OneSignal Help & Documentation


Data and Security Questions

Common questions about OneSignal's data handling and security

Data Questions

What data is collected by the OneSignal SDK?

For a complete list of the data that the OneSignal SDK can collect, see Data Collected by the OneSignal SDK.

How do you recommend handling user data in OneSignal?

See our Handling Personal Data FAQ and guide for best practices for handling user data within OneSignal.

How do I export data from OneSignal?

Please see the Exporting Data page for details.

How secure is OneSignal?

Please see our Security page for security details and tips to keep your OneSignal app information secure.

Is OneSignal COPPA compliant?

COPPA compliance is the responsibility of the publisher. However, OneSignal provides an easy way to gather User Consent before collecting data and prompting for push. More details on how to properly handle this interaction can be found in this article: How to Implement COPPA Compliant Push Notifications in Kid Directed Apps.

How can I or my users opt-out (unsubscribe) from Web Push Notifications?

See the following guides to learn how to opt-out of OneSignal's Notifications:

How large are the OneSignal SDKs?

Native Android SDK

Our Native Android SDK is currently 190KB and, like most Android SDKs/Plugins, it depends on the Android Support Library v4 and the Google Play services library, which may add 1 to 2 MB if they are not in your project already. However, if you use ProGuard on your project, this size will be reduced.

Native iOS SDK

Our Native iOS SDK is a 3MB download. However, if you build your app with bitcode turned on, it will only add around 500KB to your app's size.


Our Web SDK is 55 KB minified and gzipped. It is loaded asynchronously from our worldwide CDN with a long browser-expiry.

Security Questions

How secure is OneSignal?

All OneSignal SDKs connect to our servers over HTTPS, and our REST API requires a REST API Key on the endpoints that need one.

Similar to all other software-as-a-service companies, every app that you create in OneSignal contains a public key (OneSignal app_id) and a private key (REST API Key).

iOS - OneSignal uses TLS encryption for sending notifications, as required by the Apple APNS specifications.

Android - OneSignal uses Google's GCM/FCM service, which uses the HTTPS protocol.

How to lock down or secure my OneSignal account?

Steps to secure your OneSignal Account:

  1. Use Two-Step Authentication and enable it for all users with access to your account.
  2. Remove Administrators that do not need access to your account. Multiple people should also NOT share a single account. Each person should have their own account with their own email address.
  3. Do not publish your REST API Key or User Auth Key. These keys should not be placed anywhere publicly accessible, such as GitHub or within your app/site.
  4. If you believe your account is already compromised, follow these steps to reset your account.

What happens if a "bad actor" gains access to my OneSignal REST API Key?

If you believe that your REST API key has been compromised, please follow our guide to Reset Your REST API Key.

More details below on Locking down your account.

What happens if a "bad actor" gains access to my OneSignal app_id?

If someone were to gain access to your app_id through your application or site, they could technically add a new device record. However, that record cannot receive notifications if the device wasn't subscribed through valid means.

What happens if a "bad actor" gains access to a OneSignal player_id?

A user's own player_id is public to that user, and discovering it is generally harmless. It can be used to view and update tags and other data about the user's subscription. For this reason, tags should not be used for either authentication or the storage of sensitive data and personally-identifiable information.

Users of your application or service should not be given access to the player_ids of other users. This is because a player_id on its own is sufficient to send a notification to that user's device. So the player_ids belonging to other people should be kept secret.
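The player_id and REST API Key guidance above, applied to a backend, as an added example that is not OneSignal's own code. The environment variable names, the user and contact tables, and the helper names are hypothetical; the request fields (app_id, include_player_ids, contents) and the Basic authorization header are assumptions about OneSignal's REST API and are not given on this page. The request is built but not sent.

```python
import os

# Constructed sample data: server-side mapping from the app's own user ids
# to OneSignal player_ids. Clients never receive this table.
PLAYER_IDS = {
    "alice": "00000000-0000-4000-8000-00000000a11c",
    "bob": "00000000-0000-4000-8000-000000000b0b",
}
# Constructed sample data: who is allowed to notify whom.
CONTACTS = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}


def public_profile(viewer, user):
    """Profile returned to `viewer`; a player_id appears only on their own record."""
    profile = {"user": user}
    if viewer == user:
        profile["player_id"] = PLAYER_IDS.get(user)
    return profile


def build_notification(sender, recipient, text):
    """Return (headers, body) for the REST call, or None if it is not allowed.

    `sender` must come from the server's own authenticated session, never
    from a tag value or from a player_id supplied by the client.
    """
    if recipient not in CONTACTS.get(sender, set()):
        return None  # sender has no relationship that permits notifying
    player_id = PLAYER_IDS.get(recipient)
    if player_id is None:
        return None  # recipient has no subscribed device on record
    # The REST API Key lives only in the server environment (hypothetical
    # variable names); it is never embedded in the app or site.
    rest_key = os.environ.get("ONESIGNAL_REST_API_KEY", "")
    app_id = os.environ.get("ONESIGNAL_APP_ID", "")
    headers = {
        "Authorization": f"Basic {rest_key}",
        "Content-Type": "application/json",
    }
    body = {
        "app_id": app_id,
        "include_player_ids": [player_id],  # resolved server-side only
        "contents": {"en": text},
    }
    return headers, body
```

Clients name the recipient by the application's own user id; the server decides whether the send is allowed and resolves the player_id itself.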

My account has been compromised, what should I do?

Generally we see this occur when your OneSignal REST API KEY gets published within your app/site or openly on

Otherwise, it may be due to your email and password being compromised through another site. You can check if this occurred using a site like

To lock down and reset your account, please take the following steps:

1. Disable sending from your OneSignal app

While you are updating the password and keys, you can disable the app from sending using the "Disable App" button in Settings > Keys & Ids in your OneSignal dashboard.

2. Reset your password

Access your Accounts & API Keys section (top right of OneSignal Dashboard) to Reset Your Password. This will reset your User Auth Key as well, which is different from your REST API key.

If you use WordPress, make sure the password is updated and keep both passwords unique.

3. Reset your REST API key and keep it secret

You can reset the REST key by going to your Dashboard > App Settings > Keys & Ids and clicking the link that says "Reset your REST API key?"

More details if needed in our Reset Your REST API Key guide.

4. Remove old Admin Users

You can remove any Admin users on your account who are no longer part of the project or who don't need access.

5. Enable 2-factor Authentication

You can enable Two-Step Authentication within your OneSignal dashboard and require it for all users.

Once you have finished these steps, make sure to Re-enable your app in Settings > Keys & Ids.

Updated 2 months ago
