A push service (in this context, mobile app push) requires a remote server to send a signal to your mobile phone, which triggers the push message that you see. Generally, this step is handled by Apple, Google or a similar company that builds the mobile phone system.
Centralized platforms have an overview of all mobile apps and phones connected to their service, so they can notify the servers of Apple, Google or similar to send push messages to your phone.
For decentralized platforms like Mastodon, each instance does not have such an overview of connected mobile devices, so a push relay needs to be set up between each instance and your mobile devices.
In the tooot app, you tell tooot's server that you are interested in using the push notification service. In this step, the tooot app acquires a token unique to the app installation, generated by Expo's push service, which tooot relies on. After that, the tooot app registers this token with tooot's push server.
Tooot's server registers the token received above and returns 3 newly generated tokens to the tooot app, to be used for encryption later on. At this stage, tooot's server still holds the tokens for decryption, but they are not being used.
Tooot's server also generates a unique endpoint URL, that is, a link that your logged-in instance (e.g. mastodon.social) can send push messages to.
After the tooot app has received the 3 tokens for encrypting messages as well as the endpoint URL, it sends all this information to your logged-in instance (e.g. mastodon.social), so that the instance can encrypt a message that only you can decrypt and also knows where to send this push message (tooot's relay server).
Based on the above information, your logged-in instance (e.g. mastodon.social) lets you know that everything is okay, and also sends the tooot app a unique token that only this particular instance uses to identify itself.
Lastly, the tooot app sends this server-unique token back to tooot's relay server, so that tooot's server can verify that a received push message is indeed coming from a known server, preventing possible spam.
At this stage, the tooot app also lets tooot's relay server know whether you want tooot's relay server to have the ability to decrypt the message. If not, which is the default, tooot's relay server removes the 3 generated tokens mentioned in step 2 from its server. After that, only you will be able to decrypt the message.
-"How Push Works"
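The relay-side bookkeeping described in the steps above, as an added sketch that is not tooot's own code. The class and method names, the relay.example URL and the idea that the instance presents its token with every push are assumptions; the three key tokens are random placeholders, not real key material.

```python
import hmac
import secrets

class Relay:
    """Hypothetical model of the relay's per-installation state."""

    def __init__(self):
        self.subs = {}  # endpoint id -> subscription record

    def register(self, expo_token):
        # Store the Expo installation token, mint 3 key tokens and an endpoint.
        eid = secrets.token_urlsafe(16)
        keys = [secrets.token_urlsafe(32) for _ in range(3)]  # placeholders
        self.subs[eid] = {"expo": expo_token, "keys": keys, "server_token": None}
        return "https://relay.example/push/" + eid, list(keys)

    def confirm(self, endpoint, server_token, relay_may_decrypt=False):
        # The app reports the instance's token and the decryption preference.
        rec = self.subs[endpoint.rsplit("/", 1)[1]]
        rec["server_token"] = server_token
        if not relay_may_decrypt:
            rec["keys"] = None  # default: relay drops its copy of the keys

    def receive(self, endpoint, presented_token):
        # Accept a push only for a confirmed endpoint and the known instance.
        rec = self.subs.get(endpoint.rsplit("/", 1)[1])
        if rec is None or rec["server_token"] is None:
            return "rejected"
        if not hmac.compare_digest(rec["server_token"].encode(),
                                   presented_token.encode()):
            return "rejected"
        return "forward-readable" if rec["keys"] else "forward-opaque"

def demo(relay_may_decrypt=False):
    relay = Relay()
    endpoint, app_keys = relay.register("ExpoToken-constructed")
    instance_token = secrets.token_urlsafe(32)  # what the instance hands the app
    relay.confirm(endpoint, instance_token, relay_may_decrypt)
    return {
        "known_instance": relay.receive(endpoint, instance_token),
        "unknown_sender": relay.receive(endpoint, "not-the-instance-token"),
        "unknown_endpoint": relay.receive("https://relay.example/push/nope", instance_token),
        "app_still_has_keys": len(app_keys) == 3,
    }

if __name__ == "__main__":
    print(demo())
    print(demo(relay_may_decrypt=True))
```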