Learn about OneSignal’s REST API capabilities, security requirements, rate limits, retries, and how to send notifications, manage users, apps, and segments programmatically.
Our REST API follows the REST Architecture and provides programmatic access to core messaging and user features. Use the API to send push notifications, emails, and SMS, manage users, subscriptions, and segments, export data, and configure apps.
General
443.
https://api.onesignal.com on port 443.
Incoming Traffic to OneSignal (API & SDK Requests)
All incoming API traffic—whether from your backend, our SDKs, or the dashboard—passes through Cloudflare, which serves as our global edge network.
We do not recommend whitelisting specific Cloudflare IPs, as they may change without notice.
Outgoing Traffic from OneSignal (Webhooks & Event Streams)
For features where OneSignal sends HTTP requests to your servers (e.g., webhooks or event streams), these originate from our infrastructure on Google Cloud Platform (GCP) in the europe-west4 region (Groningen, Netherlands).
europe-west4 region.)
5228, 443, 5229, and 5230
5223, 443, and 2197
api.sandbox.push.apple.com:443
api.push.apple.com:443
17.0.0.0/8
See our Create Message guide to get started. Programmatically send:
Send push notifications to apps and websites.
Send transactional and promotional emails.
Send SMS or MMS messages globally.
Send Live Activity updates to iOS devices.
Below are common supported features for each platform. See our overview docs for each platform’s supported features:
Add dynamic content to personalize messages for each user.
Send push notifications in multiple languages.
Control push notification delivery speed.
Limit the number of push notifications per user.
Send data-only notifications for background tasks.
Templates are reusable push, email, and SMS messages that simplify development and improve consistency.
Create a reusable template.
Update a template.
View all templates.
Delete a template.
See our Users and Subscriptions guides for more details.
Create a user with optional aliases and subscriptions.
View user details.
Update a user.
Delete a user.
Segments help group users by filters.
You can also target users dynamically using filters without creating persistent segments.
For analytics breakdowns, see Analytics overview.
Export all user and subscription data.
Export events like sent, received, and clicked.
View message details and analytics.
View individual message details.
OneSignal allows you to group platforms (mobile apps, websites) under a single App ID. See Apps, orgs, & accounts.
Create an app.
Update an app.
View a single app.
View all apps.
API key management
See Keys & IDs for more details.
Create an API key.
View all API keys.
Delete an API key.
Update an API key.
All API endpoints are subject to rate limits. Limits vary by endpoint and request type.
Refer to the Rate Limits reference for full details.
Retry-After.
If a request fails due to a transient error (HTTP 5xx or rate limit), retry the request using an exponential backoff strategy based on the Retry-After header. Avoid retrying 4xx errors, which typically indicate invalid requests.
429 errors after waiting the duration specified in the Retry-After header.
400, 401, or 403 errors without fixing the underlying issue.
Use the idempotency_key header to prevent duplicate messages when retrying failed requests.
See the Idempotent Notification Requests guide for implementation tips.
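The retry rules above, as an added Python example (not OneSignal's own code): it waits at least the Retry-After value on 429 and 5xx responses, stops on other 4xx responses, and reuses one idempotency key across all attempts. The `send` callable, `ScriptedTransport`, and the backoff base and cap are assumptions made for this sketch; how the key is attached to the request follows the Idempotent Notification Requests guide.

```python
import random
import time
import uuid

def retry_delay(status, headers, attempt, base=1.0, cap=60.0):
    """Seconds to wait before the next attempt, or None when a retry is pointless."""
    if status != 429 and status < 500:
        return None  # success, or a 4xx (400/401/403 ...) that must be fixed first
    backoff = min(cap, base * 2 ** attempt)  # 1s, 2s, 4s, ... (assumed base and cap)
    value = str(headers.get("Retry-After", "")).strip()
    # Never retry sooner than the server asked; a non-numeric value falls back to backoff.
    return max(float(value), backoff) if value.isdigit() else backoff

def send_with_retry(send, payload, max_attempts=5, sleep=time.sleep):
    """Call send(payload, key) until it succeeds, fails permanently, or attempts run out."""
    key = str(uuid.uuid4())  # generated once, reused for every attempt of this message
    for attempt in range(max_attempts):
        status, headers = send(payload, key)
        delay = retry_delay(status, headers, attempt)
        if delay is None or attempt + 1 == max_attempts:
            return status, key, attempt + 1
        sleep(delay + random.uniform(0, 0.25 * delay))  # jitter spreads out clients

class ScriptedTransport:
    """Constructed stand-in for an HTTP client: replays canned (status, headers) pairs."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.keys_seen = []

    def __call__(self, payload, idempotency_key):
        self.keys_seen.append(idempotency_key)
        return self.responses.pop(0)

if __name__ == "__main__":
    transport = ScriptedTransport([(503, {}), (429, {"Retry-After": "7"}), (200, {})])
    waits = []
    print(send_with_retry(transport, {"contents": "hi"}, sleep=waits.append), waits)
```

Because the key is created before the first attempt rather than inside the loop, a request that reached the server but whose response was lost is retried with the same key instead of a fresh one.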
idempotency_key to safely retry.
No, certificates are not required. If needed for your security posture:
Option 1: Download the Cloudflare cert
Option 2: Loosen your TLS restrictions
See Cloudflare’s guides on managing certs