FCM Best Practices — Deliverability, Token Management & Security

Proven best practices for Firebase Cloud Messaging in production. Improve push notification delivery, handle FCM token refresh, manage priorities, and secure your implementation.

Push notifications are a powerful engagement tool, but only if they actually reach users. Here are the best practices for FCM.

Token Management

Always Handle Token Refresh

Device tokens change periodically. Always listen for refresh events:

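```dart
import 'package:firebase_messaging/firebase_messaging.dart';

// Fires whenever FCM issues a new registration token for this device.
FirebaseMessaging.instance.onTokenRefresh.listen((newToken) {
  // Update token on your server (updateServerToken is your own function)
  updateServerToken(newToken);
});
```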

Clean Up Stale Tokens

When FCM returns UNREGISTERED, remove that token from your database immediately. Sending to stale tokens wastes resources and can trigger rate limits.

Store Token Metadata

Save the platform (Android/iOS/Web), app version, and last-active timestamp alongside each token. This helps with debugging and targeted messaging.

Message Design

Use Both Notification and Data

Combine notification and data payloads for the best experience:

```json
{
  "notification": {
    "title": "New message",
    "body": "John sent you a photo"
  },
  "data": {
    "chatId": "abc123",
    "type": "photo",
    "senderId": "user456"
  }
}
```

The notification shows the alert; the data lets your app navigate to the right screen.

Keep Payloads Small

The 4 KB limit is total across all fields. Don't send large data through FCM — send an ID and fetch details from your API.

Use Platform Overrides

Customize for each platform instead of a one-size-fits-all approach:

  • Android: Set channel ID, priority, and custom sound
  • iOS: Set badge count, category for actions, and sound
  • Web: Set icon and click action URL

Security

Never Expose Service Account Keys

  • Store keys in environment variables or secret managers
  • Never commit them to version control
  • Rotate keys periodically

Validate on Your Server

Always validate notification content on your server before sending. Never trust client-provided payloads directly.

Use Topic Authorization

For sensitive topics, implement server-side subscription management rather than letting clients subscribe to any topic.
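The sketch below is an added example, not code from this page or from Firebase. It shows one way to apply the two rules above: the server builds the notification from its own templates and the authenticated sender instead of forwarding client text, and it gates topic subscriptions by role. The policy tables, `build_message`, `may_subscribe` and the shape of the `sender` record are assumptions made for illustration.

```python
import json

# Constructed policy for this example (not from the page or any real project).
BODY_TEMPLATES = {"photo": "{name} sent you a photo",
                  "text": "{name} sent you a message"}
TOPIC_ROLES = {"admin-alerts": {"admin"}, "news": {"admin", "user"}}
MAX_PAYLOAD_BYTES = 4096  # the 4 KB total limit noted under "Keep Payloads Small"


class Rejected(ValueError):
    """The client request must not be turned into a push message."""


def build_message(sender, request, device_token):
    """Build an FCM message body from a client request.

    `sender` is the authenticated user record loaded by the server;
    `request` is the untrusted JSON the client posted.
    """
    msg_type, chat_id = request.get("type"), request.get("chatId")
    if not isinstance(msg_type, str) or msg_type not in BODY_TEMPLATES:
        raise Rejected("unknown message type")
    if not (isinstance(chat_id, str) and chat_id.isalnum() and len(chat_id) <= 64):
        raise Rejected("malformed chatId")
    if chat_id not in sender["chats"]:
        raise Rejected("sender is not a member of this chat")
    # Title and body come from server templates; senderId comes from the
    # session. Any title/body/senderId in the client request is ignored.
    message = {
        "token": device_token,
        "notification": {"title": "New message",
                         "body": BODY_TEMPLATES[msg_type].format(name=sender["name"])},
        "data": {"chatId": chat_id, "type": msg_type, "senderId": sender["id"]},
    }
    payload = {k: message[k] for k in ("notification", "data")}
    size = len(json.dumps(payload, ensure_ascii=False).encode("utf-8"))
    if size > MAX_PAYLOAD_BYTES:  # approximation of FCM's own size accounting
        raise Rejected("payload too large")
    return message


def may_subscribe(user, topic):
    """Topic gate: unknown topics and users without the role are denied."""
    return user["role"] in TOPIC_ROLES.get(topic, set())
```

Call `may_subscribe` in the endpoint that performs the subscription on the client's behalf, so a device is only ever added to a topic after the server has approved it.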

Deliverability

Respect Rate Limits

FCM has rate limits per project. Spread your sends over time for batch notifications.

Set Appropriate TTL

Time-sensitive notifications (OTP, live scores) should have short TTL. Marketing notifications can use the default 28 days.

Monitor Delivery

Use Firebase Console's Cloud Messaging analytics and set analytics_label on messages to track delivery rates by message type.

Testing

Use our FCM Tester to validate your payloads before deploying. Test on all platforms you support.