# FCM Service Account Private Key Setup

This guide walks you through setting up Firebase Cloud Messaging (FCM) to enable push notifications in Android apps, using a security-focused, least-privilege approach.

The process has three steps:

1. Create a least-privilege IAM role for push messaging.
2. Generate a service account private key.
3. Upload or hand over the key depending on your app type.

## Prerequisites

You must have a Firebase account and project for your application to start using FCM. If you do not have them, complete the following before proceeding:

- Create a Google account at [accounts.google.com](https://accounts.google.com).
- Create a Firebase project at [console.firebase.google.com](https://console.firebase.google.com).

## 1. Create a Push Notification Role

You need a service account assigned a role with the `cloudmessaging.messages.create` permission.

1. Sign in to [console.firebase.google.com](https://console.firebase.google.com).
2. On the Firebase console, select your softphone project.
3. Select the Project Overview Settings icon > Project settings.
4. On the Project settings pane:
    1. Select the Cloud Messaging tab.
    2. Select Manage Service Accounts for the desired Sender ID.
5. In the IAM & Admin section, select **Roles** on the left navigation menu.
6. On the Roles pane, select **+ CREATE ROLE** at the top navigation bar.
7. Under Create Role, enter a descriptive name for this role in the Title and ID fields.

    !!! note "Example"
        - Title - Acrobits Push Role
        - ID - AcrobitsPushRole

8. Select **+ ADD PERMISSION**, search for `cloudmessaging.messages.create`, and select its check box.

    !!! tip
        To find the permission faster, enter "cloudmessaging" in the filter field, then select `cloudmessaging.messages.create` from the suggestions.

9. Select **ADD**, then select **Create** at the bottom of the pane.

## 2. Create a Service Account

1. In the IAM & Admin section, select **Service Account** on the left navigation menu.
2. Select **+ CREATE SERVICE ACCOUNT** at the top navigation bar.
3. Under Service account details, enter a descriptive name and description.

    !!! note "Example"
        - Service account name - Acrobits Push Service account
        - Service account description - Allow Acrobits to send pushes.

4. Select **CREATE AND CONTINUE**.
5. In Grant this service account access to project, select the **Select a role** drop-down and search for the role created in the previous section (e.g., Acrobits Push Role). Select it.

    !!! tip
        Enter the role title in the Type to filter field to find it quickly.

6. Select **CONTINUE**.

    !!! note
        In Grant users access to this service account, you may leave the Service account users role and Service account admins role fields blank.

7. Select **DONE**.
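
To check the outcome of sections 1 and 2, the following added example (not part of the original guide or of any Acrobits tooling) audits a role definition and a project IAM policy for least privilege. The project ID, account email and sample JSON are constructed placeholders; in practice, pass in the output of `gcloud iam roles describe AcrobitsPushRole --project=PROJECT_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

PUSH_PERMISSION = "cloudmessaging.messages.create"

# Constructed sample data (placeholder project and account names), shaped like
# the JSON printed by the two gcloud commands named in the lead-in.
SAMPLE_ROLE = json.loads("""{
  "name": "projects/example-project/roles/AcrobitsPushRole",
  "title": "Acrobits Push Role",
  "includedPermissions": ["cloudmessaging.messages.create"]
}""")
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "projects/example-project/roles/AcrobitsPushRole",
     "members": ["serviceAccount:push@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}""")
SAMPLE_ACCOUNT = "push@example-project.iam.gserviceaccount.com"


def audit_push_account(role, policy, account_email):
    """Return least-privilege findings; an empty list means the setup matches the guide."""
    findings = []
    member = f"serviceAccount:{account_email}"
    permissions = role.get("includedPermissions", [])

    # The custom role must carry the push permission and nothing else.
    if PUSH_PERMISSION not in permissions:
        findings.append(f"role lacks {PUSH_PERMISSION}")
    extra = sorted(set(permissions) - {PUSH_PERMISSION})
    if extra:
        findings.append(f"role grants extra permissions: {', '.join(extra)}")

    # The service account must be bound to the custom role and to no other role.
    bound = [b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", [])]
    if role["name"] not in bound:
        findings.append("service account is not bound to the push role")
    for other in sorted(set(bound) - {role["name"]}):
        findings.append(f"service account also holds {other}")
    return findings


if __name__ == "__main__":
    result = audit_push_account(SAMPLE_ROLE, SAMPLE_POLICY, SAMPLE_ACCOUNT)
    for line in result or ["OK: service account holds only the push role"]:
        print(line)
```

The project policy lists only bindings set on the project itself; roles inherited from a folder or organization do not appear in it and need a separate check.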

## 3. Download the Service Account Private Key

1. In the IAM & Admin section, select **Service Account** on the left navigation menu.
2. Locate the service account that handles push notifications.
3. Under the Actions column, select the three-dot menu > **Manage keys**.
4. Select **ADD KEY** > **Create new key**.
5. Ensure the **JSON** radio button is selected.
6. Select **CREATE**.
7. Save the private key file to your local computer.

## 4. Deploy the Private Key

=== "Cloud Softphone White-Label"

    1. Log in to the Cloud Softphone portal at [providers.cloudsoftphone.com](https://providers.cloudsoftphone.com).
    2. Select your white-label app softphone project.
    3. Select the Edit button of the Whitelabel options.
    4. At the Android Firebase Private Key section, select the Select file button.
    5. Locate and upload the private key file in JSON format.

=== "SDK-Based App"

    Contact your Acrobits representative through your designated SDK support channel to arrange a secure key handover. Once received, the Acrobits team will deploy the key to the appropriate environment on your behalf.