Verifying a User

Check the validity and integrity of a user’s identity token.


After your app receives the user information, you can verify their associated identity token with the server to confirm that the token is not expired and ensure it has not been tampered with or replayed to your app. For information about retrieving the identity token, see Authenticating Users with Sign in with Apple.

A sequence diagram that describes the flow for verifying a user’s identity.

Verify the Identity Token

Start by securely transmitting the identity token and authorization code to your app server. For more about the information required to verify a user’s identity, see Retrieve the User’s Information from Apple ID Servers.

To verify the identity token, your app server must:

  • Verify the JWS E256 signature using the server’s public key

  • Verify the nonce for the authentication

  • Verify that the iss field contains

  • Verify that the aud field is the developer’s client_id

  • Verify that the time is earlier than the exp value of the token

Obtain a Refresh Token

After verifying the identity token on your server, call the Generate and validate tokens endpoint with the client_id, client_secret, and nonce information.

On success, the server issues a refresh token, which you use to obtain access tokens with future calls. You may verify the refresh token up to once a day to confirm that the user’s Apple ID on that device is still in good standing with Apple’s servers. Apple’s servers may throttle your call if you attempt to verify a user’s Apple ID more than once a day.

If any step of the token verification fails, direct your app to fetch a new identity token for the user. Obtaining a new identity token on the device doesn’t require user interaction.

Manage the User Session

After verifying the identity token, your app is responsible for managing the user session. You may tie the session’s lifetime to successful getCredentialState(forUserID:completion:) calls on Apple devices. This is a local, inexpensive, nonnetwork call and is enabled by the Apple ID system that keeps the Apple ID state on a device in sync with Apple servers.

You may also choose to get a new identity token at any time without user interaction. User sessions are long-lived on device, so calling for a new identity token on every launch, or more frequently than once a day, can result in your request failing due to throttling.

If the user’s Apple ID changes in the system, calls to getCredentialState(forUserID:completion:) indicate that the user changed. Assume that a different user has signed in and log out the app’s currently known user.

For apps running on other systems, use the periodic successful verification of the refresh token to determine the lifetime of the user session.

See Also

Authentication and Verification of Users

Authenticating Users with Sign in with Apple

Securely authenticate users, and create an account in your app for users to log in to.