How do you make sure that push messaging is secure? How can you avoid a user getting messages from another site pretending to be you? You need a way to ensure secure communication in three ways: between your users and your server, between your server and a push service, and between the push service and your users. In other words, the user needs to be sure that messages are from the domain they claim to be from and have not been tampered with by the push service. You need to make sure that the user is who they claim to be.

VAPID is a standard created to solve this problem. VAPID identification information can be used by the push service to attribute requests that are made by the same application server to a single entity. This can be used to reduce the secrecy for push subscription URLs by making it possible to restrict subscriptions to a specific application server. An application server can include additional information that the operator of a push service can use to contact the operator of an application server.

In order to use VAPID, we need to generate a public-private key pair and subscribe to a push service using the public key. The public key must first be converted from URL-safe Base64 to a Uint8Array. This is then passed into the applicationServerKey parameter in the subscribe method. The web-push library provides the generateVAPIDKeys method, which, as you might expect, generates the keys. Now, this should be used once in the command line using web-push generate-vapid-keys, and the keys must be stored somewhere safe. You can use the web-push library to send a message with the required VAPID details. You add a vapidDetails object to the options, including parameters required for the request signing.

Now let's look at the messages from the receiving end in the web app on the client. As you know, handling push events happens in the service worker.
The service worker is woken up to handle incoming push messages, even if the browser is closed, and a push event is fired. This allows your app to react to push messages, for example, by displaying a notification using ServiceWorkerRegistration.showNotification. So to display a push notification, you listen for the push event in the service worker. You get the push message data from the push event object. Now, in this example, we simply convert the message data to text. We wrap showNotification in a waitUntil to extend the lifetime of the push event until the showNotification promise resolves. The push event will not be reported as successfully completed until the notification has displayed.

You can practice working with the Notification and Push APIs and VAPID by following the lab that accompanies this video. Now, one small gotcha: don't use private or incognito mode for this lab. For security reasons, push notifications are not supported in private or incognito mode. So there you have it. Secure authenticated push messaging implemented with standard cross-platform APIs and protocols. Thanks for watching.
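
The key conversion and subscribe step described in the video, as an added example that is not part of the original video or its lab. The function names and the sample key are assumptions made here for illustration; the length checks rely on a VAPID public key being a 65-byte uncompressed P-256 point and the private key being 32 bytes.

```javascript
// Added example: decode and sanity-check a VAPID public key before subscribing.
// All function names below are hypothetical helpers, not part of any library.

function urlBase64ToUint8Array(base64Url) {
  // Restore the padding and the standard alphabet that URL-safe Base64 drops.
  const padding = '='.repeat((4 - (base64Url.length % 4)) % 4);
  const base64 = (base64Url + padding).replace(/-/g, '+').replace(/_/g, '/');
  const raw = atob(base64); // throws on characters outside the alphabet
  return Uint8Array.from(raw, (ch) => ch.charCodeAt(0));
}

function decodeVapidPublicKey(base64Url) {
  const key = urlBase64ToUint8Array(base64Url);
  // Catch the worst copy-paste mistake first: shipping the private key to clients.
  if (key.length === 32) {
    throw new Error('32 bytes: this looks like the VAPID private key, which must stay on the server');
  }
  // The push service expects an uncompressed P-256 point: 0x04 || X (32) || Y (32).
  if (key.length !== 65 || key[0] !== 0x04) {
    throw new Error('expected a 65-byte uncompressed P-256 public key starting with 0x04');
  }
  return key;
}

function buildSubscribeOptions(publicKeyBase64Url) {
  return {
    userVisibleOnly: true,
    applicationServerKey: decodeVapidPublicKey(publicKeyBase64Url),
  };
}

// `registration` is the page's ServiceWorkerRegistration (browser only).
function subscribeWithVapid(registration, publicKeyBase64Url) {
  return registration.pushManager.subscribe(buildSubscribeOptions(publicKeyBase64Url));
}

// Constructed placeholder with the right shape (0x04 followed by 64 zero bytes).
// It is not a usable key; substitute the public key from your own generated pair.
const SAMPLE_PUBLIC_KEY = 'B' + 'A'.repeat(86);
```

In a page, call subscribeWithVapid(await navigator.serviceWorker.ready, yourPublicKey) and send the resulting subscription to your server.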