Single APNs key on multiple applications in one organisation

My organisation maintains multiple applications and there's a confusion about how the APNs keys are supposed to be used. We are using firebase to send push notifications.

So far we have two apple keys for two different applications. But cannot create a third key with APNs activated.

This question indicates that we're supposed to use the same key for all applications.

My questions are:

If we only can create two keys for one organisation is one supposed to be used for production and one for testing/development?

If we use the same keys for multiple unrelated application (unrelated except that the apps are all created by the same organisation) what stops cloud messages from being pushed to the wrong application. Is it related to identifiers for apps? Are we supposed to create a convention to circumvent the problem of sending messages to the wrong app? ( I don't actually think this is a very valid option. It feels very wrong.)

For example:

• using topics with a prefix for each app?
• create device groups, one for each app?

I've asked this question here as well: https://forums.developer.apple.com/message/415911#415911

The key is used to authenticate to the service. It identifies your organisation to the service.

The reason you can have two keys is so that you can create a new one before revoking the old one if the key is compromised.

When an app registers for remote notifications you receive an identifier that is unique for that app on that device. If you have multiple apps on that device each will get a different identifier.

When you send a push notification the identifier ensures that it gets to the right app on the right device.

You need to ensure that you store the identifier against the right app on your backend (or you may have different backends for different apps).