-push').generateVAPIDKeys())"

Output:

{
  publicKey: 'BEl62iUYgUivxIkv69yViEuiBIa-Ib9-SkvMeAtA3LFgDzkrxZJjSgSnfckjBJuBkr3qBUYIHBQFLXYp5Nksh8U',
  privateKey: 'UUxI4O8-FbRouAf7-7OTt9GH4o-9PN5G9t3cY2xK8fA'
}

Step 3: Server Implementation (Node.js)

// server.js
const webpush = require('web-push');
const express = require('express');
const app = express();

// VAPID keys (generated earlier)
const publicKey = 'BEl62iUYgUivxIkv69yViEuiBIa-Ib9-SkvMeAtA3LFgDzkrxZJjSgSnfckjBJuBkr3qBUYIHBQFLXYp5Nksh8U';
const privateKey = 'UUxI4O8-FbRouAf7-7OTt9GH4o-9PN5G9t3cY2xK8fA';

webpush.setVapidDetails(
  'mailto:[email protected]',
  publicKey,
  privateKey
);

// Store subscriptions in database
const subscriptions = [];

// Subscribe endpoint
app.post('/api/push/subscribe', express.json(), (req, res) => {
  const subscription = req.body;
  subscriptions.push(subscription);
  res.status(201).json({});
});

// Send notification to all subscribers
app.post('/api/push/send', express.json(), async (req, res) => {
  const notification = {
    title: req.body.title || 'Notification',
    body: req.body.body || 'You have a new message',
    id: req.body.id || Date.now()
  };
  
  const notifications = subscriptions.map(sub => 
    webpush.sendNotification(sub, JSON.stringify(notification))
      .catch(err => {
        console.error('Error sending notification:', err);
        if (err.statusCode === 410) {
          // Remove expired subscription
          const index = subscriptions.indexOf(sub);
          subscriptions.splice(index, 1);
        }
      })
  );
  
  await Promise.all(notifications);
  res.json({ success: true });
});

app.listen(3000, () => console.log('Server started on port 3000'));

Step 4: Testing

Test with Chrome DevTools

Open DevTools (F12)
Go to Application > Service Workers
Check “Update on reload”
Test push from your API

Using CLI Tools

# Send a test notification
curl -X POST http://localhost:3000/api/push/send \
  -H "Content-Type: application/json" \
  -d '{"title": "Test", "body": "Hello World"}'

Security Considerations

Use HTTPS: Push notifications only work on HTTPS (except localhost)
Validate Subscriptions: Always validate incoming subscription data
Rate Limiting: Implement rate limiting to prevent abuse
VAPID Authentication: Use VAPID keys for sender verification
Encrypt Payloads: The push service encrypts the notification body

Modern Implementation (2026)

Using VAPID with web-push

// server.js - Modern web-push implementation
const webpush = require('web-push');

// VAPID keys - generate once and keep secret
const vapidKeys = {
  publicKey: 'BEl62iUYgUivxIkv69yViEuiBIa-Ib9-SkvMeApAIDgDsdO3ytj31wutf8j6X7Y9y4rj6aN9oxbVKrM16N2w',
  privateKey: 'UUxI4O8-FbRouAf7-7OT9lPKaeS96xRBt1r5p9Dk8'
};

webpush.setVapidDetails(
  'mailto:[email protected]',
  vapidKeys.publicKey,
  vapidKeys.privateKey
);

// Store subscriptions in database
const subscriptions = [];

// Send notification
async function sendNotification(subscription, payload) {
  try {
    await webpush.sendNotification(
      subscription,
      JSON.stringify(payload)
    );
  } catch (error) {
    if (error.statusCode === 410) {
      // Remove expired subscription
      removeSubscription(subscription);
    }
  }
}

Firebase Cloud Messaging (FCM)

// Using FCM for push notifications
const admin = require('firebase-admin');
admin.initializeApp({
  credential: admin.credential.cert(serviceAccount)
});

async function sendFCM(tokens, title, body) {
  const message = {
    notification: { title, body },
    tokens
  };
  
  return admin.messaging().sendEachForMulticast(message);
}

Node.js with Express

// Complete push notification API
const express = require('express');
const webpush = require('web-push');
const app = express();

app.use(express.json());

// In-memory (use database in production)
let subscriptions = [];

// Subscribe endpoint
app.post('/subscribe', (req, res) => {
  const subscription = req.body;
  subscriptions.push(subscription);
  res.status(201).json({});
});

// Send to all
app.post('/broadcast', async (req, res) => {
  const { title, body, icon, data } = req.body;
  
  const notifications = subscriptions.map(sub => 
    webpush.sendNotification(sub, JSON.stringify({ title, body, icon, data }))
      .catch(err => {
        if (err.statusCode === 410) return null; // Gone
        throw err;
      })
  );
  
  await Promise.all(notifications);
  res.json({ sent: subscriptions.length });
});

app.listen(3000);

Client-Side (Modern)

// service-worker.js (2026)
self.addEventListener('push', event => {
  const data = event.data?.json() || {};
  
  const options = {
    body: data.body || 'New notification',
    icon: data.icon || '/icon-192.png',
    badge: '/badge-72.png',
    vibrate: [100, 50, 100],
    data: {
      url: data.url || '/'
    },
    actions: [
      { action: 'open', title: 'Open' },
      { action: 'close', title: 'Close' }
    ],
    tag: data.tag || 'default',
    renotify: true
  };
  
  event.waitUntil(
    self.registration.showNotification(data.title || 'Notification', options)
  );
});

self.addEventListener('notificationclick', event => {
  event.notification.close();
  
  if (event.action === 'open' || !event.action) {
    event.waitUntil(
      clients.openWindow(event.notification.data.url)
    );
  }
});

Best Practices

// Notification payload best practices
const notificationPayload = {
  title: 'New Message',
  body: 'You have a new message from John',
  icon: '/icons/notification-icon.png',
  badge: '/icons/badge.png',
  tag: 'message-notification',  // Prevent duplicate
  renotify: true,              // Always notify
  requireInteraction: true,     // Keep on screen
  data: {
    url: '/messages/123',
    type: 'new_message'
  },
  // Rich notification
  actions: [
    { action: 'reply', title: 'Reply' },
    { action: 'mark_read', title: 'Mark as Read' }
  ],
  // Image attachment
  image: '/images/message-preview.jpg'
};

Conclusion

Building a push notification system for PWAs involves setting up Service Workers, handling browser subscriptions, and managing a server to send notifications. With this foundation, you can create engaging real-time experiences for your users.

Key takeaways:

Use web-push library for VAPID authentication
Store subscriptions in a database for production
Handle expired subscriptions gracefully
Implement rate limiting to prevent abuse
Use rich notifications with actions for better engagement
Test across different browsers and platforms