Web Push API (VAPID)

W3C standard for sending push notifications to web browsers via Service Workers without requiring a native app, using VAPID keys for serverless push delivery.

Evaluated Mar 06, 2026 (0d ago) vW3C Push API
Homepage ↗ Repo ↗ Other web-push vapid push-notifications pwa service-worker browser
⚙ Agent Friendliness
57
/ 100
Can an agent use this?
🔒 Security
83
/ 100
Is it safe for agents?
⚡ Reliability
78
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
80
Error Messages
72
Auth Simplicity
83
Rate Limits
68

🔒 Security

TLS Enforcement
100
Auth Strength
80
Scope Granularity
70
Dep. Hygiene
83
Secret Handling
82

VAPID private key must be kept secret — compromise allows sending notifications to all subscribed users. HTTPS required for Service Worker registration.

⚡ Reliability

Uptime/SLA
70
Version Stability
85
Breaking Changes
85
Error Recovery
72
AF Security Reliability

Best When

Building PWAs or web apps that need real-time agent notifications delivered to users' browsers without requiring a native app or paid push service.

Avoid When

You need reliable guaranteed delivery, support mobile native apps, or want managed analytics and segmentation — use OneSignal or FCM instead.

Use Cases

  • Sending agent-triggered notifications to web users when long-running tasks complete
  • Real-time alerts from agents to subscribed browser clients without polling
  • Re-engagement notifications for PWA users based on agent-detected activity triggers
  • Broadcasting critical agent alerts to all subscribed users simultaneously
  • Progressive Web App notification delivery that works across Chrome, Firefox, Safari, and Edge

Not For

  • Mobile native apps (use APNs/FCM for iOS/Android native push)
  • Guaranteed delivery — browsers can block, expire, or throttle push subscriptions
  • High-frequency notifications — browsers throttle aggressive push senders

Interface

REST API
Yes
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: api_key
OAuth: No Scopes: No

VAPID (Voluntary Application Server Identification) — generate VAPID public/private key pair. Public key shared with browser subscription; private key signs server-to-push-service requests.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

W3C standard using browser vendor push services (Google FCM, Mozilla, APNs). No per-message cost. Self-hosted sending server.

Agent Metadata

Pagination
none
Idempotent
No
Retry Guidance
Not documented

Known Gotchas

  • Subscriptions expire or become invalid (410 Gone) — agents must handle InvalidPushSubscription responses and cleanup stale subscriptions
  • Safari requires user interaction to prompt for permission — cannot auto-request permissions on page load in Safari
  • Push payload is limited to ~4KB — agents must keep notification data minimal; use notification to trigger client data fetch
  • Service Worker must be registered on exact scope path — incorrect scope means push events never fire
  • Browser throttling: Chrome throttles to ~1 notification/second per origin; excessive push can result in push permission revocation

Alternatives

firebase-fcm-api onesignal-api aws-pinpoint-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Web Push API (VAPID).

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5173
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered