Sending web push to APNs (https://web.push.apple.com) responds with 403 Forbidden

Question

We can send web push from java server to PWA on Android/Chrome works fine, but sending to PWA on iPhone/Safari fails with 403 Forbidden.

Works fine on Android phone

• PWA gets installed on Android phone via Chrome
• User clicks Subscribe button in app and grants permission
• App gets Subscription using server's VAPID public key
• PWA sends Subscription (endpoint, keys) to server
• Server sends web push to subscription endpoint (https://fcm.googleapis.com/fcm/send/...)
• FCM responds with 201 Created
• PWA service worker gets the "push" event and shows the notification

Request to fcm.googleapis.com

url:https://fcm.googleapis.com/wp/evZRV...IeBQGGaRfGK
Authorization=vapid t=eyJ0eXAiOi...o2jHfWJGw, k=BHBlZKwyYa...SclQckMDxE
Content-Encoding=aes128gcm
TTL=2419200
Crypto-Key=p256ecds...lQckMDxE=
Content-Type=application/octet-stream
method:POST
protocol version:HTTP/1.1
entity:[Content-Length: 219,Chunked: false]

Response

statusline:HTTP/1.1 201 Created
Location=https://fcm.googleapis.com/0:1705097911549557%0f493ae6f9fd7ecd
X-Content-Type-Options=nosniff
X-Frame-Options=SAMEORIGIN
X-Xss-Protection=0
Date=Fri, 12 Jan 2024 22:18:31 GMT
Content-Length=0
Content-Type=text/html; charset=UTF-8
Alt-Svc=h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
protocol version:HTTP/1.1
entity:[Content-Type: text/html; charset=UTF-8,Content-Length: 0,Chunked: false]

Fails on iPhone

• PWA gets installed on iPhone via Safari
• User clicks Subscribe button in app and grants permission
• App gets Subscription using server's VAPID public key
• PWA sends Subscription (endpoint, keys) to server
• Server sends web push to subscription endpoint (https://web.push.apple.com/...)
• FCM responds with 403 Forbidden
• PWA service worker never gets the "push" event

Request to web.push.apple.com

url:https://web.push.apple.com/QPU8aHza...q44-RonI
Authorization=vapid t=eyJ0eXAiO...DKVX7h5g, k=BHBlZKwy...QckMDxE
Content-Encoding=aes128gcm
TTL=2419200
Crypto-Key=p256ecdsa=BHBlZKwy...clQckMDxE=
Content-Type=application/octet-stream
method:POST
protocol version:HTTP/1.1
entity:[Content-Length: 219,Chunked: false]

Response

statusline:HTTP/1.1 403 Forbidden
content-type=text/plain; charset=UTF-8
apns-id=3597065D-3C81-ED1D-A56C-E5CED97D3BC1
protocol version:HTTP/1.1
entity:org.apache.http.client.entity.DecompressingEntity@6cbc2aee

I'm using the webpush-java library to prepare the web push request. Here's the send code:

JSONObject json = new JSONObject();

json.put("title", "Hello");

json.put("body", "This is a test.");

json.put("sub","mailto:[email protected]");

PushService pushService = new PushService(publicKey, privateKey);
Notification notification = new Notification(subscription, json);

HttpPost httppost = pushService.preparePost(notification, Encoding.AES128GCM);

HttpClient httpclient = HttpClients.createDefault();

HttpResponse response = httpclient.execute(httppost);


Any help would be greatly appreciated.