Internet-Draft Use of VAPID in JMAP WebPush March 2024
Gultsch Expires 21 September 2024 [Page]
Intended Status:
Standards Track
D. Gultsch

Use of VAPID in JMAP WebPush


This document defines a method for JMAP servers to advertise their capability to authenticate WebPush notifications using the Voluntary Application Server Identification protocol.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 September 2024.

Table of Contents

1. Introduction

JMAP [RFC8620] specifies how clients can subscribe to events using a protocol that is compatible to WebPush [RFC8030]. Some push services require that the application server authenticates all push messages using the Voluntary Application Server Identification protocol [RFC8292]. To faciliate that the client (or user agent in WebPush terminology) needs the VAPID public key of the application server to pass it along to the push service when retrieving a new endpoint.

2. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings.

3. Discovering Support for VAPID

The JMAP capabilities object is returned as part of the standard JMAP session object (see Section 2 of [RFC8620]). Servers supporting this specification MUST add a property called "urn:ietf:params:jmap:webpush-vapid" to the capabilities object. The value of this property is an object that MUST contain the following information:

4. Issuing Push Notifications

Every time the server sends a push message to a PushSubscription URL it MUST authenticate that POST request using the protocol outlined in [RFC8292]. This includes both StateChange events and PushVerification notifications.

5. Security Considerations

The security considerations for JMAP ([RFC8620], especially Section 8.6 and Section 8.7 of that document), WebPush ([RFC8030]) and VAPID ([RFC8292]) apply to this document.

6. IANA Considerations

6.1. Registration of the JMAP Capability for VAPID

This specification requests IANA to register the JMAP Capability for VAPID with the following data:

Capability Name: urn:ietf:params:jmap:webpush-vapid

Specification document: this document

Intended use: common

Change Controller: IETF

7. Normative References

Jenkins, N. and C. Newman, "The JSON Meta Application Protocol (JMAP)", RFC 8620, DOI 10.17487/RFC8620, , <>.
Thomson, M., Damaggio, E., and B. Raymor, Ed., "Generic Event Delivery Using HTTP Push", RFC 8030, DOI 10.17487/RFC8030, , <>.
Thomson, M. and P. Beverloo, "Voluntary Application Server Identification (VAPID) for Web Push", RFC 8292, DOI 10.17487/RFC8292, , <>.
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <>.
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <>.
Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, , <>.

Author's Address

Daniel Gultsch