Push Notifications
Get real-time alerts and manual approval prompts on your phone via ntfy.
Token Vault integrates with ntfy for push notifications. Notifications power the manual approval policy rule and provide informational alerts for vault events like token refreshes.
How It Works
Enabling Notifications
- Go to Settings in the dashboard.
- Find the Notifications card.
- Click Enable.
- Token Vault creates a private ntfy topic and account for you automatically.
- Your topic URL, username, and password are displayed in the settings card.
Each user gets their own private ntfy topic. Only Token Vault can send notifications to it, and only you can subscribe to receive them.
Mobile Setup
Install the ntfy app and subscribe to your private topic using the credentials from your vault settings.
iOS
- Install ntfy from the App Store.
- Tap + to add a subscription.
- Enter the server URL shown in your vault settings (e.g.
https://ntfy.tokenvault.uk). - Enter the topic name shown in settings.
- Tap the settings icon on the subscription and enter your username and password.
- Enable notifications when prompted.
Android
- Install ntfy from Google Play or F-Droid.
- Tap + to add a subscription.
- Enter the topic name and set the server URL to the one shown in your vault settings.
- Tap the settings icon and enter your username and password.
- Notifications are delivered instantly via WebSocket - no extra configuration needed.
Make sure you enter the server URL from your vault settings, not the default ntfy.sh.
Token Vault uses a private ntfy server.
Manual Approval
When a manual_approval policy rule is attached to an agent, proxy, or token, every credential request triggers an interactive push notification:
- An agent or proxy makes a credential request.
- Token Vault evaluates policies and finds a
manual_approvalrule. - A push notification is sent to your phone with Approve and Deny buttons.
- The request blocks, waiting for your response.
- You tap Approve - the credential is returned to the agent.
- You tap Deny - the request is rejected with
403 POLICY_DENIED. - If you don't respond within 60 seconds, the request is automatically denied.
Timeout = Denied
The 60-second timeout is a security feature. If you don't respond - whether you're away from your phone, in a meeting, or asleep - access is denied by default. This prevents unattended credential access.
Notification Types
| Type | When sent | Interactive? |
|---|---|---|
| Manual approval | Credential request with a manual_approval policy rule | Yes - Approve / Deny buttons |
| Informational | Token refresh completed, vault events | No - notification only |
Testing Notifications
After enabling notifications, use the Test button in the settings card to send a test notification to your phone. If you receive it, your setup is working correctly.
If you don't receive the test notification:
- Check that the ntfy app is installed and the subscription is configured.
- Verify the server URL, topic, username, and password match what's shown in settings.
- On iOS, ensure notification permissions are granted for the ntfy app.
- On Android, check that battery optimization isn't preventing ntfy from maintaining its WebSocket connection.
Disabling Notifications
Click Disable in the settings card. This removes your ntfy account and topic. Any policies
with manual_approval rules will deny all requests until notifications are re-enabled.