Validate the authorization grant code with Apple to obtain tokens or validate an existing refresh token.
- Sign In with Apple REST API 1.0+
POST https://appleid.apple.com/auth/token
The list of input parameters required for validating the authorization code or refresh token:
- client_id (Authorization and Validation) The application identifier for your app.
- client_secret (Authorization and Validation) A secret generated as a JSON Web Token that uses the secret key generated by the WWDR portal.
- code (Authorization) The authorization code received from your application’s user agent. The code is single use only and valid for five minutes.
- grant_type (Authorization and Validation) The grant type that determines how the client interacts with the server. For authorization code validation, use authorization_code. For refresh token validation requests, use refresh_token.
- refresh_token (Validation) The refresh token received during the authorization request.
- redirect_uri (Authorization) The destination URI the code was originally sent to.
The validation server returns a TokenResponse object on a successful validation. When using this endpoint for authorizing the user, use the following parameters: client_id, client_secret, code, grant_type, and redirect_uri. When using this endpoint for validating the refresh token, use the following parameters: client_id, client_secret, grant_type, and refresh_token.
Creating the Client Secret
The client_secret is a JSON Web Token (JWT) that contains a header and a payload. The header contains:
- alg: The algorithm used to sign the token.
- kid: A 10-character key identifier obtained from your developer account.
In the claims payload of the token, include:
- iss: The issuer registered claim key, which has the value of your 10-character Team ID, obtained from your developer account.
- iat: The issued-at registered claim key, the value of which is the time at which the token was generated, expressed as the number of seconds since the Unix epoch, in UTC.
- exp: The expiration time registered claim key, the value of which must not be more than 15777000 seconds (6 months) after the current Unix time on the server.
- aud: The audience registered claim key, the value of which identifies the recipient the JWT is intended for. Since this token is meant for Apple, use https://appleid.apple.com.
- sub: The subject registered claim key, the value of which identifies the principal that is the subject of the JWT. Use the same value as client_id, as this token is meant for your application.
After creating the token, sign it using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm. Specify the value ES256 in the alg header key. Specify the key identifier in the kid header key.
A decoded client_secret JWT token has the following format: