Firebase Cloud Messaging (FCM) lets your Bolt.new app send push notifications to users — but only on deployed sites. Bolt's WebContainer uses its own Service Worker for networking, which prevents registering a custom FCM Service Worker during development. Deploy to Netlify or Bolt Cloud first, set up your VAPID key, then FCM push notifications will work end-to-end.
Push Notifications in Bolt.new: A Deployment-First Integration
Firebase Cloud Messaging is the industry-standard solution for web push notifications, used by millions of apps to re-engage users with timely alerts. Integrating FCM with a Bolt.new app enables real-time notifications for new messages, order updates, content alerts, and any event your backend needs to communicate to users — even when they have your app closed in a background tab.
The critical constraint you must understand before starting: push notifications rely on Service Workers, and Bolt's WebContainer already uses a Service Worker to virtualize its networking layer. Because browsers allow only one active Service Worker per origin, your FCM Service Worker (firebase-messaging-sw.js) cannot be registered in the WebContainer preview environment. Any attempt to test push notifications in the Bolt preview will silently fail — no errors, just no notifications. This is not a bug you can work around; it is a fundamental architectural constraint of how WebContainers work.
The correct workflow is to build and configure the integration in Bolt, deploy to Netlify or Bolt Cloud first, and then test the complete push notification flow on your deployed domain. This tutorial walks you through every step: Firebase project setup, VAPID key configuration, permission UI, the firebase-messaging-sw.js Service Worker file, FCM token storage, and the server-side API route that sends notifications using firebase-admin.
Integration method
FCM push notifications require a Service Worker registered on the client side and firebase-admin on the server side for sending messages. In Bolt.new, the firebase JS SDK handles frontend notification permissions and token registration, while an API route uses firebase-admin to send notifications. The entire push notification flow only works on deployed sites — not in Bolt's WebContainer preview — because WebContainers control their own Service Worker for networking.
Prerequisites
- A Bolt.new account with a Next.js project created
- A Google account to access Firebase Console (console.firebase.google.com)
- A Netlify account or Bolt Cloud access for deployment (required for testing)
- Basic understanding of environment variables in Bolt (.env file)
- Node.js packages: firebase (client SDK) and firebase-admin (server SDK)
Step-by-step guide
Create a Firebase Project and Enable Cloud Messaging
Create a Firebase Project and Enable Cloud Messaging
Start by creating a new Firebase project at console.firebase.google.com. Click 'Add project', give it a name matching your app, and follow the setup wizard — you can disable Google Analytics if you don't need it. Once your project is created, click the web icon ('< />') to register a web app. Name it, skip the Firebase Hosting option, and you'll receive your firebaseConfig object containing apiKey, authDomain, projectId, storageBucket, messagingSenderId, and appId. Next, navigate to Project Settings (gear icon) → Cloud Messaging tab. Scroll to 'Web Push certificates' and click 'Generate key pair'. This creates your VAPID (Voluntary Application Server Identification) key pair. Copy the Key pair value — this is your VAPID public key, which the browser uses to verify that push messages come from your server. Without it, the browser will reject Service Worker registration for push. Finally, navigate to Project Settings → Service Accounts tab, and click 'Generate new private key'. Download the JSON file. This file contains your firebase-admin credentials — you'll extract the project_id, client_email, and private_key values from it for your server-side environment variables. Treat this file like a password: never commit it to source control.
Pro tip: Keep the Service Account JSON file open — you'll need to copy three specific fields (project_id, client_email, private_key) into your .env file in the next step.
Expected result: You have a Firebase project with a registered web app, a VAPID key pair generated, and a Service Account private key JSON downloaded.
