Web Service Endpoint

Generate and validate tokens

Validate the authorization grant code with Apple to obtain tokens or validate an existing refresh token.

URL

POST https://appleid.apple.com/auth/token

HTTP Body

form-data

The list of input parameters required for validating the authorization code or refresh token.

Parts

client_id
string
(Required)

(Authorization and Validation) The application identifier for your app.

client_secret
string
(Required)

(Authorization and Validation) A secret generated as a JSON Web Token that uses the secret key generated by the WWDR portal.

code
string

(Authorization) The authorization code received from your application’s user agent. The code is single use only and valid for five minutes.

grant_type
string
(Required)

(Authorization and Validation) The grant type that determines how the client interacts with the server. For authorization code validation, use authorization_code. For refresh token validation requests, use refresh_token.

refresh_token
string

(Validation) The refresh token received during the authorization request.

redirect_uri
string

(Authorization) The destination URI the code was originally sent to.

Response Codes

200 OK

The request was successful.

400 Bad Request

The server was unable to process the request.

Discussion

The validation server returns a TokenResponse object on a successful validation. When using this endpoint for authorizing the user, use the following parameters: client_id, client_secret, grant_type, code, and redirect_uri. When using this endpoint for validating the refresh token, use the following parameters: client_id, client_secret, grant_type, and refresh_token.
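The two parameter sets described above, assembled into the actual POST request, as an added example in Go that is not part of Apple's documentation. It assumes the form-data body is sent URL-encoded with Content-Type application/x-www-form-urlencoded; NewTokenRequest is a name chosen here, and the client secret, code and refresh token values are placeholders for the real ones.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const tokenURL = "https://appleid.apple.com/auth/token"

// NewTokenRequest builds the POST for either flow in the Discussion: the
// authorization_code flow sends code and redirect_uri, the refresh_token flow
// sends refresh_token; client_id, client_secret and grant_type go in both.
// clientSecret is the signed JWT described under "Creating the Client Secret".
func NewTokenRequest(clientID, clientSecret, grantType, credential, redirectURI string) (*http.Request, error) {
	v := url.Values{"client_id": {clientID}, "client_secret": {clientSecret}, "grant_type": {grantType}}
	switch grantType {
	case "authorization_code": // the code is single use and valid for five minutes
		v.Set("code", credential)
		v.Set("redirect_uri", redirectURI)
	case "refresh_token":
		v.Set("refresh_token", credential)
	default:
		return nil, fmt.Errorf("unsupported grant_type %q", grantType)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(v.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

func main() {
	// Placeholder values; a real call uses the signed client_secret JWT and the
	// refresh token returned in an earlier TokenResponse.
	req, err := NewTokenRequest("com.mytest.app", "<signed client_secret JWT>", "refresh_token", "<refresh token>", "")
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL, req.Header.Get("Content-Type"))
	// Send with http.DefaultClient.Do(req); decode TokenResponse on 200, the error body on 400.
}
```

Sending the request with a grant_type other than the two the endpoint defines is rejected locally rather than producing a 400 from the server.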

Creating the Client Secret

The client_secret is a JSON Web Token (JWT) consisting of a JSON header and a claims payload. The header contains:

alg

The algorithm used to sign the token.

kid

A 10-character key identifier obtained from your developer account.

In the claims payload of the token, include:

iss

The issuer registered claim key, which has the value of your 10-character Team ID, obtained from your developer account.

iat

The issued-at registered claim key, whose value is the time at which the token was generated, expressed as the number of seconds since the Unix epoch (UTC).

exp

The expiration-time registered claim key, whose value must not be more than 15777000 seconds (6 months) after the current Unix time on the server.

aud

The audience registered claim key, the value of which identifies the recipient the JWT is intended for. Since this token is meant for Apple, use https://appleid.apple.com.

sub

The subject registered claim key, the value of which identifies the principal that is the subject of the JWT. Use the same value as client_id as this token is meant for your application.

After creating the token, sign it using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm. Set the alg header key to ES256 and the kid header key to the key identifier.

A decoded client_secret JWT has the following header and payload:

{
    "alg": "ES256",
    "kid": "ABC123DEFG"
}
{
    "iss": "DEF123GHIJ",
    "iat": 1437179036,
    "exp": 1493298100,
    "aud": "https://appleid.apple.com",
    "sub": "com.mytest.app"
}
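The procedure above carried through in code, as an added Go example that is not Apple's code: it uses the identifiers from the decoded example, generates a throwaway P-256 key in place of the .p8 key from the developer portal, signs the header and claims with ES256, and then checks its own output against the claim rules the page lists before the token is sent. MakeClientSecret, VerifyClientSecret, Claims and the constants are names chosen here, and the generated key is a constructed stand-in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Identifiers are the ones from the page's decoded example. The key generated in
// main() is a constructed stand-in for the .p8 signing key from the developer portal.
const (
	teamID      = "DEF123GHIJ"
	keyID       = "ABC123DEFG"
	clientID    = "com.mytest.app"
	audience    = "https://appleid.apple.com"
	maxLifetime = 15777000 // six months in seconds, the page's upper bound on exp
)

type Claims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
}

var enc = base64.RawURLEncoding // JWS segments are unpadded base64url

// MakeClientSecret builds the header and claims listed above and signs them with ES256.
// JWS carries an ES256 signature as raw R||S, 32 bytes each, not as ASN.1 DER.
func MakeClientSecret(key *ecdsa.PrivateKey, now time.Time, lifetime time.Duration) (string, error) {
	if int64(lifetime.Seconds()) > maxLifetime {
		return "", errors.New("exp must not be more than six months from now")
	}
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	c, _ := json.Marshal(Claims{Iss: teamID, Iat: now.Unix(), Exp: now.Add(lifetime).Unix(), Aud: audience, Sub: clientID})
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyClientSecret is the check a relying party can run on its own output before
// sending it: signature under the matching public key with alg and kid pinned, then
// the claim rules from the page (iss, aud, sub, not yet expired, exp within six months).
func VerifyClientSecret(token string, pub *ecdsa.PublicKey, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	hb, e1 := enc.DecodeString(parts[0])
	cb, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return c, errors.New("bad base64url segment")
	}
	var h map[string]string // alg is pinned here, never taken from the token on trust
	if json.Unmarshal(hb, &h) != nil || h["alg"] != "ES256" || h["kid"] != keyID {
		return c, errors.New("unexpected alg or kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, errors.New("signature invalid")
	}
	if json.Unmarshal(cb, &c) != nil {
		return c, errors.New("bad claims")
	}
	if c.Iss != teamID || c.Aud != audience || c.Sub != clientID {
		return c, errors.New("iss, aud or sub mismatch")
	}
	if c.Exp <= now.Unix() || c.Exp-c.Iat > maxLifetime {
		return c, errors.New("expired, or exp more than six months after iat")
	}
	return c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the portal key
	secret, _ := MakeClientSecret(key, time.Now(), 24*time.Hour)
	fmt.Println(secret) // goes in the client_secret part of the POST /auth/token body
	fmt.Println(VerifyClientSecret(secret, &key.PublicKey, time.Now()))
}
```

A short lifetime such as the 24 hours used in main() is well inside the six-month ceiling; the check in MakeClientSecret refuses anything longer so the token is never rejected for that reason after the fact. With a real key, load the .p8 file and parse it with x509.ParsePKCS8PrivateKey in place of the ecdsa.GenerateKey call.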