What are the exact conditions for '429 TooManyProviderTokenUpdates' in APNs when managing multiple TEAM_ID and KEY_ID?

Hi, we are building a system that integrates with APNs using the Token-Based Authentication method. While testing, we encountered the 429 TooManyProviderTokenUpdates error and would like clarification on the exact conditions that trigger this response.

Our Testing Scenario:

  1. Private Key: We keep the same Private Key constant across requests.
  2. TEAM_ID and KEY_ID: For testing purposes, we change the TEAM_ID and KEY_ID for every JWT we generate.
  3. Requests: Each generated JWT is used to call the /3/device/{token} API endpoint.

Observed Behavior:

  • When we test with different TEAM_ID and KEY_ID combinations, we initially receive 403 InvalidProviderToken, which is expected because the TEAM_ID and KEY_ID combinations are invalid.
  • However, if we change the TEAM_ID and KEY_ID and make multiple calls (e.g., more than two within 20 minutes), we start receiving 429 TooManyProviderTokenUpdates.
  • If we switch to a different IP address (via VPN) after receiving the 429 error, we revert to receiving 403 InvalidProviderToken.

Our Use Case: We are building a system where multiple server clusters handle multiple apps (some under the same Apple Developer account, others under different accounts). Each server generates JWTs for requests to the APNs /3/device/{token} API.

Our Questions:

  1. What specific conditions cause the 429 TooManyProviderTokenUpdates error? Does APNs monitor token updates at the level of TEAM_ID and KEY_ID, or does it consider additional factors such as the originating IP address or shared infrastructure?
  2. How does APNs handle frequent changes in TEAM_ID and KEY_ID within a single server or cluster?
  3. Is there any documentation or guidance on managing JWTs effectively in a distributed system with multiple apps and servers?
  4. Does APNs limit JWT updates based on IP address or API endpoint usage across multiple apps sharing the same Apple Developer account?

We would greatly appreciate any clarification on these points and guidance on best practices for managing JWTs in a multi-cluster environment.

Thank you!

To simplify your worries here: APNs doesn’t support authentication tokens from multiple developer accounts over a single connection.

So, if you have multiple apps from different teams, you will need to send pushes to those on different connections. You can open multiple connections to APNs from a single host. You will likely run out of your own resources before you can deplete connections on the APNs side (but if interested, I can provide some guidance later if your requests per minute hit millions).

Once you are on a connection established with a JWT for a specific TEAM_ID/KEY_ID combo, the very specific and only reason for 429 TooManyProviderTokenUpdates error is going to be creating a new JWT in less than 20 minutes for that TEAM_ID/KEY_ID on the same connection. As you are not supposed to send requests for multiple TEAM_ID/KEY_ID sets on the same connection, this makes the rule quite simple.

Our general recommendation for better performance for both ends is to have a central JWT generated for a TEAM_ID/KEY_ID to be used on all connections and hosts on your farm - because both generating and decoding them are expensive - but it is not required. Unique JWTs per connection would be OK when starting up, but when your volume becomes substantial, you will want to optimize every bit to avoid unnecessary work and time burden.


Argun Tekant / DTS Engineer / Core Technologies
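
The central-JWT recommendation in the answer above, sketched as an added example (not code from the original thread or from Apple): one cached token per TEAM_ID/KEY_ID, shared by every connection and regenerated no sooner than 20 minutes after it was issued. `ProviderTokenCache`, `es256_sign` and the 50-minute refresh default are hypothetical names and choices; the one-hour maximum token age is APNs' documented limit and is not stated in this thread; the default signer assumes the third-party `cryptography` package.

```python
import base64, json, threading, time

MIN_REFRESH = 20 * 60  # regenerating sooner on a connection gets 429 TooManyProviderTokenUpdates
MAX_AGE = 60 * 60      # assumption from APNs docs (not this thread): older iat is rejected

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def es256_sign(private_key, signing_input: bytes) -> bytes:
    """Default signer: ES256 as raw r||s, given a P-256 key object from `cryptography`."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
    der = private_key.sign(signing_input, ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der)
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

class ProviderTokenCache:
    """Hypothetical helper: one shared JWT per (team_id, key_id) for all connections."""

    def __init__(self, sign=es256_sign, clock=time.time, refresh_after=50 * 60):
        if not MIN_REFRESH <= refresh_after < MAX_AGE:
            raise ValueError("refresh_after must be >= 20 min and < 60 min")
        self._sign, self._clock, self._refresh_after = sign, clock, refresh_after
        self._tokens = {}  # (team_id, key_id) -> (issued_at, jwt)
        self._lock = threading.Lock()

    def token(self, team_id: str, key_id: str, private_key) -> str:
        # The lock keeps concurrent senders from minting two tokens for one key.
        with self._lock:
            now = int(self._clock())
            cached = self._tokens.get((team_id, key_id))
            if cached and now - cached[0] < self._refresh_after:
                return cached[1]  # still fresh: reuse, no new signature
            header = b64url(json.dumps({"alg": "ES256", "kid": key_id}).encode())
            claims = b64url(json.dumps({"iss": team_id, "iat": now}).encode())
            sig = self._sign(private_key, f"{header}.{claims}".encode())
            jwt = f"{header}.{claims}.{b64url(sig)}"
            self._tokens[(team_id, key_id)] = (now, jwt)
            return jwt
```

Each connection stays bound to a single TEAM_ID/KEY_ID, as the answer requires, and sends the value returned by `token()` for that pair in its `authorization: bearer` header. In a multi-host farm the same idea applies with the cache held in a shared store instead of process memory.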