Configure Environment Variables in Bolt
Configure Environment Variables in Bolt
In your Bolt.new project, open the .env file (or create one in the project root if it doesn't exist). You need two sets of variables: public Firebase config for the client-side SDK, and private Service Account credentials for the server-side firebase-admin SDK. For the client-side Firebase config, all variables must use the NEXT_PUBLIC_ prefix so they're accessible in browser code. For firebase-admin on the server, variables must NOT have this prefix — they're only ever accessed inside API routes and never bundled to the client. The private key from the Service Account JSON has literal newline characters (\n) that you must preserve exactly as-is when pasting into the .env file. Once you've added all variables, prompt Bolt to install the required npm packages. The firebase package handles client-side SDK operations (token registration, notification permissions), while firebase-admin is the server-side package for sending messages.
Install the firebase and firebase-admin npm packages in my project. Then create a lib/firebase.ts file that initializes the Firebase client SDK using environment variables with NEXT_PUBLIC_ prefix, and a lib/firebase-admin.ts file that initializes the Admin SDK using server-only environment variables. Both files should use TypeScript and handle the case where the app is already initialized.
Paste this in Bolt.new chat
1# .env file — add these to your project root2# Client-side Firebase config (safe to expose, use NEXT_PUBLIC_ prefix)3NEXT_PUBLIC_FIREBASE_API_KEY=your_api_key_here4NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=your-project.firebaseapp.com5NEXT_PUBLIC_FIREBASE_PROJECT_ID=your-project-id6NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=your-project.appspot.com7NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=1234567898NEXT_PUBLIC_FIREBASE_APP_ID=1:123456789:web:abcdef9NEXT_PUBLIC_FIREBASE_VAPID_KEY=your_vapid_public_key1011# Server-side firebase-admin (NEVER expose these — no NEXT_PUBLIC_ prefix)12FIREBASE_PROJECT_ID=your-project-id13FIREBASE_CLIENT_EMAIL=firebase-adminsdk-xxxxx@your-project.iam.gserviceaccount.com14# Copy private_key exactly from JSON, including \n escape sequences15FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMIIEvAIBAD...\n-----END PRIVATE KEY-----\n"Pro tip: When copying FIREBASE_PRIVATE_KEY from the JSON file, the value will have \n sequences. Wrap the entire value in double quotes in your .env file so the newlines are preserved correctly.
Expected result: Your .env file has both client and server Firebase variables. Running npm install completes without errors, and both firebase and firebase-admin packages appear in package.json.
Create the Firebase SDK Initialization Files
Create the Firebase SDK Initialization Files
Create two separate initialization files: one for the client-side Firebase SDK and one for the server-side Admin SDK. Keeping these separate prevents accidentally importing server credentials into client bundles — a critical security boundary. The client file initializes Firebase with your public config and exports the messaging instance. It must guard against re-initialization (Firebase throws if you call initializeApp() more than once), which can happen with Next.js hot module replacement during development. The server-side Admin SDK initialization uses a similar guard pattern. The private key from the environment variable needs its \n escape sequences converted to actual newlines — this is a common source of authentication errors when the key is pasted directly from environment variables.
Create the Firebase initialization files I described. Also create a public/firebase-messaging-sw.js Service Worker file that imports the Firebase compat SDK scripts and handles background push notifications with notificationclick events.
Paste this in Bolt.new chat
1// lib/firebase.ts — client-side initialization2import { initializeApp, getApps, getApp } from 'firebase/app';3import { getMessaging, type Messaging } from 'firebase/messaging';45const firebaseConfig = {6 apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,7 authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,8 projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,9 storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,10 messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,11 appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,12};1314const app = getApps().length === 0 ? initializeApp(firebaseConfig) : getApp();1516export function getFirebaseMessaging(): Messaging | null {17 // Messaging is only available in browser environments18 if (typeof window === 'undefined') return null;19 try {20 return getMessaging(app);21 } catch {22 return null;23 }24}2526export { app };Expected result: lib/firebase.ts and lib/firebase-admin.ts are created without TypeScript errors. The firebase-messaging-sw.js file exists in the public/ folder.
