Azure Notification Hub: FCM V1 (The Push Notification System rejected the request because of an invalid credential)

Hi,

I created the diagnostics on my namespace, 1 writes to storage another one to log analytics. Both contain all logs.

When i query nothing appears. I clicked the log analytics in my namespace. I've send some test messages through the portal, does that generate enough to have logs available?

I finally was able to get it working, but it's very unstable. Without changing any setting it sometimes works, and when i send another test message via the portal it says 'invalid credentials'. It's very unreliable.

Hello Guy Wouters,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your Azure Notification Hub: FCM V1 (The Push Notification System rejected the request because of an invalid credential).

With all the said and done. To address the issues and provide stable notifications, actionable logs, and permanent fix. I put together the below structured resolution plan:

1. Confirm Azure Notification Hub automatically refreshes FCM OAuth2 tokens. Then, use Azure’s Debug Send feature to test notifications immediately after a failure. If subsequent attempts succeed without credential changes, token refresh is likely the issue. Check for more steps: https://firebase.google.com/docs/cloud-messaging/auth-server it also explains token expiration 1 hour and https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-fixer#fcm-v1-credentials notes Azure handles token refreshes internally.
2. Force Azure to reauthenticate with FCM by:
   • Remove and re-add FCM V1 credentials in Azure Portal.
   • Use the latest service account JSON key regenerated after removing old credentials. Because, Azure may cache stale tokens or credentials. - https://learn.microsoft.com/en-us/azure/notification-hubs/configure-notification-hub-portal-pns-settings#google-firebase-cloud-messaging-fcm-v1.
3. Use Azure Network Watcher or tools like tcping to test connectivity between Azure and FCM endpoints fcm.googleapis.com:443. To check transient network drops can disrupt authentication - https://firebase.google.com/docs/cloud-messaging/server#endpoints
4. In Azure:
   1. Enable OperationalLogs and RuntimeAuditLogs at the namespace level.
   2. Query logs with:

            
            AzureDiagnostics
            
            | where ResourceType == "NOTIFICATIONHUBS"
            
            | where OperationName == "Microsoft.NotificationHubs/namespaces/notificationHubs/messages/send"
            
            | project TimeGenerated, ResultDescription, CorrelationId
            
      

      This will capture transient errors during failed sends. - https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-diagnostic-logs
5. In Google Cloud Console:
   1. Navigate to IAM & Admin > Service Accounts.
   2. Check the service account key used for FCM V1. Ensure “Key expiry” is set to “Never”.
   It will help to know expired keys that's causing permanent failures, but misconfigured auto-rotation could lead to instability. - https://cloud.google.com/iam/docs/creating-managing-service-account-keys.
6. Use a script to send notifications directly to FCM every 5 minutes for 24 hours:

      # Replace PROJECT_ID and DEVICE_TOKEN
      while true; do
        curl -X POST -H "Authorization: Bearer $gcloud auth print-access-token" \
             -H "Content-Type: application/json" \
             -d '{"message":{"token":"DEVICE_TOKEN","notification":{"title":"Test","body":"Direct FCM Test"}}}' \
             "https://fcm.googleapis.com/v1/projects/PROJECT_ID/messages:send"
        sleep 300
      done
   

   If direct FCM fails intermittently, the issue lies with Google’s infrastructure or the service account.
7. Finally, if all steps fail, escalate by contacting Azure Support via your Azure Portal with more details: -https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Hi Guy Wouters,

Just checking back to see if the above response was helpful, If it does do let us know, feel free to post back if you have any questions or concern, happy to help you.

Hi Guy Wouters,

The Push Notification System rejected the request because of an invalid credential

Try the Below Workaround to resolve this issue:

Confirm Token Handling by Azure Notification Hub

Azure internally handles OAuth2 token refresh for FCM V1 service accounts.

FCM V1 tokens expire after 1 hour. Intermittent failures may occur if token refresh fails due to caching or transient network issues.

For more details, please refer the following documentation: Firebase OAuth 2.0 Tokens,

ANH Token Refresh Behavior

Force Reauthentication with Fresh Credentials

To avoid cached/stale credentials:

Delete existing FCM V1 credentials in the Azure Portal.

Regenerate a new service account key in the Firebase Console.

Re-add the new JSON key into the Azure Notification Hub under FCM V1 Settings.

Refer: Configure FCM V1 in Azure

Validate Network Connectivity (Advanced)

Use tools like Azure Network Watcher, tcping, or similar from your environment to test outbound HTTPS access:

tcping fcm.googleapis.com 443

Even brief interruptions to fcm.googleapis.com:443 can trigger token refresh or auth issues.

Enable Logging at Namespace Level

Azure logs for Notification Hub are only available at the namespace level (NHNS).

• Navigate to Notification Hub Namespace > Diagnostic settings.
• Enable logs:OperationalLogs, RuntimeAuditLogs, Send to Log Analytics or Storage Account
• Use this Kusto query in Log Analytics:

AzureDiagnostics

| where ResourceProvider == "MICROSOFT.NOTIFICATIONHUBS"

| where OperationName == "Microsoft.NotificationHubs/namespaces/notificationHubs/messages/send"

| project TimeGenerated, ResultDescription, CorrelationId

| order by TimeGenerated desc

Note: Logs may take 5–10 minutes to appear after enabling diagnostics.

