API key for GCM is suddenly invalid? Unauthorized (401) error

kumar picture kumar · Jun 13, 2016 · Viewed 44.3k times · Source

I created an Android API key for GCM Push Notification for my Android application.From the last two days, GCM server returns Unauthorized (401) response in PHP.

Is there any reason for Android API key invalid/expire? Or Is Android API key deprecated by GCM?

Still I'm not getting proper explanation regarding Why Android API key is invalid? Most of them prefer Server key instead of Android API key for GCM but not mentioning as to why not use Android API key.

Why do not use Android API Key in GCM? Is there any limitation for Android API key? Or Is GCM server blocks the notification/GCM server is making Android API key invalid if notification message exceeds per day limit?

Answer

AL. picture AL. · Jun 14, 2016

Update: The term being used is back to Server Key.

Just recently, there is now a Firebase Cloud Messaging Token (FCM Token) that is being rolled out. This is visible in the Cloud Messaging tab in your Firebase Console.


Update: There is now a visible note in the GCM docs saying:

Starting from Sept. 2016 new server key can only be created in the Firebase Console using the Cloud Messaging tab of the Settings panel. Existing projects that need to create a new server key can be imported in the Firebase console without affecting their existing configuration.


Update: It would also seem that Migrating from GCM to FCM fixes the issue for 401 Unauthorized Error.

If you are just starting to use GCM, instead of creating a project in the Google Developers Console, do it in the Firebase Console. After creating the project, simply use the auto-generated Server Key. Here are the steps where to find the Server Key:

  1. Go to your Firebase Console and click on CREATE NEW PROJECT.
  2. Fill in your desired Project Name and select your Country. After this, the new Project should be active.
  3. Then on left-side panel, click on the gear button and select Project Settings.
  4. Then go to the Cloud-Messaging Tab.

For old GCM projects, you can simply Import the project to the Firebase Console:

  1. Go to your Firebase Console and click on IMPORT PROJECT.
  2. Select the project you want to import and your country.
  3. Click on ADD FIREBASE. After this, the new Project should be active.
  4. Then on left-side panel, click on the gear button and select Project Settings.
  5. Then go to the Cloud-Messaging Tab.

For some reason, only a Server Key works now with GCM. The Android Key isn't the only one that seems to be invalid, all other Client API keys (Browser, iOS, Android) are.


When pertaining to the Server Key's description:

Create and use a Server key if your application runs on a server.

It is logical to use a Server key since you are using the API key on your Server, and it is working with GCM Connection server.

If you compare the FCM docs with the GCM docs (under Credentials), you can see that in GCM, it only states API key, while in FCM, it already specifies a Server key. Well, FCM is the newer version of GCM, may be it has something to do with it? I'm not so sure, but I think you get the gist of what I'm saying.

Update: In the GCM docs, Server Key is now indicated.


By default, after going through the Configure your API Project steps, a Server API key is generated (I tested it by selecting Android app). Same goes with . Whenever I create a new project, it just generates a Server Key automatically.

Hopefully there will be an explanation in the future as to why.


Gonna go on ahead and add the steps on how to create a Server Key. Just in case others are confused, or newbies are not sure how.

  1. Go to your Google Developers Console
  2. On the left-pane, click on Credentials
  3. Under the Credentials Tab, Click on Create Credentials
  4. Select API Key

---Update in the Developers Console cuts the step here---

  1. Select Server Key
  2. Fill out the details.
  3. Click on Create

The Server Key should be available by then.


Update: It seems there was a recent change when generating an API key. It is the same up until Step 4 that I mentioned above. However, after you select API Key, it will directly create an API key without asking what type of key (Server, Android, Browser, iOS) it is. It will only allow you to set some Restrictions that was visible depending on which API Key you intend to generate.


Update: When creating an API Key with No Restrictions, it is showing a Notice (Exclamation Point) that your API key is vulnerable, that's why it is highly encouraged for you to add a restriction for your API key. One post had this issue and adding a restriction was able to resolved it.