Build the Notification Permission UI and Token Registration
Build the Notification Permission UI and Token Registration
Push notifications require explicit user permission. You need a React component that requests permission from the browser, retrieves the FCM registration token when permission is granted, and saves that token to your database so your server can target specific users later. The FCM token is the unique identifier for this user's browser instance. It's what you pass to firebase-admin when sending a notification. Tokens can be refreshed by Firebase — good practice is to check and update the stored token each time the user loads the app. Important: the permission request and token generation will work in Bolt's WebContainer preview for the JavaScript logic, but the push notifications themselves will not arrive in the preview. Token generation requires a Service Worker to be registered, which will fail silently in WebContainers. You won't see errors — the function simply won't return a token until you deploy. This is expected behavior.
Create a NotificationPermission React component that: 1) Shows a 'Enable notifications' button when permission is 'default', 2) Calls Notification.requestPermission() on click, 3) Uses Firebase getToken() with the VAPID key to get the FCM registration token, 4) Saves the token to a /api/save-fcm-token endpoint via POST, 5) Shows appropriate UI for 'granted' and 'denied' states. Use TypeScript and handle loading/error states.
Paste this in Bolt.new chat
1// components/NotificationPermission.tsx2'use client';3import { useState } from 'react';4import { getToken } from 'firebase/messaging';5import { getFirebaseMessaging } from '@/lib/firebase';67export function NotificationPermission() {8 const [status, setStatus] = useState<'idle' | 'loading' | 'granted' | 'denied'>('idle');910 async function requestPermission() {11 setStatus('loading');12 try {13 const permission = await Notification.requestPermission();14 if (permission !== 'granted') {15 setStatus('denied');16 return;17 }18 const messaging = getFirebaseMessaging();19 if (!messaging) {20 // Service Worker not available — running in WebContainer preview21 console.warn('FCM not available: Service Worker cannot register in WebContainer. Deploy to test push notifications.');22 setStatus('denied');23 return;24 }25 const token = await getToken(messaging, {26 vapidKey: process.env.NEXT_PUBLIC_FIREBASE_VAPID_KEY,27 });28 if (token) {29 await fetch('/api/save-fcm-token', {30 method: 'POST',31 headers: { 'Content-Type': 'application/json' },32 body: JSON.stringify({ token }),33 });34 setStatus('granted');35 }36 } catch (error) {37 console.error('Error requesting notification permission:', error);38 setStatus('denied');39 }40 }4142 if (status === 'granted') return <p className="text-green-600">Notifications enabled</p>;43 if (status === 'denied') return <p className="text-red-500">Notifications blocked or unavailable</p>;4445 return (46 <button47 onClick={requestPermission}48 disabled={status === 'loading'}49 className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 disabled:opacity-50"50 >51 {status === 'loading' ? 'Requesting...' : 'Enable Notifications'}52 </button>53 );54}Pro tip: Add an explanatory message above the button telling users why they're being asked for permission — browsers are more likely to grant permission when context is clear.
Expected result: The NotificationPermission component renders correctly. Clicking 'Enable notifications' triggers the browser permission dialog. After granting, the component calls /api/save-fcm-token (which you'll create next).
Create the Server-Side API Routes for Saving Tokens and Sending Notifications
Create the Server-Side API Routes for Saving Tokens and Sending Notifications
You need two API routes: one to save FCM tokens to your database when users subscribe, and one to send push notifications using firebase-admin. Both routes run server-side in Next.js API routes, outside the WebContainer's browser context, which means they can safely access your firebase-admin credentials. The send-notification route accepts a target token (or a topic for broadcasting), a notification title, and a body. It uses firebase-admin's messaging API to construct and send the message. You can extend this to send to multiple tokens simultaneously using sendEachForMulticast, which handles batches of up to 500 tokens and returns per-token success/failure results. For the token storage route, a simple database table with columns for user_id, token, and updated_at is sufficient. Use your existing database setup (Supabase, Bolt Database, etc.) to persist tokens. Tokens are per-browser-instance, so one user might have multiple tokens across devices.
