An APNs auth key is the modern token-based credential for sending push notifications through Apple Push Notification service. Apple issues a .p8 ECDSA private key, gives you a Key ID and the Team ID, and you use those to sign short-lived JWTs that authenticate each batch of push sends. One auth key covers every app on the team, works for sandbox and production, and does not expire.
How it differs from an APNs certificate
- APNs certificate (legacy): An Apple Push Services certificate, one per app, that expires once a year. Authenticates with mutual TLS to APNs.
- APNs auth key (modern): A single .p8 ECDSA key, shared across every app, that never expires. Authenticates with a signed JWT in the `authorization` header.
When you create one
1. Apple Developer portal > Keys. Sign in as Account Holder or Admin, open Keys, and create a new key with APNs enabled.
2. Download the .p8 right away. Apple lets you download it only once. Store the .p8 together with the Key ID and your Team ID, and put all three into your push backend's secret manager.
3. Sign a JWT and send a push. Your push backend signs an ES256 JWT with the .p8, putting the Key ID in the JWT header and the Team ID in the `iss` claim. The JWT is reused for up to one hour before it is re-signed.
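Step 3 as an added Node.js example (not code from the original page): it signs the provider token, caches it, and re-signs before the one-hour reuse limit. The key pair is generated in-process as a stand-in for the .p8, the Key ID and Team ID are constructed placeholders, and the 50-minute refresh age and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Sign an APNs provider token: ES256 JWT, Key ID in the header, Team ID as `iss`.
function signProviderToken({ p8Pem, keyId, teamId }, nowSec) {
  const header = b64url(JSON.stringify({ alg: 'ES256', kid: keyId }));
  const claims = b64url(JSON.stringify({ iss: teamId, iat: nowSec }));
  const input = `${header}.${claims}`;
  // JWS requires the raw 64-byte r||s signature, not the DER form Node emits by default.
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: p8Pem, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64url(sig)}`;
}

// Cache the token and re-sign once it is older than maxAgeSec (assumed 50 minutes,
// which stays under the one-hour reuse limit).
function createTokenProvider(cfg, maxAgeSec = 50 * 60) {
  let token = null;
  let issuedAt = 0;
  return (nowSec = Math.floor(Date.now() / 1000)) => {
    if (!token || nowSec - issuedAt >= maxAgeSec) {
      token = signProviderToken(cfg, nowSec);
      issuedAt = nowSec;
    }
    return token;
  };
}

// Check helper: verifies the signature with the matching public key.
function verifyProviderToken(token, publicKeyPem) {
  const [h, c, s] = token.split('.');
  return crypto.verify('sha256', Buffer.from(`${h}.${c}`),
    { key: publicKeyPem, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
}

// Constructed demo key (P-256) standing in for the .p8; in production the PEM,
// Key ID and Team ID are read from the secret manager.
const demo = crypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1',
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  publicKeyEncoding: { type: 'spki', format: 'pem' },
});
const demoCfg = { p8Pem: demo.privateKey, keyId: 'ABC123DEFG', teamId: 'TEAM123456' };
const getToken = createTokenProvider(demoCfg);
console.log(`authorization: bearer ${getToken().slice(0, 40)}...`);
```

During a rotation, the same provider can be created a second time with the new Key ID and .p8 so both keys are deployed side by side before sends are switched.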
Rotation
Auth keys do not expire, but you may need to rotate one if it leaks, if the engineer who created it leaves and you cannot account for the .p8, or if Apple's security recommendations change. The pattern is to create a new key, deploy both keys to your push backend, switch sends to the new Key ID, and then revoke the old key. Apple allows up to two active APNs auth keys per team during the overlap.