Getting "EndpointDisabled" from Amazon SNS

I'm using Amazon SNS. Notifications work well, but sometimes I get this error:

{
    "message": "Endpoint is disabled",
    "code": "EndpointDisabled",
    "name": "EndpointDisabled",
    "statusCode": 400,
    "retryable": false
}

Maybe you know why.


You can create a new SNS topic such as push-notification-failures and then associate your APNS/APNS_SANDBOX applications' "Delivery Failures" event to it. Subscribe to the event via email (and confirm) and you'll get useful debugging information about failures. This can all be accomplished through the SNS console and doesn't require API calls to perform.

It is probably worth it to subscribe an HTTP endpoint to this SNS topic and record all delivery failures so you have historical data to work from and debug production issues.

For example a delivery FailureMessage of "Platform token associated with the endpoint is not valid" means that you're sending a message from APNS_SANDBOX to an APNS registered device or vice versa. This can mean that you have the wrong APNS settings for your build system. (We have a frustrating problem of developer built binaries using APNS_SANDBOX vs. TestFlight built binaries using APNS for local testing and QA which is what led me down this path.)


I have found 3 reasons so far:

  • Sometimes we mixed tokens from sandbox app.
  • User turn off notifications in phone settings.
  • User uninstalled the app.

These are regarding Iphons/Ipads.


There are few reasons why an end point can be disabled. I didn't see it documented anywhere (might have missed it), here's what I got from support:

  • You push to an endpoint but the token is invalid/expired. Tokens become invalid if:

  • It belongs to an app that is no more installed on the device.

  • If device has been restored from backup. This renders token invalid and your app should request a new token and update SNS endpoint token accordingly.

  • App has been re-installed on the same device. In case of Android, the app is assigned a new token. This happens as well with APNs but more often with Android.

  • In case of APNs, a wrong provisioning profile is selected in xCode. In this case notifications fail and device becomes disabled later after APNs feedback.

  • If mistakenly use a token for IOS development to IOS production app and vice versa.

  • If Apple for any reason invalidates your IOS push cert or someone revokes the push cert from itunes connect portal. This takes a few hours before device gets disabled.

  • Same with GCM if you update API key from Google developer console without updating the Platform application credentials in SNS.

  • You push to an APNs device endpoint but application has been disabled due to expired push certificate.

  • You push to GCM device endpoint however API key has been updated in Google developer console but not the SNS platform application credentials accordingly.

For Details, I recommend this excellent article which solves my problem


According to http://docs.aws.amazon.com/sns/latest/APIReference/API_Publish.html that means that the endpoint is disabled.

From http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/sns/model/SetEndpointAttributesRequest.html:

Enabled -- flag that enables/disables delivery to the endpoint. Message Processor will set this to false when a notification service indicates to SNS that the endpoint is invalid. Users can set it back to true, typically after updating Token.

"notification service" in this case is referring to Google's GCM, Apples APNS or Amazon's ADM.


I had the same issue. This is what I did:

  1. export the FULL CERTIFICATE from Keychain Access to a .p12 file
  2. export the PRIVATE KEY from Keychange Access to a *private.p12 file

  3. use openssl with the downloaded .cer file (from iOS Developer MemberCenter) to create a public .pem certificate

  4. use openssl with the generated *private.p12 file to create a private .pem keyfile

  5. In AWS SNS create a new Application. Give it a name. Choose Apple Development.
  6. Choose the FULL CERTIFICATE from Keychain Access with a .p12 extension, and type in the passphrase you chose when exporting from Keychain Access Copy the content of the public CERTIFICATE .pem file, to the textarea labelled "Certificate", including the starting and ending lines:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    
  7. Copy only the part of the private key .pem file starting and ending with the following lines, to the textarea labelled "Private Key":

    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    

I use Cordova with phonegap-plugin-push 1.4.4, but it my issue had nothing to do with phonecap. Apart from a bit of confusion about the above, what finally did the trick for me, was to open up my project in XCode, find the Target for my project, and then enable Push Notifications. This automatically adds the "Push Notifications" entitlement to the app ID.. The next time the app is installed on your device, push notification should work. At least it did for me.

I hope this can save someone experiencing the same issue as me a 1/2 day of work! :)