I'm working on integrating Sign In with Apple into my app. The app is written in React Native using expo and I'm using this component nearly exactly for now. https://docs.expo.io/versions/latest/sdk/apple-authentication/#usage
I've been able to successfully generate the Authorization Grant code with this component, however, I've been unable to validate it server side. Here is the error I'm currently getting:
{
"error": "invalid_grant",
"error_description": "The code has expired or has been revoked."
}
Details
I've added a Sign In with Apple key to my app and downloaded the private key. I've published the app to TestFlight so I get my own bundle identifier and not Expo's in the simulator.
This is the format of the authorization grant code from the first request (not JSON formatting, as it's output from Go):
{
realUserStatus:1 ,
authorizationCode:xxxx ,
fullName:{
middleName:null
nameSuffix:null
namePrefix:null
givenName:null
familyName:null
nickname:null}
state:null
identityToken:xxxxxxx
email:null
user:xxxxx
}
I'm using this library to generate the verification request: https://github.com/pagnihotry/siwago
I'm running a Go script from my laptop (not a domain associated with the app), as well as copying/pasting information into Postman.
Both methods are using x-www-form-urlencoded. The Go app is signing the client_secret, and I assume it's the correct way because I'm no longer getting a 400 invalid_client. I've decoded the client_secret and confirmed that the validation request is formatted:
{
"alg": "ES256",
"kid": "SECRET_KEY_ID"
}
{
"iss": "TEAM_ID",
"iat": 1626740200,
"exp": 1629332200,
"aud": "https://appleid.apple.com",
"sub": "BUNDLE_ID"
}
I've confirmed that the client secret is signed with my private key by validating it against my private key's public complement.
The form data for the authorization request to https://appleid.apple.com/auth/token is (no punctuation on values):
client_id: [BUNDLE_ID]
client_secret: [signed secret]
code: [authorizationCode] (from the Authorization grant code)
grant_type: authorization_code
redirect_uri: [left empty in go, not a key in Postman]
I've requested my authorization code repeatedly and thought that I might be throttled, but then I tried a brand new one on the first attempt and still got the invalid_grant response.
Looking for any help, I've spent the past two solid days on this and am exhausted.
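As an added example (not the poster's script and not the siwago library), the following Go program builds a client_secret with exactly the header and claims shown above and then runs a local pre-flight check on it before it would be sent to /auth/token: the ES256 signature must verify against the key's public half, and iss, sub, aud and the iat/exp window must hold the values Apple requires. The key, key ID, Team ID and bundle ID are constructed placeholders; the six-month cap on exp minus iat is Apple's documented limit for this secret.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "encoding/base64"
	"encoding/json"; "fmt"; "math/big"; "strings"
)
// Claims Apple's token endpoint expects in the client_secret JWT.
type Claims struct {
	Iss string `json:"iss"` // Team ID
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"` // Apple rejects exp more than six months after iat
	Aud string `json:"aud"` // always https://appleid.apple.com
	Sub string `json:"sub"` // bundle identifier; must equal the client_id form field
}
const AppleAud, MaxLifetime = "https://appleid.apple.com", 15777000 // six months in seconds
func b64(b []byte) string  { return base64.RawURLEncoding.EncodeToString(b) }
func hash(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// NewKey generates a throwaway P-256 key standing in for the .p8 key from the developer portal (placeholder).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// BuildClientSecret returns the ES256-signed compact JWS that goes in the client_secret form field.
func BuildClientSecret(key *ecdsa.PrivateKey, keyID, teamID, bundleID string, iat, lifetimeSec int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	body, _ := json.Marshal(Claims{teamID, iat, iat + lifetimeSec, AppleAud, bundleID})
	input := b64(hdr) + "." + b64(body)
	r, s, err := ecdsa.Sign(rand.Reader, key, hash(input))
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw r||s (32 bytes each), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}
// CheckClientSecret is a pre-flight check before calling /auth/token: signature, issuer, subject, audience and lifetime as of nowUnix.
func CheckClientSecret(token string, pub *ecdsa.PublicKey, teamID, bundleID string, nowUnix int64) error {
	p := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || len(sig) != 64 || !ecdsa.Verify(pub, hash(p[0]+"."+p[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("not a well-formed ES256 JWS signed by this key")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("claims segment is not valid JSON")
	}
	if c.Iss != teamID || c.Sub != bundleID || c.Aud != AppleAud || c.Exp-c.Iat > MaxLifetime || nowUnix >= c.Exp {
		return fmt.Errorf("claims rejected: %+v at now=%d (exp-iat must be at most %d s)", c, nowUnix, MaxLifetime)
	}
	return nil
}
```

A secret that passes this check but still yields invalid_grant points away from the client_secret and toward the code or the other form fields.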