Firebase Cloud Messaging device groups leak

Posted 2019-05-07 12:14

Question:

I'm going to develop an app that uses the device groups feature. As I understand, I need to first send the current registration token I get on the Android client in the onTokenRefresh method to the server and then add this registration token to the proper device group (or create it if it doesn't exist) via an HTTP request. I see, however, a potential for leaking registration tokens, as an Android app user may, for example, wipe the app's data multiple times. How to prevent it? What happens when a limit of 20 members is exceeded? And is it possible to check whether some group already exists or not?

Answer 1:

I see, however, a potential for leaking registration tokens, as Android app user may for example wipe app's data multiple times. How to prevent it?

If by preventing you mean disabling Clear Data for your app in the App Manager, you should refer to this post. The accepted answer states that it isn't possible.

However, Jakar's answer provides a workaround where, instead of Clear Data, Manage Spaces will show up. Haven't tried it out yet, so I can't say for sure. The upvotes speak for themselves though.

But, if ever the app's data is wiped/cleared by the user, you should refer to what is stated in the FirebaseInstanceId docs:

Instance ID is stable except when:

  • App deletes Instance ID

  • App is restored on a new device

  • User uninstalls/reinstall the app

  • User clears app data

In the above cases a new Instance ID is generated and the application needs to recreate the authorization tokens previously generated implementing onTokenRefresh().


What happens when a limit of 20 members is exceeded?

Not sure what the question is here. But if you are referring to adding more devices to a Device Group than the maximum...

Wasn't able to find it clearly stated in the FCM: Device Group Messaging docs, but if you refer to the Add to group section, it states:

A successful operation returns a notification_key.

So from that, I think if you ever try to add another device to an already maxed out device group, the operation will fail.

I suggest using Topics instead, if you think you're going more than 20. But I don't really know what your use-case is, so.. your call.


And is it possible to check whether some group already exists or not?

For this, you should make use of the notification_key and notification_key_name. As per the docs:

The notification_key_name is a name or identifier (e.g., it can be a username) that is unique to a given group. The notification_key_name and notification_key are unique to a group of registration tokens. It is important that notification_key_name is unique per client app if you have multiple client apps for the same sender ID. This ensures that messages only go to the intended target app.

And emphasizing the statement:

Basic management of device groups — creating and removing groups, and adding or removing devices — is usually performed via the app server.

The keys and names should be on your server, so that you can check if it already exists or not.



Answer 2:

I am currently doing the following with some success but not fully tested or scaled yet.

App uses firebase as the backend and I am adding FCM to implement push notifications.

I need groups to handle when a user could be on different devices or several devices.

I store the returned notification_key value and the registration_id (token) for each device with the profile, i.e.

profiles
   -profile_id
     -FCM
       -notification_key:value
       -registration_ids
         -device_1_uuid:token_for_device_1
         -device_2_uuid:token_for_device_2

When a user first signs on there is no data under the FCM node i.e. no notification_key and no registration_ids

Each time a user signs in they hook up to their profile_id.

I get the FCM token and then

If there is no notification_key (i.e. first time on any device) I create the group using the profile_id as the notification_key_name and store the notification_key that comes back.

If there is a notification_key (return sign-in or first sign-in on a new device) I see if there is a registration_id for the current device and if not (first sign-in on new device), add the device_uuid:token pair to the registration_ids.

If there is (return sign-on) I remove the stored token from the FCM group and replace the old token in my stored registration_ids with the token I just got.

I can now message all of the devices used by that user (profile) by sending to their profile_id, and I shouldn't be leaking tokens because I delete the old ones.

However, I have no way of knowing because there doesn't seem to be an API to just read the group and the tokens so that the groups could be cleaned every now and again.

Also, my early code bugged and I didn't capture the notification_key so now I can't add, remove or do anything to one of my groups. I hate the idea that I'll have to leave burned groups lying around in the firebase cloud for ever and ever.

I think FCM should provide more API access to help us keep the place tidy.
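
The bookkeeping both answers describe (keys and names held on the server, tokens tracked per device), as an added example that is not code from either answerer: it plans the device group request bodies for one sign-in from the stored record. The function names, the record layout and the full-group handling are assumptions made for illustration; the 20-member limit is the figure from the question.

```python
MAX_GROUP_MEMBERS = 20  # limit quoted in the question above


def _op(operation, profile_id, key, token):
    """Build one device group management request body."""
    body = {"operation": operation, "notification_key_name": profile_id,
            "registration_ids": [token]}
    if key is not None:
        body["notification_key"] = key
    return body


def plan_sign_in(profile_id, fcm, device_uuid, new_token):
    """Return (request_bodies, updated_record) for one sign-in.

    fcm is the stored record (constructed layout, mirroring answer 2):
    {"notification_key": str or None, "registration_ids": {device_uuid: token}}
    """
    key = fcm.get("notification_key")
    tokens = dict(fcm.get("registration_ids") or {})
    old = tokens.get(device_uuid)
    if key is None:
        # First sign-in on any device: the group does not exist yet.
        plan = [_op("create", profile_id, None, new_token)]
    elif old == new_token:
        plan = []  # token unchanged, nothing to send
    elif old is None:
        # New device: refuse locally rather than let the add fail remotely.
        if len(tokens) >= MAX_GROUP_MEMBERS:
            raise ValueError("device group is full; prune a stale device first")
        plan = [_op("add", profile_id, key, new_token)]
    else:
        add = _op("add", profile_id, key, new_token)
        remove = _op("remove", profile_id, key, old)
        # Add before remove so the group is never emptied (FCM deletes a group
        # whose last token is removed); a full group has to free a slot first.
        plan = [remove, add] if len(tokens) >= MAX_GROUP_MEMBERS else [add, remove]
    tokens[device_uuid] = new_token
    return plan, {"notification_key": key, "registration_ids": tokens}


def store_created_key(record, response):
    """Persist notification_key from a create response, or fail loudly."""
    if not response.get("notification_key"):
        raise RuntimeError("create response has no notification_key")
    return {**record, "notification_key": response["notification_key"]}
```

Failing in `store_created_key` when the key is missing is what prevents the unmanageable group described in answer 2: without the stored notification_key, no later add or remove can be issued for that group.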