Push notifications can drive retention—or churn if abused. The craft is getting the right message to the right user at the right time, with the right technical setup so it actually arrives. This playbook covers the transport layer (APNs/FCM), deliverability tuning, segmentation and timing, and privacy-safe personalization patterns for 2025.
1) Transport fundamentals
- APNs (iOS/macOS): JWT token auth; HTTP/2 over TLS; per-message priority (10 = immediate, 5 = background). Respect collapse IDs and apns-expiration.
- FCM (Android/Web): V1 HTTP API with OAuth2; topics and device groups; high/normal priority; channel importance on device.
- Receipt handling: Store provider response IDs; map to your message record for retries and diagnostics.
2) Device token lifecycle
- Acquisition: Request permission only after demonstrating value; show a sample content/settings screen first (pre-prompt).
- Rotation: Tokens change; update server on every app open and at install/upgrade.
- Uninstalls & bounces: Expired/invalid tokens must be purged automatically; track rejection reasons.
3) Payload design for reliability
- Compact JSON: Keep under size limits (APNs ~4KB effective).
- Collapse keys: Replace previous redundant notifications (e.g., “new likes”) with the latest count.
- Mutable content: Use Notification Service Extension (iOS) or FCM data payload to download rich media only when on Wi-Fi and within size/timeouts.
- Localization: Send server-side templates with language codes; avoid shipping 20 strings in one payload.
4) On-device channels and user control
- Android channels: Create clear categories (e.g., “Orders,” “Promotions,” “Security Alerts”) with sensible importance and sound/vibration. Never post to the wrong channel.
- iOS notification types: Time-Sensitive for critical alerts; Scheduled for digests; respect Focus modes.
- In-app settings: Mirror OS controls; allow granular opt-outs. The fastest path to uninstall is ignoring user preferences.
5) Timing, cadence, and quiet hours
- Local time awareness: Deliver at the user’s local hour; never blast at 3 a.m.
- Cadence caps: Per user, per category (e.g., ≤ 2 promos/week, unlimited transactional).
- Send windows: For promotions, test morning vs evening. For transactional, immediate with collapse.
6) Personalization without creepiness
- Behavior signals: Recent categories viewed, wishlisted items, abandoned actions—kept as coarse features, not raw PII.
- Contextual bandits/AB testing: Explore subject lines and send times; exploit winners per segment.
- On-device intelligence: Compute “likelihood to engage” locally (e.g., Core ML / TensorFlow Lite); server sees only a score bucket, not raw history.
7) Transactional vs promotional
- Transactional (receipts, OTP, delivery updates): High priority, bypass digests, clear copy, deep link to exact view, short TTL.
- Promotional (offers, content): Normal priority, respect quiet hours and caps; add in-app inbox as fallback.
8) Deep linking and post-click UX
- Universal Links / App Links: Ensure routes exist; avoid dumping users at the home screen.
- Cold start optimization: Warm the target screen’s data in the background if possible; show a prefilled skeleton while loading.
- Undo/mark as read: Provide a quick action on open to complete the most likely intent.
9) Deliverability diagnostics
- Provider metrics: Acceptance rate, send latency, error codes (invalid token, throttle, payload too large).
- App metrics: Open rate, conversion, time-to-open, opt-in rate by version.
- Device-side logs: Capture “delivered but never shown” cases (e.g., channel disabled, Focus mode).
- Test matrix: Real devices across OS versions; emulators don’t reflect push reliability.
10) Privacy and compliance
- Consent: Explicit opt-in for promotions; fine-grained controls.
- Data minimization: No PII in payload; use opaque IDs and fetch details in-app after auth.
- Regulatory alignment: Respect regional requirements (e.g., unsubscribe mechanics).
- Security: Authenticate every server call to APNs/FCM with signed credentials (the JWT and OAuth2 tokens from section 1); rotate keys; restrict provider credentials per environment.
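An added example (not from the original playbook) of a pre-send gate that enforces the data-minimization rule above together with the size limit from section 3. The allowed keys, ID format, route format and PII patterns are assumptions for illustration, and the PII check is a heuristic rather than a guarantee.

```python
import json
import re

APNS_MAX_BYTES = 4096                    # APNs limit for regular notifications
ALLOWED_DATA_KEYS = {"msg_id", "route"}  # assumed app schema (hypothetical)
OPAQUE_ID = re.compile(r"[A-Za-z0-9_-]{16,64}")
ROUTE = re.compile(r"/[a-z0-9/_-]{1,64}")
# Heuristic detectors for alert text: e-mail addresses and phone-like digit runs.
PII = [re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I),
       re.compile(r"\+?\d[\d\s().-]{7,}\d")]

def encode(title, body, data):
    """Serialize compactly; custom keys sit beside the reserved 'aps' key."""
    payload = {"aps": {"alert": {"title": title, "body": body}}, **data}
    return json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode()

def violations(title, body, data):
    """Return the list of policy violations; an empty list means safe to send."""
    found = []
    extra = sorted(set(data) - ALLOWED_DATA_KEYS)
    if extra:
        found.append(f"unexpected data keys: {extra}")
    if not OPAQUE_ID.fullmatch(str(data.get("msg_id", ""))):
        found.append("msg_id is not an opaque identifier")
    if "route" in data and not ROUTE.fullmatch(str(data["route"])):
        found.append("route is not a plain in-app path")
    if any(p.search(text) for p in PII for text in (title, body)):
        found.append("alert text looks like it contains PII")
    if len(encode(title, body, data)) > APNS_MAX_BYTES:
        found.append("payload exceeds 4096 bytes")
    return found

def build_apns_request(title, body, data, collapse_id=None):
    """Return (headers, body_bytes), or raise ValueError listing violations."""
    problems = violations(title, body, data)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"apns-push-type": "alert"}
    if collapse_id:
        headers["apns-collapse-id"] = collapse_id
    return headers, encode(title, body, data)
```

The app resolves `msg_id` to the real content after the user authenticates, so a leaked or logged payload reveals nothing beyond generic copy and an in-app path.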
11) Fail-safes and fallbacks
- In-app inbox: Every push also lands in a message center view for users who disabled notifications.
- Email/SMS backup: For critical transactional flows (password resets), push is additive, not sole.
- Retry policy: Exponential backoff; do not retry indefinitely; log and move on.
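An added example (not from the original playbook) that ties together token purging (section 2), rejection-reason tracking (section 9) and the bounded retry policy above. The reason strings are ones APNs and FCM V1 return; the attempt limit, delays, tokens and sample responses are assumed or constructed.

```python
import random
from collections import Counter

# Rejection reasons from the APNs "reason" field and FCM V1 error codes.
PURGE = {"BadDeviceToken", "Unregistered", "UNREGISTERED"}
RETRY = {"TooManyRequests", "ServiceUnavailable", "InternalServerError",
         "QUOTA_EXCEEDED", "UNAVAILABLE", "INTERNAL"}
# Assumed policy values, not provider requirements.
MAX_ATTEMPTS, BASE_DELAY_S, MAX_DELAY_S = 5, 2.0, 300.0

def next_action(reason, attempt, rng=random.random):
    """Decide what to do after send number `attempt` (1-based).
    `reason` is None when the provider accepted the message."""
    if reason is None:
        return ("done", 0.0)
    if reason in PURGE:
        return ("purge_token", 0.0)
    if reason in RETRY and attempt < MAX_ATTEMPTS:
        ceiling = min(MAX_DELAY_S, BASE_DELAY_S * 2 ** (attempt - 1))
        return ("retry", ceiling * rng())  # full jitter spreads retries out
    # Permanent errors (e.g. PayloadTooLarge) and exhausted retries end here.
    return ("drop_and_log", 0.0)

def process(results, live_tokens, rng=random.random):
    """Apply next_action to (msg_id, token, reason, attempt) tuples.
    Removes dead tokens from live_tokens; returns (retries, reason_counts)."""
    retries, reasons = [], Counter()
    for msg_id, token, reason, attempt in results:
        action, delay = next_action(reason, attempt, rng)
        if reason is not None:
            reasons[reason] += 1
        if action == "purge_token":
            live_tokens.discard(token)
        elif action == "retry":
            retries.append((msg_id, token, attempt + 1, delay))
    return retries, reasons

# Constructed sample responses; tokens and message IDs are placeholders.
SAMPLE = [
    ("m1", "tok-a", None, 1),
    ("m2", "tok-b", "Unregistered", 1),
    ("m3", "tok-c", "TooManyRequests", 2),
    ("m4", "tok-d", "PayloadTooLarge", 1),
    ("m5", "tok-e", "UNAVAILABLE", 5),
]

if __name__ == "__main__":
    tokens = {"tok-a", "tok-b", "tok-c", "tok-d", "tok-e"}
    print(process(SAMPLE, tokens), sorted(tokens))
```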
12) Measurement and experimentation
- Holdout groups: Always maintain a control cohort to detect true lift.
- Attribution window: Define (e.g., 12–24 hours) for post-open conversions.
- Multi-armed bandit: Adjust subject line and send-time exploration continuously; cap regret.
13) Common pitfalls
- Over-personalization: Feels invasive; use category affinities, not exact item surveillance.
- No collapse keys: Users receive a storm of near-duplicates.
- Silent failures: Lack of device token hygiene results in large dead lists.
- Hard-coded channels: Inflexible and impossible to tune post-release.
Play it straight: Earn the opt-in with value, respect local time and cadence, collapse ruthlessly, and keep payloads lean. Push should feel like a timely assistant, not a megaphone.




