Skip to main content

Web push requirements

Your website must meet all of the following for Web Push to work: Browser APIs required Security & connection
  • ✅ HTTPS only (with valid SSL certificate)
  • ✅ OneSignal’s service worker installed
  • ✅ Browser must reach:
    • Browser push servers (e.g., FCM, Mozilla)
    • api.onesignal.com
User state
  • ✅ Notification permission granted by user
  • ❌ Not in Incognito/Private/Guest mode
  • ❌ Site data not cleared (deletes subscriptions)
Clearing browser data (cookies, site storage) automatically unsubscribes users from push notifications.

iOS/iPadOS requirements

To receive push on iOS or iPadOS:
  • iOS 16.4+ or iPadOS 16.4+
  • Site must be added to home screen and opened from there
  • Valid manifest.json file with required fields
  • Users must accept notification permissions after opening as web app

iOS web push setup

Follow Apple-specific steps to enable web push on iPhones and iPads running iOS 16.4+.

Browser compatibility

Users may see web permission prompts but cannot subscribe to push notifications in incognito, private, or guest browser modes.
BrowserWindowsmacOSAndroidiOS
Chrome✅ ¹
Firefox✅ ¹
Safari 10+✅ ¹
Microsoft Edge✅ ¹
Opera ²✅ ¹
Samsung Internet ²✅ ¹
Yandex ²✅ ¹
UC Browser ²✅ ¹
Internet Explorer
DuckDuckGo
¹ iOS requires web app installation (see iOS web push setup)² Chromium-based browsers appear as “Chrome” in OneSignal analytics

Domain changes & migration

Understanding browser origin policy

Browsers tie web push subscriptions to a specific origin (domain/site URL) for security reasons. You cannot transfer subscribers between different origins - this is a browser limitation, not a OneSignal restriction. Different origins include:
  • HTTP vs HTTPS (e.g., http://mysite.comhttps://mysite.com)
  • www vs non-www (e.g., www.mysite.com vs mysite.com)
  • Different domains/subdomains (e.g., domain1.com vs domain2.com or sub1.domain.com vs sub2.domain.com)

Migration options

When changing your site’s origin, choose one of these approaches:

HTTP to HTTPS upgrade

Upgrading from HTTP to HTTPS creates a new origin. Follow the domain migration steps above since browsers treat HTTPS sites as completely separate from their HTTP versions.

Multiple sites & subdomains

Single app limitations

Due to browser same-origin policy, you can not use one OneSignal App for multiple origins like:
  • https://mysite.com and https://www.mysite.com
  • https://main.com and https://shop.main.com

Solutions for multiple origins

  • Single Origin Strategy
  • Separate Apps
  • Subscribe users only on your main domain
  • Redirect users from other origins to main domain for subscription
  • Redirect back to original page after subscription

Language support scenarios

Advanced configuration

Multiple OneSignal apps on same site

  • Not recommended - causes subscription conflicts.
  • What happens: OneSignal auto-resubscribes users to the most recently visited App ID, causing subscribers to bounce between apps and creating many unsubscribed devices.
  • Better approach: Use Data Tags to segment users within a single app.

Subfolder sites

Web push operates at the origin level. For sites in subfolders (e.g., https://example.com/blog), use the main origin (https://example.com) for setup.

Self-hosting SDK files

Strongly discouraged. Browser push specifications change frequently, and OneSignal updates files immediately to maintain compatibility. Use OneSignal’s CDN URLs from your Web Push Settings instead.

Custom init code

Custom init code only works with Custom Code Setup. Typical Setup or Website Builder users: Custom init code will be ignored by the OneSignal SDK. If you need to delay initialization, use the privacy methods.

Development & testing

Local environment testing

See Web SDK setup > Local testing for complete local testing setup.

Service worker integration

OneSignal can work alongside existing service workers and PWAs. See Integrating Multiple Service Workers for implementation details.

Push spam

Push notifications are not designed to be used for advertisments, spamming users, or deceptive campaigns. If your app is detected as sending spam notifications, browsers may send your users a “Spam warning” notification. Avoid sending notifications that:
  • Are not relevant to the users
  • Use words like “Ads” or link to a page that is not related to the app
  • Are not from a trusted source (e.g. a brand you are not associated with)
See Fighting Unwanted Notifications with Machine Learning in Chrome for more information.
If your app is being flagged as spam, you can:
  • Review your notification content and remove anything that may be considered spam. This includes:
    • The words “Ads” or “Ad” in the title or body
    • Links to pages that are not related to the app
    • Links to pages that are not from a trusted source (e.g. a brand you are not associated with)
  • Continue sending and monitor further reports.

Troubleshooting

Update deployment timing

  • Service Worker files: 24-hour cache
  • Web SDK: 3-day cache
Plan accordingly when deploying critical updates.

macOS Chrome notification issues

For macOS Chrome users, ensure notifications are enabled for both:
  1. Google Chrome app (Apple Menu > Settings > Notifications)
  2. Google Chrome Helper app
Without both enabled, notifications won’t appear in the notification center.

Next steps after setup

  1. Test thoroughly across your supported browsers and devices
  2. Implement proper error handling for permission requests
  3. Set up analytics to monitor subscription rates
  4. Plan your notification strategy to avoid user fatigue
  5. Consider A/B testing your permission request timing and messaging

Common migration gotchas

  • Browser data clearing unsubscribes users automatically
  • Duplicate notifications during dual-app transitions
  • iOS requires web app installation before push works
  • Private/Incognito modes never support push notifications
  • Service workers must be accessible at your site’s root or configured subdirectory

Next steps