jknapp
6d4ae2e5c3
- OAuth authentication via Authentik - WebSocket connection to OpenClaw gateway - Configurable gateway URL with first-run setup - User preferences sync across devices - Multi-user support with custom assistant names - ElevenLabs TTS integration (local + remote) - FCM push notifications for alarms - Voice input via Google Speech API - No hardcoded secrets or internal IPs in tracked files
5.7 KiB
Firebase Cloud Messaging (FCM) Setup Guide
Step-by-step guide to set up FCM for Alfred Mobile app with correct IAM permissions.
Prerequisites
- Google Cloud project with Firebase enabled
- Android app registered with package name:
com.openclaw.alfred google-services.jsondownloaded and placed inapp/directory
Firebase Service Account Setup
Step 1: Create Service Account
-
Go to Google Cloud Console IAM:
-
Click "Create Service Account"
-
Service account details:
- Name:
alfred-fcm-server - Description:
FCM service account for Alfred proxy notifications - Click Create and Continue
- Name:
Step 2: Grant IAM Role
CRITICAL: The service account needs the correct role for FCM HTTP v1 API.
Required Role:
- Firebase Admin SDK Administrator Service Agent (
roles/firebase.sdkAdminServiceAgent)
This role includes:
- ✅
cloudmessaging.messages.create(required for sending FCM) - ✅
firebase.projects.get - ❌ NOT
firebasenotifications.*(legacy API - wrong)
How to add the role:
- In the role selection dropdown, search: "Firebase Admin SDK Administrator"
- Select: "Firebase Admin SDK Administrator Service Agent"
- Click Continue, then Done
Step 3: Download Service Account Key
- Click on the service account you just created
- Go to Keys tab
- Click Add Key → Create new key
- Choose JSON format
- Click Create - downloads a JSON file
- Save this file securely (e.g.,
service-account.json)
Step 4: Enable Firebase Cloud Messaging API
- Go to: https://console.cloud.google.com/apis/library/fcm.googleapis.com?project=YOUR_PROJECT_ID
- Click "Enable"
- Wait for activation (~30 seconds)
Alfred Proxy Configuration
Place Service Account Key
cd ~/.openclaw/workspace/alfred-proxy
cp ~/Downloads/your-service-account-key.json service-account.json
chmod 600 service-account.json
Update .env (if needed)
The proxy reads the service account from service-account.json automatically. No additional configuration needed.
Verify Configuration
# Check service account email matches
grep "client_email" service-account.json
# Should show: alfred-fcm-server@YOUR_PROJECT_ID.iam.gserviceaccount.com
Testing FCM Permissions
Test 1: Send Notification via Proxy
curl -X POST http://localhost:18790/api/notify \
-H "Content-Type: application/json" \
-d '{
"notificationType": "alarm",
"title": "Test Alarm",
"message": "Testing FCM permissions",
"priority": "high",
"sound": true,
"vibrate": true
}'
Expected response:
{"success":true,"clients":0,"fcm":1}
Test 2: Check Proxy Logs
tail -f /tmp/alfred-proxy.log | grep fcm
Success looks like:
[fcm] Sending push notification to 1 registered device(s)
[fcm] Successfully sent 1 message(s)
Permission error looks like:
[fcm] Error: Permission 'cloudmessaging.messages.create' denied
If you see the permission error, verify:
- Service account has correct role (Firebase Admin SDK Administrator Service Agent)
- FCM API is enabled
- Service account key is fresh (regenerate if > 1 hour old)
Common Issues
Wrong Role: "Firebase Cloud Messaging Admin"
Problem: This role gives firebasenotifications.* permissions (legacy API), not cloudmessaging.* (v1 API).
Solution: Remove this role, add "Firebase Admin SDK Administrator Service Agent" instead.
API Not Enabled
Problem: FCM HTTP v1 API not enabled.
Solution:
# Enable via gcloud (if you have CLI installed)
gcloud services enable fcm.googleapis.com --project=YOUR_PROJECT_ID
# Or enable in console:
# https://console.cloud.google.com/apis/library/fcm.googleapis.com
Token Not Persisted
Problem: FCM tokens lost after proxy restarts.
Solution: Already fixed! Tokens now persist to fcm-tokens.json. Verify:
cat alfred-proxy/fcm-tokens.json
Should show registered tokens. If empty, reconnect the Alfred app.
Architecture
Alfred App (Android)
↓ (on connect)
{"type": "fcm.register", "token": "..."}
↓
Alfred Proxy
- Saves to fcm-tokens.json
- Loads on startup
↓ (when alarm triggered)
Firebase Admin SDK
- admin.messaging().sendEachForMulticast()
- Requires: cloudmessaging.messages.create permission
↓
Firebase Cloud Messaging (Google)
↓
Alfred App (receives notification even when asleep)
Security Best Practices
-
Never commit service account keys to git
- Already in
.gitignore:service-account.json
- Already in
-
Restrict service account permissions
- Use minimal role: Firebase Admin SDK Administrator Service Agent
- Don't use "Firebase Admin" (too broad)
-
Rotate keys periodically
- Generate new key every 90 days
- Delete old keys from service account
-
File permissions
chmod 600 alfred-proxy/service-account.json
Verification Checklist
After setup, verify:
- Service account exists with correct name
- Role: Firebase Admin SDK Administrator Service Agent
- FCM API enabled in Google Cloud Console
- Service account key downloaded and placed correctly
- Proxy logs show:
[firebase] Firebase Admin SDK initialized - Test notification succeeds:
[fcm] Successfully sent X message(s) - Alfred app receives notification even when locked
Next Steps
Once FCM is working:
- Set up alarms via cron jobs (see TOOLS.md)
- Configure morning briefings
- Test cross-device notifications
- Monitor FCM quota (free tier: 10M messages/month)
Last Updated: 2026-02-04
Status: ✅ Working with correct IAM role