Create two Next.js API routes: 1) /api/save-fcm-token (POST) that saves the FCM token to a database table called fcm_tokens with fields user_id, token, and created_at. 2) /api/send-notification (POST) that accepts token, title, and body fields and sends a push notification using firebase-admin messaging. Both should use TypeScript and proper error handling.
Paste this in Bolt.new chat
1// app/api/send-notification/route.ts2import { NextResponse } from 'next/server';3import { initializeApp, getApps, cert } from 'firebase-admin/app';4import { getMessaging } from 'firebase-admin/messaging';56// Initialize firebase-admin once7if (!getApps().length) {8 initializeApp({9 credential: cert({10 projectId: process.env.FIREBASE_PROJECT_ID,11 clientEmail: process.env.FIREBASE_CLIENT_EMAIL,12 // Replace escaped \n with real newlines — required for env var format13 privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\n/g, '\n'),14 }),15 });16}1718export async function POST(request: Request) {19 try {20 const { token, title, body, data } = await request.json();2122 if (!token || !title) {23 return NextResponse.json(24 { error: 'token and title are required' },25 { status: 400 }26 );27 }2829 const messaging = getMessaging();30 const messageId = await messaging.send({31 token,32 notification: { title, body },33 data: data ?? {},34 webpush: {35 notification: {36 icon: '/icon-192x192.png',37 badge: '/badge-72x72.png',38 },39 fcmOptions: {40 link: process.env.NEXT_PUBLIC_APP_URL ?? '/',41 },42 },43 });4445 return NextResponse.json({ success: true, messageId });46 } catch (error) {47 console.error('FCM send error:', error);48 return NextResponse.json(49 { error: 'Failed to send notification' },50 { status: 500 }51 );52 }53}Pro tip: The .replace(/\\n/g, '\n') on the private key is essential — environment variables store \n as a literal two-character sequence, but the RSA key needs real newline characters.
Expected result: Both API routes are created and TypeScript compiles without errors. The routes are accessible at /api/save-fcm-token and /api/send-notification.
Deploy and Test End-to-End Push Notifications
Deploy and Test End-to-End Push Notifications
Because Service Workers cannot register in Bolt's WebContainer, you must deploy before testing the complete push notification flow. This is not optional — it is a hard requirement of the architecture. First, deploy to Netlify by connecting your GitHub repo (push your Bolt project to GitHub first, then connect in Netlify's dashboard) or use Bolt Cloud's publish feature. In your hosting provider's dashboard, add all the environment variables from your .env file — both the NEXT_PUBLIC_ client variables and the server-only FIREBASE_* variables. Do not skip any. After deployment, visit your deployed URL (not the Bolt preview URL) and open the developer tools console. Click 'Enable notifications', grant permission, and check the console for the FCM token. The Service Worker should register successfully — you'll see firebase-messaging-sw.js in the Application → Service Workers tab of DevTools. Once a token is saved, use a tool like Postman or the Firebase Console's Cloud Messaging test feature to send a test notification to that specific token. You should see the browser notification appear even if the tab is in the background.
Add a test notification button to my admin page that calls /api/send-notification with a hardcoded test message. Also add console.log statements in the NotificationPermission component that print the FCM token after it's retrieved, so I can copy it for testing.
