The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

Hi, Please see TN3159: Migrating Sign in with Apple users for an app transfer for more information on the expected end-to-end app transfer and user migration flow. Additionally, if you'd like for the iCloud and App Store engineering teams to confirm if the errors are related to a revoked authorization to previous users accounts, please submit a report via Feedback Assistant and include the following information: Gathering required information for troubleshooting Sign in with Apple user migration To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback. For issues occurring with your user migration, ensure your feedback contains the following information: the primary App ID and Services ID the client secret for the transferring team (Team A) and the recipient team (Team B) the failing request(s), including all parameter values, and error responses (if applicable) the timestamp of when the issue was reproduced (optional) screenshots or videos of errors and unexpected behaviors (optional) Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue. Submitting your feedback Before you submit via Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client. After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

I have tried everything to get the user field returned with Sign in flow and it never does, not for new users, not even if i create a new app! Working with Apple is so frustrating and you have to pay for it!! Referencing this page, I am using scope=name email. I have tried using + and %20 as the spacer and neither makes a difference. I have also tried setting response_type = code and code id_token (again with + and %20 as the spacer) which also doesn't make a difference. Always the id_token is returned and always the email, but never the user. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms#3332115 AUTHORIZE REQUEST https://appleid.apple.com/auth/authorize? { "response_type": "code", "client_id": "com.example.service", "scope": "name email", "state": "77264297-813c-4738-83ef-f1b77daea04c", "redirect_uri": "https://example.com/auth/apple/callback", "code_challenge_method": "S256", "code_challenge": "2SJCneEpjKcN.....xIIHnpqcvjK_Y0s", "access_type": "offline", "nonce": "1734523662", "response_mode": "form_post" } TOKEN REQUEST https://appleid.apple.com/auth/token? { "grant_type": "authorization_code", "code": "c870aaec987a14.....dqakaGP4Yn1nH3dnPgww", "client_id": "com.hikesync.service", "client_secret": "eyJhbGciOiJFUzI....3izij6dojYfdV6JMdbQPx3sOA", "redirect_uri": "https://hikesync.com/auth/apple/callback", "code_verifier": "38hHUC....mYuE0zfYVNTycg" } RESPONSE { "access_token": "a2b70e12d38b446....4hA7-RLNj0ifU5Q", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "rb4ed9be2b4024......w5RWjVFUQ", "id_token": "eyJraWQiOiJyQlJmV.......0Df0ihEJiA" } JWT { "iss": "https://appleid.apple.com", "aud": "SERVICE_ID", "exp": 1734606699, "iat": 1734520299, "sub": "000000.f7f7c0ac.....db9fad7e19.1111", "nonce": "NONCE", "at_hash": "NAfjmciTi2NtmPYIMAgjig", "email": "abc123@privaterelay.appleid.com", "email_verified": true, "is_private_email": true, "auth_time": 1734520297, "nonce_supported": true }

We are developing a captive portal for a community Wi-Fi service that will be deployed to thousands of locations around the world. The service is a paid service that sells Wi-Fi connectivity by data volume rather than time. We want to enable our customers to Sign in with Apple without giving them full internet access until they have made a purchase. This requires us to whitelist domains and URLs to make this work. Where can I find a complete list of domains that are required for Sign in with Apple to function correctly? It’s not possible for us to whitelist *.apple.com because that results in significant (free) background network traffic during the sign in process. So far we have whitelisted: account.apple.com appleid.apple.com appleid.apple-cdn.com idmsa.apple.com gsa.apple.com mzstatic.com Our customers are still having issues with Sign in with Apple while interacting with our captive portal in the iOS pseudo browser. How can we debug this because we cannot use the Safari developer tools with the pseudo browser. Are there any logs when doing this on a Mac that we can check in the Console? If we kick the user out to Safari then they are able to complete the Sign in with Apple process, but that is not the user experience we want.

We have confirmed that our app is not grouped for SIWA. And all other transfer criteria are met. Why do we still get this error? I did not see anything about you cannot transfer an app with SIWA enabled in the doc.

