Really can't believe this was so simple in the end. The problem was the subject in the JWT. I actually did have subject, but it was malformed (or at least malformed according to Apple's restrictions). My subject was in the format "mailto: <email_address>". It seems Safari doesn't like the space or the angle brackets.

A bit unrelated, but just wondering if you have managed to get this working yet? I am trying to do the same, but when I send a notification to https://web.push.apple.com I receive a 403 with reason BadJwtToken as you can see from the logs below: 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "POST /QN5I5mx9vmEotORPX9aPdim6RePBT2qnDh-2U75xyu0H1Y2VZV0ab_tuUBBb_Ockgj6dq0g84yWzrKwP7VBs7y9eZ8i0tZRbWrfHsNbtNjacIeOBWsYq-r039iQETW6nQmS00cbzA7BEXrz2NsRr1_JRBUQvQK8xwi7kFlNGW_o HTTP/1.1[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Authorization: WebPush eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJodHRwczovL3dlYi5wdXNoLmFwcGxlLmNvbSIsImV4cCI6MTY3NzAyMjk0NCwic3ViIjoibWFpbHRvOiA8aW5mb0BtZHNnbG9iYWwuY29tPiJ9.ujc8ZMuxs41I0Ca_VT30g4C6p0qRGWgXOe9xNUOExe9CbBKg1LRi5BrmHAjAGt-cXp54LS3279WaErag9shfZA[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Content-Encoding: aesgcm[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Encryption: salt=Ah-Arn55Qmgq4WdxsxeTtQ[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Urgency: normal[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "TTL: 2419200[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Crypto-Key: dh=BBXUBajK8nTVgz0GabyD9zlpbz9Pkg1KTzL75iC7boGGtTNlf1rchMJ7V6NI0DkNiV4u3m6wgrQD3D4YF-Q6Wvw=;p256ecdsa=BKjlmDj7I5JkC3I2clsddfl7rklur8OIIx8_EKvDfpdrebwKRebZChSCIqKp64nkkyq4IWpUlVoDQ2CKK4axUjo[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Content-Type: application/octet-stream[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Content-Length: 205[\r][\n]" 2023-02-21 11:42:25.388 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 >> "Host: web.push.apple.com[\r][\n]" ... 2023-02-21 11:42:25.511 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 << "HTTP/1.1 403 Forbidden[\r][\n]" 2023-02-21 11:42:25.511 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 << "content-type: text/plain; charset=UTF-8[\r][\n]" 2023-02-21 11:42:25.511 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 << "content-length: 24[\r][\n]" 2023-02-21 11:42:25.511 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 << "apns-id: 6DB81D2C-38BC-97B9-650D-2B8960C4BC5B[\r][\n]" 2023-02-21 11:42:25.511 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 << "[\r][\n]" 2023-02-21 11:42:25.511 DEBUG 20308 --- [/O dispatcher 1] org.apache.http.wire : http-outgoing-0 << "{"reason":"BadJwtToken"}" I can't see an issue with the JWT. The exact same code works perfect when sending to a Chrome endpoint.