Related: PF-10 notifications / push;
supabase/functions/send-push-notification, src/platform/notifications/hooks/usePushSubscription.ts
This guide merges the former split between “setup” and “Lovable” docs. Never commit real VAPID private keys or production key pairs to git. Use placeholders below and store secrets only in Supabase Edge secrets and your host’s env UI.
1. Executive summary
Web push requires a VAPID key pair and subject (mailto: or https: URL). The send-push-notification Edge Function in this repo implements sending with Deno’s Web Crypto APIs (VAPID JWT signing and payload encryption) — no Node web-push package in Edge. If you add or replace server-side push logic, use a Deno-compatible Web Push library (for example @negrel/webpush) or call a separate Node service that uses web-push, invoked from the Edge Function. The client continues to expose only the public key via VITE_VAPID_PUBLIC_KEY (unchanged).
2. Generate keys
On a trusted machine (not committed to the repo):web-push CLI only to generate keys; it is not the Edge runtime library. Record public key, private key, and set subject to a contact the push service can use, for example mailto:your-team@yourorg.org.
Rotate keys annually or immediately if compromised. After rotation, users may need to re-subscribe.
3. Lovable / Supabase (server-side)
In Supabase (or Lovable secrets UI for the project), set Edge Function secrets forsend-push-notification:
Deploy the edge function after setting secrets.
4. Vercel / local (client-side)
The private key must not appear here.
5. Implementation notes
- Edge: see
supabase/functions/send-push-notification/index.ts— native Web Crypto (RFC 8292 / 8291), no third-party push dependency; logs may referenceweb-push-nativeas the provider label. - Client: subscription flow in
usePushSubscription; storage tablepf_push_subscriptions. - New or alternate server implementations: prefer Deno-compatible Web Push libraries or a Node sidecar (see executive summary), not the Node
web-pushmodule inside Edge unless you run it in a separate Node runtime.
6. Verification
VAPID_*secrets present in Supabase for the push function.import.meta.env.VITE_VAPID_PUBLIC_KEYdefined in the built client.- Subscribe from the app; confirm a row in
pf_push_subscriptions. - Send a test push; confirm delivery and edge logs.
7. Security
- Private key: Supabase secrets only.
pf_push_subscriptions: Rows can hold device subscription endpoints and keys,user_id, and metadata — in healthcare contexts this may be PII or PHI-adjacent. Treat the table as sensitive: rely on RLS and least-privilege access, Supabase encryption in transit and at rest, audit who can read or export rows, and never log, document, or paste real tokens or subscription payloads in issues or PRs (same discipline as the private key rule above).- Enable secret scanning on the repository.
- Do not paste real keys into Markdown in pull requests.