Refer: Enable NH Diagnostic Logs

Validate Service Account Configuration in Google Cloud

• Go to IAM & Admin > Service Accounts.
• Select your service account used for FCM V1.

Ensure the service account has the Firebase Admin or Editor role.

Refer: Managing Service Account Keys

Verify Direct Communication with FCM

You can run a test script to simulate sending messages directly to FCM. This helps isolate whether the issue is with Azure or the Firebase configuration.

Example Bash script (using gcloud CLI):

while true; do
  curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
       -H "Content-Type: application/json" \
       -d '{
            "message":{
               "token":"DEVICE_TOKEN",
               "notification":{
                 "title":"Test",
                 "body":"Direct FCM Test"
               }
             }
           }' \

       "https://fcm.googleapis.com/v1/projects/YOUR_PROJECT_ID/messages:send"
  sleep 300
done

If this script also fails intermittently, the issue is likely on the Firebase side.

You mentioned that your Firebase project works better when not testing via the Azure Portal. This aligns with known limitations of Test Send in the Portal.

Recommendation: Use a C# client or direct REST API to register devices and send notifications. This provides more visibility and reliability.

Hi,

Thanks for your patience. I've tried implementing the logging, but wasn't able to get any logs. I need to check it further.

It's mainly the setup at my work that is not working, but we have created a new project in firebase. I still need to test that with sending notifications via C#, not via Azure Portal. I think that validation error is maybe related to testing from the Azure Portal.

I'll keep you updated as soon as I have more info.

Hi Guy Wouters,

We haven't heard any response from you and if you are still facing any issues, please click on comment. Please Let me know how it's going!

Hello Guy Wouters,

It’s good to hear that you’ve created a fresh Firebase project and regenerated everything. The next step is to move away from the portal’s Test Send (which can be unreliable) and use a small C# snippet to push notifications, this will show the exact what Azure is doing (or rejecting), rather than rely on the portal UI.

First, make sure the JSON key you downloaded is the only one configured in your hub. Go to your Notification Hub in Azure, open PNS credentials, clear out any legacy text, and paste the new JSON exactly as-is. By removing the old text entirely and saving, you force Azure to drop any cached token.

Next, switch to a simple C# console app. Grab your “Full Access” connection string from Notification Hub → Access Policies, and fill in your hub name and a valid device token in code like this:

using Microsoft.Azure.NotificationHubs;

using System;

using System.Threading.Tasks;

namespace NhFcmTest

{

    class Program

    {

        // Replace with your actual values

        private const string HubConnectionString = "<Your_Full_Access_Connection_String>";

        private const string HubName = "<Your_Notification_Hub_Name>";

        private const string FcmDeviceToken = "<YOUR_DEVICE_TOKEN>";

        static async Task Main(string[] args)

        {

            var hub = NotificationHubClient.CreateClientFromConnectionString(

                HubConnectionString,

                HubName

            );

            var fcmPayload = @"{

                ""notification"": {

                    ""title"": ""Hello from C#"",

                    ""body"": ""This is a test push""

                }

            }";

            try

            {

                var outcome = await hub.SendFcmNativeNotificationAsync(fcmPayload, FcmDeviceToken);

                Console.WriteLine($“Notification state: {outcome.State}”);

            }

            catch (Exception ex)

            {

                Console.WriteLine($“Error sending notification: {ex.Message}”);

            }

        }

    }

}

Running this code will either succeed or throw a specific exception—if it succeeds consistently, you know the credentials are solid. If it still complains about invalid credentials, the exception text will reveal whether it’s a permissions issue, malformed JSON, or something else.

Make sure that the service account in Google Cloud has the Firebase Admin role (not just “Owner” at the project level), and that the Firebase Cloud Messaging API is enabled in your Google project. Even a single missing permission can cause Azure to reject the OAuth token.

If you ever need to confirm that Azure is actually processing send attempts, enable diagnostics at the Notification Hub Namespace → Monitoring → Diagnostic settings level. Select OperationalLogs and point them to a Log Analytics workspace. After sending from your C# app, wait a few minutes, then query:

AzureDiagnostics

| where ResourceProvider == "MICROSOFT.NOTIFICATIONHUBS"

| where OperationName endswith "/notificationHubs/messages/send"

| project TimeGenerated, ResultDescription, CorrelationId

| order by TimeGenerated desc

Seeing entries here means Azure accepted your push request; if it still says “invalid credential,” you’ll get more detail in the ResultDescription.

Finally, if you’re in a virtual network or using private endpoints, check that outbound HTTPS to fcm.googleapis.com:443 is allowed. You can spin up a quick VM in the same VNet and run:

tcping fcm.googleapis.com 443

Consistent replies here confirm there’s no network interruption causing token refresh to fail.

Once your C# snippet succeeds every time, you can be confident that your configuration is correct and stable. If a push ever fails, the exception message from the SDK will tell you exactly why, whether it’s a missing role, expired key, or network drop and you can address it immediately. Let me know if you run into any specific errors in code!

Hello Guy Wouters,We haven't heard any response from you and if you are still facing any issues, please click on comment. If the answer was helpful, please click on Accept answer and upvote it.