Paste this in Bolt.new chat
1// public/firebase-messaging-sw.js — REQUIRED file in public/ folder2// This Service Worker handles background push notifications3// Must be at the root of your domain for FCM to register it4importScripts('https://www.gstatic.com/firebasejs/10.7.1/firebase-app-compat.js');5importScripts('https://www.gstatic.com/firebasejs/10.7.1/firebase-messaging-compat.js');67firebase.initializeApp({8 apiKey: 'REPLACE_WITH_YOUR_API_KEY',9 authDomain: 'REPLACE_WITH_YOUR_AUTH_DOMAIN',10 projectId: 'REPLACE_WITH_YOUR_PROJECT_ID',11 storageBucket: 'REPLACE_WITH_YOUR_STORAGE_BUCKET',12 messagingSenderId: 'REPLACE_WITH_YOUR_SENDER_ID',13 appId: 'REPLACE_WITH_YOUR_APP_ID',14});1516const messaging = firebase.messaging();1718// Handle background messages19messaging.onBackgroundMessage((payload) => {20 console.log('Background message received:', payload);21 const { title, body } = payload.notification ?? {};22 self.registration.showNotification(title ?? 'New notification', {23 body: body ?? '',24 icon: '/icon-192x192.png',25 });26});2728// Handle notification click — open app when user taps notification29self.addEventListener('notificationclick', (event) => {30 event.notification.close();31 event.waitUntil(32 clients.openWindow(event.notification.data?.link ?? '/')33 );34});Pro tip: The firebase-messaging-sw.js file in the public/ folder CANNOT use import.meta.env — Service Workers don't have access to Vite/Next.js build-time variables. You must hardcode the public Firebase config values directly in this file. These are safe to expose (they're already in client-side code).
Expected result: After deploying, the Service Worker registers at firebase-messaging-sw.js on your domain. FCM tokens are generated and saved. Test notifications sent from the Firebase Console or your /api/send-notification endpoint appear as browser notifications.
Common use cases
SaaS App Re-Engagement Notifications
Send push notifications when new activity happens in a user's account — new comments, mentions, task assignments, or status changes. Users receive alerts even when the app is in a background tab, keeping engagement high without requiring email.
Add Firebase Cloud Messaging to my Next.js app. I need a notification permission button, an API route at /api/send-notification that accepts a token and message payload and sends a push via firebase-admin, and a firebase-messaging-sw.js Service Worker file. Use TypeScript and store credentials in environment variables.
Copy this prompt to try it in Bolt.new
E-Commerce Order Status Alerts
Notify customers when their order ships, arrives at a facility, or is out for delivery. This replaces polling-heavy status pages with instant push delivery, reducing customer support load.
Build an order tracking page with Firebase Cloud Messaging push notifications. When order status changes to 'shipped' or 'delivered', send a push notification to the subscribed user. Include the FCM token registration flow, a Supabase table for storing user tokens, and an API route to trigger notifications.
Copy this prompt to try it in Bolt.new
Real-Time Collaboration Alerts
Inform team members when a collaborator makes changes to a shared document, assigns a task, or leaves a comment. Push notifications surface activity in real time without requiring users to keep the app open.
Add push notification support to my collaborative task manager using Firebase Cloud Messaging. Users should be able to subscribe to notifications, and I need an endpoint that broadcasts a notification to all team members when a task is updated. Store FCM tokens in a database table keyed by user ID.
Copy this prompt to try it in Bolt.new
Troubleshooting
getToken() returns null or throws 'Messaging: We are unable to register the default service worker'
Cause: This is expected behavior in Bolt's WebContainer preview. The WebContainer uses its own Service Worker for networking, preventing FCM from registering firebase-messaging-sw.js. Push notification testing is impossible in the preview environment.
Solution: Deploy to Netlify or Bolt Cloud and test on the deployed URL. The Service Worker will register correctly on a real domain.
firebase-admin throws 'Error: Failed to determine service account' or 'invalid_grant' when sending notifications
Cause: The FIREBASE_PRIVATE_KEY environment variable has malformed newlines. Environment variables store \n as a literal two-character escape sequence, but the RSA private key requires actual newline characters.
Solution: Ensure the private key value in your hosting dashboard includes the literal \n sequences (not real newlines), and that your API route applies .replace(/\\n/g, '\n') before passing it to cert().
1privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\n/g, '\n')Browser shows 'Notification permission denied' immediately without a dialog, or notifications never appear
Cause: The browser may have previously blocked notifications for this origin, or the user dismissed the prompt. Notification permission state persists across sessions.
Solution: In Chrome, click the lock icon in the address bar → Notifications → Reset permission. Then reload and try again. Ensure your site is served over HTTPS — push notifications require a secure context.
Notification appears when app is open (foreground) but not when minimized (background)
Cause: Background notifications are handled by the Service Worker (firebase-messaging-sw.js), while foreground notifications are handled by onMessage() in the app. If firebase-messaging-sw.js has errors or incorrect config, background delivery fails.
Solution: Open DevTools → Application → Service Workers and check for errors in firebase-messaging-sw.js. Verify the Firebase config values are hardcoded correctly in the Service Worker file (environment variables are not available in Service Workers).
Best practices
- Never test FCM push notifications in Bolt's WebContainer preview — always deploy first, as the Service Worker cannot register in the browser-based runtime
- Hardcode public Firebase config values in firebase-messaging-sw.js since Service Workers cannot access Vite or Next.js environment variables at runtime
- Store FCM tokens in your database with a timestamp and user ID — tokens can be refreshed by Firebase and should be updated on each app load
- Keep firebase-admin credentials (project_id, client_email, private_key) in server-side environment variables only — never in NEXT_PUBLIC_ prefixed variables
- Handle the case where getToken() returns null gracefully — this happens in unsupported browsers, incognito mode, and WebContainer previews
- Use sendEachForMulticast when sending to multiple users — it handles up to 500 tokens per call and returns per-token success/failure results
- Add clear user-facing copy explaining why you need notification permission before triggering the browser's permission dialog
- Register a cleanup webhook to remove invalid tokens — Firebase returns a 'messaging/registration-token-not-registered' error for stale tokens that should be deleted from your database
Alternatives
Twilio offers SMS and WhatsApp notifications that work across all devices without requiring notification permission, making it better for high-priority alerts users must not miss.
SendGrid delivers notifications via email, which has broader reach than push but lower immediacy — good for digest-style or non-time-sensitive notifications.
The full Firebase SDK adds Firestore, Authentication, and Storage alongside messaging, making it worth using if you need a complete backend rather than push notifications alone.
Frequently asked questions
Can I test FCM push notifications in Bolt's preview window?
No. Push notifications require a Service Worker registered at your domain, but Bolt's WebContainer uses its own Service Worker for networking. Because browsers only allow one active Service Worker per origin, your FCM Service Worker cannot register during development. You must deploy to Netlify or Bolt Cloud and test on the live URL.
Does Firebase Cloud Messaging cost anything?
FCM is completely free with no usage limits. It's one of Google's genuinely free products — there's no per-message pricing, no monthly caps, and no paid tier required. You only pay if you add other Firebase services like Firestore or Cloud Functions.
How do I send a push notification to all users at once instead of one at a time?
Use FCM Topics or use firebase-admin's sendEachForMulticast() method with an array of tokens. Topics let you subscribe users to named channels (e.g., 'news-updates') and send one message to all subscribers. Multicast lets you send to up to 500 specific tokens in a single API call, which is useful for targeted broadcasts.
Do push notifications work on Safari and iOS?
Web push notifications on iOS Safari require iOS 16.4 or later, and users must add your site to their Home Screen first (PWA mode). FCM supports iOS via the Apple Push Notification service (APNs) bridge, but you need to configure an APNs key in Firebase Console → Project Settings → Cloud Messaging → Apple app configuration.
What happens to my FCM tokens when I redeploy to a new domain?
FCM tokens are tied to the Service Worker registration and the origin (domain). If you change domains, all existing tokens become invalid and users must re-subscribe. Always test on your final production domain and plan for a re-subscription flow if you ever migrate domains.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation