Getting "EndpointDisabled" from Amazon SNS

I'm using Amazon SNS. Notifications work well, but sometimes I get this error:

{
    "message": "Endpoint is disabled",
    "code": "EndpointDisabled",
    "name": "EndpointDisabled",
    "statusCode": 400,
    "retryable": false
}

Maybe you know why.

You can create a new SNS topic such as push-notification-failures and then associate your APNS/APNS_SANDBOX applications' "Delivery Failures" event to it. Subscribe to the event via email (and confirm) and you'll get useful debugging information about failures. This can all be accomplished through the SNS console and doesn't require API calls to perform.

It is probably worth it to subscribe an HTTP endpoint to this SNS topic and record all delivery failures so you have historical data to work from and debug production issues.

For example a delivery FailureMessage of "Platform token associated with the endpoint is not valid" means that you're sending a message from APNS_SANDBOX to an APNS registered device or vice versa. This can mean that you have the wrong APNS settings for your build system. (We have a frustrating problem of developer built binaries using APNS_SANDBOX vs. TestFlight built binaries using APNS for local testing and QA which is what led me down this path.)

I have found 3 reasons so far:

• Sometimes we mixed tokens from sandbox app.
• User turn off notifications in phone settings.
• User uninstalled the app.

These are regarding Iphons/Ipads.

There are few reasons why an end point can be disabled. I didn't see it documented anywhere (might have missed it), here's what I got from support:

• You push to an endpoint but the token is invalid/expired. Tokens become invalid if:

• It belongs to an app that is no more installed on the device.

• If device has been restored from backup. This renders token invalid and your app should request a new token and update SNS endpoint token accordingly.

• App has been re-installed on the same device. In case of Android, the app is assigned a new token. This happens as well with APNs but more often with Android.

• In case of APNs, a wrong provisioning profile is selected in xCode. In this case notifications fail and device becomes disabled later after APNs feedback.

• If mistakenly use a token for IOS development to IOS production app and vice versa.

• If Apple for any reason invalidates your IOS push cert or someone revokes the push cert from itunes connect portal. This takes a few hours before device gets disabled.

• Same with GCM if you update API key from Google developer console without updating the Platform application credentials in SNS.

• You push to an APNs device endpoint but application has been disabled due to expired push certificate.

• You push to GCM device endpoint however API key has been updated in Google developer console but not the SNS platform application credentials accordingly.

For Details, I recommend this excellent article which solves my problem

According to http://docs.aws.amazon.com/sns/latest/APIReference/API_Publish.html that means that the endpoint is disabled.

From http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/sns/model/SetEndpointAttributesRequest.html:

Enabled -- flag that enables/disables delivery to the endpoint. Message Processor will set this to false when a notification service indicates to SNS that the endpoint is invalid. Users can set it back to true, typically after updating Token.

"notification service" in this case is referring to Google's GCM, Apples APNS or Amazon's ADM.

I had the same issue. This is what I did:

1. export the FULL CERTIFICATE from Keychain Access to a .p12 file

2. export the PRIVATE KEY from Keychange Access to a *private.p12 file

3. use openssl with the downloaded .cer file (from iOS Developer MemberCenter) to create a public .pem certificate

4. use openssl with the generated *private.p12 file to create a private .pem keyfile

5. In AWS SNS create a new Application. Give it a name. Choose Apple Development.

6. Choose the FULL CERTIFICATE from Keychain Access with a .p12 extension, and type in the passphrase you chose when exporting from Keychain Access Copy the content of the public CERTIFICATE .pem file, to the textarea labelled "Certificate", including the starting and ending lines:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
   

7. Copy only the part of the private key .pem file starting and ending with the following lines, to the textarea labelled "Private Key":

    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
   

I use Cordova with phonegap-plugin-push 1.4.4, but it my issue had nothing to do with phonecap. Apart from a bit of confusion about the above, what finally did the trick for me, was to open up my project in XCode, find the Target for my project, and then enable Push Notifications. This automatically adds the "Push Notifications" entitlement to the app ID.. The next time the app is installed on your device, push notification should work. At least it did for me.

I hope this can save someone experiencing the same issue as me a 1/2 day of work! :)

Quick checklist before taking drastic measures:

1. Generate the Certificate Signing Request (CSR) using Keychain App.
2. Export the APNS certificate and its private key into a single p12 file using Keychain App.
3. When you create a new application in Amazon SNS, the platform must match the APNS environment (Development/Production on both sides).
4. When you request a device token, you must be in the right application (the application's bundle identifier matches the APNS certificate).
5. When you create a new platform endpoint in AWS SNS, the device token must be added to the right application (the good application certificate and the good Development/Production platform).

---

In my case I generated the CSR using a third party SSL tool. I obtained a valid certificate from Apple developer portal but without the private key. Then I tried Windows' certificate tool to export without great success. Waste of time. Start your Mac.

