Register Device - Sublay Documentation

curl --request POST \
  --url https://api.sublay.io/api/v6/:projectId/api/v7/push-notifications/devices \
  --header 'Content-Type: application/json' \
  --data '
{
  "platform": "<string>",
  "token": "<string>",
  "subscription": {
    "endpoint": "<string>",
    "keys.p256dh": "<string>",
    "keys.auth": "<string>"
  }
}
'

POST

:projectId

api

push-notifications

devices

curl --request POST \
  --url https://api.sublay.io/api/v6/:projectId/api/v7/push-notifications/devices \
  --header 'Content-Type: application/json' \
  --data '
{
  "platform": "<string>",
  "token": "<string>",
  "subscription": {
    "endpoint": "<string>",
    "keys.p256dh": "<string>",
    "keys.auth": "<string>"
  }
}
'

Registers a push device for the currently authenticated user. Re-registering the same physical device updates the existing record instead of creating a duplicate. If the device was previously registered by a different user (e.g. a shared device), it is reassigned to the calling user. Requires end-user authentication (Authorization: Bearer <accessToken>). Service and master keys are explicitly rejected — this endpoint has no impersonation path by design (see Security note). Requires the push bundle.

Body Parameters

platform

string

required

The device platform. One of "ios", "android", or "web".

token

string

The APNs or FCM device token. Required when platform is "ios" or "android".

subscription

object

The Web Push subscription object. Required when platform is "web".

Show subscription fields

endpoint

string

required

The push subscription endpoint URL provided by the browser’s PushManager.

keys.p256dh

string

required

The P-256 Diffie-Hellman public key, Base64-encoded.

keys.auth

string

required

The authentication secret, Base64-encoded.

Response

Returns 200 with an empty body on success.

Error Responses

Unauthorized — 401

{ "error": "Unauthorized", "code": "push-device/unauthorized" }

Returned when no valid end-user token is present, or when a service/master key is used (impersonation is not allowed on this endpoint).

Invalid Body — 400

{ "error": "...", "code": "push-device/invalid-body" }

Returned when platform is unrecognized, or when the required token / subscription field is missing for the given platform.

Bundle Not Installed — 403

{ "error": "...", "code": "database/tables-not-available" }

Returned when the push bundle is not installed for this project.

Security note

Unlike most other write endpoints, this endpoint does not accept a userId body parameter and cannot be called with a service key. Allowing a backend to register an arbitrary token for an arbitrary user would let it redirect that user’s push notifications to an attacker-controlled device. Registration must always come from the end user’s own session.

​Body Parameters

​Response

​Error Responses

​Security note

​See Also

Body Parameters

Response

Error Responses

Security note

See Also