Check the validity and integrity of a user’s identity token.
After your app receives the user information, you can verify their associated identity token with the server to confirm that the token is not expired and ensure it has not been tampered with or replayed to your app. For information about retrieving the identity token, see Authenticating Users with Sign in with Apple.
Verify the Identity Token
Start by securely transmitting the identity token and authorization code to your app server. For more about the information required to verify a user’s identity, see Retrieve the User’s Information from Apple ID Servers.
To verify the identity token, your app server must:
- Verify the JWS E256 signature using the server’s public key
- Verify the `nonce` for the authentication
- Verify that the `iss` field contains `https://appleid.apple.com`
- Verify that the `aud` field is the developer’s `client_id`
- Verify that the current time is earlier than the `exp` value of the token
Obtain a Refresh Token
After verifying the identity token on your server, call the Generate and Validate Tokens endpoint with the authorization code to obtain a refresh token.
On success, the server issues a refresh token, which you use to obtain access tokens with future calls. You may verify the refresh token up to once a day to confirm that the user’s Apple ID on that device is still in good standing with Apple’s servers. Apple’s servers may throttle your call if you attempt to verify a user’s Apple ID more than once a day.
If any step of the token verification fails, direct your app to fetch a new identity token for the user. Obtaining a new identity token on the device requires user interaction.
Manage the User Session
After verifying the identity token, your app is responsible for managing the user session. You may tie the session’s lifetime to successful `getCredentialState(forUserID:completion:)` calls on Apple devices. This is a local, inexpensive, non-network call and is enabled by the Apple ID system that keeps the Apple ID state on a device in sync with Apple servers.
User interaction is required any time a new identity token is requested. User sessions are long-lived on device, so calling for a new identity token on every launch, or more frequently than once a day, can result in your request failing due to throttling.
If the user’s Apple ID changes in the system, calls to `getCredentialState(forUserID:completion:)` indicate that the user changed. Assume that a different user has signed in and log out the app’s currently known user.
For apps running on other systems, use the periodic successful verification of the refresh token to determine the lifetime of the user session.