Use of VAPID in JMAP WebPush

Introduction JMAP specifies how clients can subscribe to events using a protocol that is compatible to WebPush . Some push services require that the application server authenticates all push messages using the Voluntary Application Server Identification protocol . To faciliate that the client (or user agent in WebPush terminology) needs the VAPID public key of the application server to pass it along to the push service when retrieving a new endpoint.

Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings.

Discovering Support for VAPID The JMAP capabilities object is returned as part of the standard JMAP session object (see Section 2 of ). Servers supporting this specification MUST add a property called "urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The value of this property is an object that MUST contain the following information: applicationServerKey: "String" The P-256 public key that the push service will use to authenticate the application server, encoded in URL-safe base64 representation as defined in .

Issuing Push Notifications Every time the server sends a push message to a PushSubscription URL it MUST authenticate that POST request using the protocol outlined in . This includes both StateChange events and PushVerification notifications.