FCM Security: Prevent multiple senders from pushing notifications to all devices?

Question

As part of our solution, we want to deploy an FCM \"app server\" at each of our customer sites. Each customer site has their own users with their own devices using our app.

Answer 1

There is no way to restrict a server key to only allow certain topics/devices/etc.

I would consider using Cloud Functions for Firebase to solve this a different way. You could build an HTTPS function that took per-site authorization tokens (by any means you deem fit) and then that function calls through to Firebase Cloud Messaging to actually send the push notifications.

This way, you have complete control over what kinds of push notifications can be sent by the "client" sites, and you don't have to worry about cascading security problems in the event a client site gets compromised.