Web Push
Reach members in their browser on the open Web Push Protocol— no app, no paid third-party provider, no per-message fee. Flash auto-generates the workspace's VAPID keys on enable, members subscribe from the portal, and every message is encrypted to the subscription's own keys.
How it works
Open standard, no provider
Web push runs on the browser's own Web Push Protocol via each browser's push service. There's no paid third-party push vendor and no per-message fee.
VAPID keys, auto-generated
On first enable, Flash generates the workspace's VAPID application server keys for you — nothing to create, paste or rotate by hand.
Member-initiated subscribe
Members subscribe themselves from the portal privacy page. The browser's own permission prompt gates it — no permission, no subscription.
Per-subscription encryption
Each push payload is encrypted to the individual subscription's keys (RFC 8291 message encryption), so only that member's browser can read it.
Enable it (admin)
An admin turns web push on for the workspace. There are no keys to generate — Flash creates the VAPID application-server keypair on first enable.
// Admin enables web push for the workspace in Settings → Web Push.
// On first enable, Flash GENERATES the VAPID application-server keypair automatically —
// you don't create or paste keys. You set a contact email and can fire a test send.
//
// Settings → Web Push:
// • Enable web push (OFF by default, per workspace)
// • Contact email (identifies the sender to the browser push services)
// • Send test notification (verify the end-to-end path)
//
// The public VAPID application server key is what the member's browser uses when it
// creates a push subscription (below).Member subscribe flow
The member's browser creates the subscription with the workspace's public VAPID key; the portal posts it to Flash. See the Member Portal Embed guide for the signed-in consumer session this relies on.
// Members subscribe THEMSELVES from the member portal privacy page. The web-push card
// only renders when (a) the browser supports the Push API AND (b) the workspace enabled
// web push. Tapping it triggers the browser's native permission prompt.
//
// 1. Portal registers a service worker.
// 2. Browser creates a PushSubscription using the workspace's public VAPID key
// (Notification.requestPermission() → pushManager.subscribe(...)).
// 3. The portal posts that subscription (endpoint + p256dh + auth keys) to Flash:
POST https://flash.socialhub.ai/api/member/web-push
Content-Type: application/json
{
"endpoint": "<browser push service endpoint>",
"keys": { "p256dh": "<client public key>", "auth": "<client auth secret>" }
}
// → 200 { data: { ok: true } }
// GET https://flash.socialhub.ai/api/member/web-push → the workspace public key + whether web push is on
// DELETE https://flash.socialhub.ai/api/member/web-push { "endpoint": "..." } → unsubscribe
// The member identity comes from the signed-in member session — never the body.Delivery: a channel, not an API call
// You do NOT call a "send web push" endpoint directly. Web push is a CHANNEL in the
// same send/automation stack as email and app push. When a campaign or journey targets
// a subscribed member:
//
// • Flash encrypts the payload to that member's subscription keys (RFC 8291) and
// hands it to the member's own browser push service for delivery.
// • Subscriptions that the push service reports as gone/expired are pruned
// automatically, so you don't keep sending into dead endpoints.Good to know
Works in modern browsers that support the Push API and service workers — the portal only offers the opt-in card where the browser supports it, so members are never shown a channel their browser can't use.
Off by default and per workspace: nothing is sent until an admin enables it and a member opts in through their browser.
The subscription's keys are supplied by the member's browser; Flash stores them to encrypt each message and never shares them across workspaces.
Related: App Push · Member Portal Embed · Compliance & Consent API
Wiring up web push?
Talk to an engineer about the service-worker + VAPID subscribe flow, the send-channel stack, or per-subscription message encryption.
Talk to engineering