APNs credentials being "randomly" removed from expo servers causing issues with push notifications

We have a setup in our company where we deploy the same expo managed codebase to over 150 standalone apps. Recently, I noticed that some apps started presenting issues while trying to send iOS push notifications, so I checked the logs, and found several errors with the message “Could not find APNs credentials”. After a little digging, I found out that the only issue was that the APNs keys for those apps weren’t on expo servers any longer, for some reason, even though I had initially uploaded them when those standalone apps were published. To solve that, I tried to use the expo-cli command expo credentials:manager to upload the keys, and, even though the keys were successfully uploaded, I would still get the error message when trying to send push notifications to Expo tokens associated with that standalone app. To solve the issue, I had to re-build the standalone app, re-uploading the APNs keys.

So my goal is to first, understand why the credentials might have been removed from expo servers, and then take the action needed to avoid this in the future.

TLDR;
-Do APNs keys/credentials get ever removed from expo servers “automatically”? If so, how to prevent this?
-Is there a limit to how many APNs credentials a project will hold on expo servers?
-Why keys uploaded with the expo credentials:manager won’t work, but when uploaded while building the standalone app, it works fine?

A big thanks in advance for the help to the Expo team and community!

Hi! thanks for posting, iOS push credentials can be a pretty confusing topic

Do APNs keys/credentials get ever removed from expo servers “automatically”?

No, we never remove your credentials unless you tell us to (for instance, by passing the -clear-credentials or --clear-push-key to the expo build:ios command)

Is there a limit to how many APNs credentials a project will hold on expo servers?

A single project can only have 1 push key associated with it, and Apple only allows you to have 2 APN keys at any one time. But you can have as many apps as you want using the same APN key (for more information, I suggest reading through our app signing docs

Why keys uploaded with the expo credentials:manager won’t work, but when uploaded while building the standalone app, it works fine?

They should work the same did you change any other credentials when re-building, like your provisioning profile for instance?

Thank you for your response @charliecruzan.

It’s good to know that credentials will never be removed from expo servers. At some point in the past, I might have run a command using the -c flag without taking into account that I needed those creds in the expo servers for the app push notifications to work. I will keep that in mind in the future.

I understand that each Apple Developer account can only have up to 2 APNs keys, but I currently have a single expo project (a single slug), which has more than 100 APNs keys associated with it. And I can send push notifications through Expo Notifications without a problem, to multiple (more than 150) unique standalone apps, that use the same single expo codebase / project. In fact, I just ran expo credentials:manager and selected iOS, and it printed the hundreds of credentials that I currently have associated with this project, including the APNs keys.

When I try to upload an APNs key using expo credentials:manager, it doesn’t ask me to associate a provisioning profile with it. It just takes the APNs key. Maybe because it wasn’t taken into account that the system actually allows multiple APNs keys associated with a single project, and it thought it would be able to automatically define which provisioning profile to use? When I run expo build:ios, it always needs a provisioning file and distribution certificate, so maybe that’s the reason why it works? I’d be willing to provide additional info of my use case in case it would be helpful to improve how things currently work. Just let me know.

I’ll be looking forward to your answer

Edit: Typo

Hi

I currently have a single expo project (a single slug), which has more than 100 APNs keys associated with it

iOS project in expo is identified by (owner, slug and bundleIdentifier) there is no way to associate more than one push notification key to expo project, but if you have different bundle identifier that are separate expo projects

When I try to upload an APNs key using expo credentials:manager , it doesn’t ask me to associate a provisioning profile with it.

There are two options in credentials:manager one to add push key to your account and one one to use already uploaded push key in current project. Push notification key is not specific to any app(from apple perspective) and it’s not assigned to provisioning profile, but it needs to be assigned to expo project.

Thank you @wkozyra,

This does make sense, since each standalone app use the same slug, but a different bundleIdentifier.

Regarding the expo credential:manager options, I only mentioned that it didn’t ask for provisioning profile to associate with the APNs key because @charliecruzan had asked if I had changed the provisioning profile when building the standalone app, which made me assume that it was somewhat related to the issue I was having: APNs keys uploaded via expo credentials:manager won’t be sufficient for the Expo Notifications to work with iOS devices. But thank you for the clarification.

That said, do you have any idea why Expo Notifications won’t work (it will return an error saying “Could not findAPNs credentials”) when the APNs key is uploaded via expo credentials:manager, even after it says that it was successfully uploaded, but it works when uploaded when running expo build:ios?

I just had a thought that might give us some insight:

The current setup I have is: I have a sub-folder that has another sub-folder for each standalone app, and it carries the app.json for the individual standalone app. Every time I run the expo build:ios command, I do it using the --config option, and point to the respective app.json for the standalone app I want to build.

I tried running expo credentials:manager using the --config option, but it doesn’t accept it. So it makes me think that it is always using the “default” app.json that is in the current directory where the command was run from, so it is always uploading the APNs key to the “project” for that app.json setup. Is that a possibility? @wkozyra @charliecruzan

Yes that is most likely the case, if you try to run without specific config you don’t see option Use existing Push Notifications Key in current project. Running Add new Push Notifications Key is only adding this key to your account but it’s not attaching ti to any projects.

When credentials manager list all user credentials (push key & dist certs) it shows which app is using it. You probably have now few unused added there.

@wkozyra That’s it!

I just made a few tests:

• I tried to run expo credentials:manager from the subfolder with one of the app.json’s, but it complained that the packages.json file wasn’t found. So I copied the packages.json file, and the credentials:manager ran, but it didn’t give me the Current project actions. So, I tried the next step:

• I copied the app.json from one of the standalone apps and replaced my root “Default” app.json with it, and then ran expo credentials:manager, which gave me the Current project actions, so I was then able to associate the previously uploaded APNs key(s) (that were unused, as you mentioned) to the respective projects.

It would be great to be able to use the --config option on the expo credentials:manager command. I will take a look at the expo GitHub repo and see if I can contribute with that, and maybe while I’m at it, I can also add this info you just gave me to the documentation, which can help future users that happen to have the same “issue”.

I haven’t contributed with expo yet, so I’d have to see how complex it would be for me to get up and running with the contributor environment.

Anyways, thank you so much for all your help, as always, and for the incredible tool you have in expo. You guys rock!

Edit: formatting and typo

expo credentials:manager was not designed to supported use cases like yours, adding --config should be relatively simple but there are still some other parts that might cause problems.

• user is asked only once for apple credentials, so because you are using separate apple accounts/teams for every app you would need to close and reopen credentials manager for every app
• we are fetching all credentials(that is why command takes a long time)
• you can only assign user credentials for the current app (user credentials are credentials that are not specific to any app, but can be assigned to multiple apps at the same time e.g. push key, dist cert)

added PR with support fo --config here https://github.com/expo/expo-cli/pull/2641

That’s awesome @wkozyra. I’ll be watching that PR. As soon as it’s merged and “live”, I’ll make sure to update expo-cli and try it out. Thank you so much!