Then I used the AmazonMobilePush sample app to get a device token. Because the demo's bundle identifier doesn't match my certificate, the endpoint was invalid. At each SNS sending the endpoint became disabled (false). At the end the cause was obvious, but I still lose precious time.

If you get the error End Point is Disabled, use the code below to enable the endPoint and then Push Notification using Amazon credentials:

*//Enable Device*

var sns = new AmazonSimpleNotificationServiceClient("AwsAccesskeyId", "AwsSecrteAccessKey", RegionEndpoint.USWest1);
Dictionary<string, string> objDictCheckEndpointEnable = new Dictionary<string, string>();
objDictCheckEndpointEnable.Add("Enabled", "False");
sns.SetEndpointAttributes(new SetEndpointAttributesRequest
    {
        Attributes = objDictCheckEndpointEnable,
        EndpointArn = "AwsEndPointArn" //This is Device End Point Arn
    });

*//End*

For me, I was getting the "Platform token associated with the endpoint is not valid" because my SNS Platform Application Endpoints were not set up correctly. Specifically, the SNS console was not reading the credentials correctly from my .p12 file even though it contained the correct cert and private key. The solution, based on this post, was to create a second .p12 file that contained the cert and no key. I loaded the credentials from the first .p12 file, and then loaded the credentials second .p12 file. I could see the cert string change when I did so, and afterward I had no problems.

If you are creating a production endpoint, SNS will warn you about mismatched certs, but it does no such checking for development endpoints. The only way you will know that the endpoint is borked is when you get the platform token error.

I sure hope this helps somebody out there, as it drove me to distraction.

I am using this. If the get endpoint response finds the NotFound error, it creates an endpoint (this should never happen, but hell, it's on AWS SNS documentation website). If that doesn't happen, it means you're getting the info for the endpoint. It can either be ok (tokens match and enabled is true), or the other way around (in which case you need to update it).

    - (void)getEndpointDetailsWithResponse:(void(^)(AWSSNSGetEndpointAttributesResponse *response, AWSTask *))handleResponse {
    NSString * deviceTokenForAWS = [self deviceTokenForAWS];
    AWSSNS *manager = [AWSSNS SNSForKey:@"EUWest1SNS"];
    
    AWSSNSGetEndpointAttributesInput *input = [AWSSNSGetEndpointAttributesInput new];
    input.endpointArn = self.endpointArn;
    AWSTask *getEndpointAttributesTask = [manager getEndpointAttributes:input];
    [getEndpointAttributesTask continueWithBlock:^id(AWSTask *task) {
        NSLog(@"%@ Error: %@", task.result, task.error);
        
        
        AWSSNSGetEndpointAttributesResponse *result = task.result;
        NSError *error = task.error;
        
        if (error.code == AWSSNSErrorNotFound) {
            [self createEndpointWithResponse:^(AWSSNSCreateEndpointResponse *createResponse) {
                
                
                dispatch_async(dispatch_get_main_queue(), ^{
                    if (handleResponse != nil) {
                        handleResponse(result, task);
                    }
                });
            }];
        } else {
            
            NSLog(@"response for get endpoint attributes : %@", result);
            
            NSString *token = [result.attributes valueForKey:@"Token"];
            NSString *enabled = [result.attributes valueForKey:@"Enabled"];
            NSLog(@"token : %@, enabled : %@", token, enabled);
            BOOL wasSuccessful = [token isEqualToString:deviceTokenForAWS] && ([enabled localizedCaseInsensitiveCompare:@"true"] == NSOrderedSame);
            
            if (!wasSuccessful) {
                NSLog(@"device token does not match the AWS token OR it is disabled!");
                NSLog(@"Need to update the endpoint");
                
                AWSSNSSetEndpointAttributesInput *seai = [AWSSNSSetEndpointAttributesInput new];
                seai.endpointArn = self.endpointArn;
            
            NSDictionary *attributes = [NSDictionary dictionaryWithObjectsAndKeys:deviceTokenForAWS, @"Token", @"true", @"Enabled", nil];
            seai.attributes = attributes;
                
                AWSTask *setEndpointAttributesTask = [manager setEndpointAttributes:seai];
                [setEndpointAttributesTask continueWithBlock:^id(AWSTask *task) {
                    NSLog(@"response : %@, error: %@", task.result, task.error);
                    
                    dispatch_async(dispatch_get_main_queue(), ^{
                        if (handleResponse != nil) {
                            handleResponse(result, task);
                        }
                    });
                    return nil;
                }];
                
            } else {
                NSLog(@"all is good with the endpoint");
                
                dispatch_async(dispatch_get_main_queue(), ^{
                    if (handleResponse != nil) {
                        handleResponse(result, task);
                    }
                });
            }
        }
        return nil;
    }];
}

This is the exact replica of the AWS SNS token management documentation found here: https://mobile.awsblog.com/post/Tx223MJB0XKV9RU/Mobile-token-management-with-Amazon-SNS

I can attach the rest of my implementation if needed, but this part is the most important one.