Basic setup instructions for OneSignal's REST API.

Keys and Identifiers

REST API Key

Locate or create your app's REST API Key by navigating to Dashboard > Settings > Keys & IDs. This key allows you to interact with the app that created the key. To interact with several apps, you must create separate API Keys. Refer to Keys & IDs to learn more.

App ID

All requests require an App ID, which can be found using one of several methods:

  • Inspecting the URL of the Dashboard page. For example, you log in to onesignal.com and click your app to get https://dashboard.onesignal.com/apps/202d4f61-1ca9-42df-9d36-bb17d8123abc. The App ID is 202d4f61-1ca9-42df-9d36-bb17d8123abc.
  • Settings page in the Dashboard. See Keys & IDs.
  • Inspecting a successful response from a Configuration API.

See Notification Parameters to learn more about this identifier and other notification-specific parameters.

Key Safety

It's critical to keep your API keys secure. Your App ID is public but REST API Keys enable you to control almost every aspect of your app, including managing subscriptions, modifying user data, and sending messages to your users. Good security hygiene can lower the risks of bad actors accessing your apps.

  • Don't store keys in source code.
  • Don't push keys to GitHub.
  • Don't leak keys in your app.
  • Don't email keys.
  • Don't share keys in chat apps (e.g., Slack, Discord, Zoom, Meet, Teams, SMS, etc).
  • Don't store keys in a database, especially when unencrypted.
  • Do store keys in your local environment or a password or key manager.

Responding to Incidents

If you suspect your app may have been compromised, generate a new REST API Key as soon as possible. Doing so will limit a bad actor has time to carry out malicious activity. To generate a new key, navigate to Dashboard > Settings > Keys & IDs, then click the Generate New API Key button. See Account Security for details.

Authentication

Our API uses the Basic authentication scheme when authentication is required.

To use the REST API Key , set the Authorization header to Basic followed by the key.

  • API Key: MjAyYzJlOTAtMTY4Mi00ODFlLTg2MDYtZTM2YzllM2ZlZTVi
  • Header: Authorization: Basic MjAyYzJlOTAtMTY4Mi00ODFlLTg2MDYtZTM2YzllM2ZlZTVi

Example

POST /notifications HTTP/1.1
Content-Type: application/json
Authorization: Basic MjAyYzJlOTAtMTY4Mi00ODFlLTg2MDYtZTM2YzllM2ZlZTVi
Host: api.onesignal.com
Connection: close
Content-Length: 220

{
  "app_id":"202d4f61-1ca9-42df-9d36-bb17d8123abc",
  "contents":{"en":"Hello, World","es":"Hola Mundo","fr":"Bonjour le monde","zh-Hans":"\u4f60\u597d\u4e16\u754c"},
  "target_channel":"push",
  "included_segments":["All Subscribers"]
}

Generating and Managing API Keys

  1. Navigate to Dashboard: Go to Dashboard > Settings > Keys & IDs.
  2. Create a New Key: Click on Create New Key to generate a new API Key for your app.
  3. Manage Keys: Use the Keys & IDs section to regenerate your REST API Key

Error Handling

When making requests, ensure that your API Key or Bearer token is valid and correctly formatted. Invalid or expired keys will result in authentication errors. The API will return the following error messages for common issues:

  • Invalid API Key: 401 Unauthorized
  • Missing Authorization Header: 400 Bad Request