firebase-admin-go: sender id does not match regisration token (not api or scope related)

[REQUIRED] Step 2: Describe your environment

  • Library version: 3.7.0
  • Firebase Product: messaging

Running on GKE

[REQUIRED] Step 3: Describe the problem

Every call to send a message to cloud messaging returns this error: http error status 403; reason: sender id does not match regisration token; code: mismatched-credential; details: The caller does not have permission

Related issues:

  • https://github.com/firebase/firebase-admin-go/issues/238 This was solved by adding scopes to the service account, but I have already added way more permissions to the account than it should require (listed below).
  • https://github.com/firebase/firebase-admin-go/issues/116 This was an issue with not enabling the Firebase Cloud Messaging API, but I have it enabled.

Steps to reproduce:

Roles on my service account

Firebase Admin
Firebase Service Management Service Agent
Firebase Admin SDK Administrator Service Agent
Service Account Token Creator

I have checked quota usage here https://console.cloud.google.com/apis/api/fcm.googleapis.com/credentials and verified that the service account with the above permissions is the account being used to make the requests.

Relevant Code:

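app, err := firebase.NewApp(c, nil) // c is a context.Context
if err != nil {
	return err
}
fbClient, err := app.Messaging(c)
if err != nil {
	return err
}
_, err = fbClient.Send(c, &messaging.Message{ // "=": err is already declared
	Data:  map[string]string{"some": "data"},
	Topic: "user_123",
})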

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 22 (9 by maintainers)

Most upvoted comments

“sender id does not match registration token” means the registration token in the request is not registered under the Google Cloud project. If “sender id” is not a familiar concept to developers, we should consider changing it to “project id” or “google project id” in the error message. If you are using HTTP to send the request, the sender id can appear in your request URL: https://fcm.googleapis.com/v1/projects/[SENDER_ID]/messages:send

The solution is to find the correct sender id (project id) associated with that token, and send with that sender id. Or to have the device register again with the correct project and send to the new registration token.

[More information] Regarding the other fixes discussed in this thread:

  1. Scope: I cannot think of any way scope can be related to this problem.
  2. Service Account permission: there is one use case: assume we have a cloud project “A”. Project “A” has a service account “SA”. SA can actually be added into another project “B”'s IAM list, and then you can generate OAuth tokens using SA’s key and send to project B. So in some settings, changing the service account’s permission may resolve this issue. But that depends on the actual config. The root cause should always be that the registration token is not registered with the project you are using.
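
A preflight check for the mismatch described above, as an added example that is not code from this thread or from firebase-admin-go: it compares the project_id in a service account key with the project_id in the client app's google-services.json and returns the FCM v1 send URL only when they match. The sample file contents, project names and function names are constructed for illustration, and it assumes the credential is a key file rather than metadata-server credentials.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample inputs: not real credentials, projects or sender ids.
const sampleKey = `{"type":"service_account","project_id":"backend-project-a"}`
const sampleClientConfig = `{"project_info":{"project_number":"123456789012","project_id":"mobile-project-b"}}`

var ErrProjectMismatch = errors.New("credential project differs from client app project")

type clientConfig struct {
	ProjectInfo struct {
		ProjectNumber string `json:"project_number"` // the FCM sender id
		ProjectID     string `json:"project_id"`
	} `json:"project_info"`
}

// SendEndpoint builds the FCM HTTP v1 URL quoted in the comment above.
func SendEndpoint(projectID string) string {
	return "https://fcm.googleapis.com/v1/projects/" + projectID + "/messages:send"
}

// CheckSenderProject returns the send URL only if key and client app share a project.
func CheckSenderProject(keyJSON, clientJSON []byte) (string, error) {
	var key struct {
		ProjectID string `json:"project_id"`
	}
	if err := json.Unmarshal(keyJSON, &key); err != nil {
		return "", fmt.Errorf("service account key: %w", err)
	}
	var cfg clientConfig
	if err := json.Unmarshal(clientJSON, &cfg); err != nil {
		return "", fmt.Errorf("client config: %w", err)
	}
	if key.ProjectID == "" || cfg.ProjectInfo.ProjectID == "" {
		return "", errors.New("project_id missing from key or client config")
	}
	if key.ProjectID != cfg.ProjectInfo.ProjectID {
		return "", fmt.Errorf("%w: key=%q client=%q (sender id %s)", ErrProjectMismatch,
			key.ProjectID, cfg.ProjectInfo.ProjectID, cfg.ProjectInfo.ProjectNumber)
	}
	return SendEndpoint(key.ProjectID), nil
}

func main() { fmt.Println(CheckSenderProject([]byte(sampleKey), []byte(sampleClientConfig))) }
```

In the cross-project setup from item 2, the key's project_id names project A while tokens are registered under project B, so this check fails until the sender is pointed at project B explicitly.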