I was referred to here, #102484182418 I'm trying to setup apple login on my community site but I'm having a hard time getting it to work. I keep getting "invalid_request​ Invalid client id or web redirect url." The last tech said she thanks its setup right but we could not get it to work. Here are my steps https://xenforo.com/docs/xf2/connected-account-apple/ I just someone to look at my Certificates, Identifiers & Profiles and make sure I have them setup right.

Hi everyone, I'm developing a minimal Safari web extension for macOS and trying to implement "Sign in with Apple" directly from the extension popup, as per Apple's guidelines it's prohibited to open a new tab/window: Guideline 4.0 - Design: The user is taken to a new Safari window or tab to sign in or register for an account, which provides a poor user experience. What I've Done So Far Created an App ID with "Sign in with Apple" enabled and configured. Created a Service ID with the "Sign in" feature enabled. Enabled "Sign in with Apple" for native targets in Xcode Added the following JavaScript code in my popup.html file to initialize the Apple JS API and handle authentication via a popup: <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> <script> // have tried many different configurations here - nothing works! AppleID.auth.init({ clientId: '<valid client ID>', redirectURI: '<valid URL>', usePopup: true, }); document.getElementById('sign-in-button-apple') .addEventListener('click', () => { AppleID.auth.signIn().then((response) => { console.log('Success', response) }).catch((error) => { console.error('Error', error) }); }); </script> I also added event listeners for AppleID events: document.addEventListener('AppleIDSignInOnSuccess', (event) => { console.log('Success', event); }); document.addEventListener('AppleIDSignInOnFailure', (event) => { console.log('Error', event); }); Issue When I click the "Sign in" button in the popup, a native macOS dialog appears for authorization. However, after confirming sign-in, the modal just closes and no response (success or error) is logged in the console. Expected behavior To receive a success message or an error in the console about the authorization process result. Questions Service ID Configuration: Since the popup's location URL is safari-web-extension://<random-url>, I can't add it to the supported redirect URLs in the Service ID settings. Is there a way to work around this? Safari Web Extension Setup: Are there specific configurations required in Xcode to enable "Sign in with Apple" within a Safari web extension? Sign-In Method: Am I correctly implementing the signIn method in the JavaScript code? Could there be any constraints or special considerations for running it within an extension popup? I would greatly appreciate any guidance, examples, or documentation that can help resolve this issue. Thank you in advance!

Hi We use login using apple id feature in our website. However when it comes to apple id, it is possible for user to hide the original email and show a relay email. We have found that this relay email doesn't work Hence looking for a possible solution to acquire the real email from the user. Is there a possibility in doing that? any help would be greatly appreciated. Best Regards Hasintha

Hello, These questions are in regard to transferring Sign in With Apple users as part of an app transfer to another developer team. We’ve already read and absorbed the following documents from Apple, but we still have questions that aren’t covered in these documents, due to the unique nature of our use case. Transferring Your Apps and Users to Another Team Bringing New Apps and Users Into Your Team Resolving Sign in with Apple Response Errors Background: We have a suite of three apps that we are tranferring to another developer team. Each app supports Sign In With Apple. Our accounts/users are shared among all three apps. We have all three apps currently grouped together for SIWA. We’re aware that we will need to un-group them before doing the SIWA user transfer. Questions: The API for generating and exchanging transferIDs for users (endpoint /auth/usermigrationinfo) requires a parameter client_id which is described in the docs as "The identifier (App ID or Services ID) for the transferring app." Since we are transferring a set of three apps which share users, we aren’t sure which AppID to use, or whether it matters? We’re assuming we only need to transfer the users once in total (not once-per-app), is this correct? Does it matter which of the three apps’ AppID we use for this? To give more specific context to this question, here’s a more detailed example: For simplicity’s sake, let’s say we have 10 user accounts total, and any of them could sign into any of our three apps. Users 1-7 have signed into all three apps previously User8 has only signed into AppA User9 has only signed into AppB User10 has only signed into AppC Ideally we want to transfer all 10 users all at once. Does it matter which AppID we use for client_id? For example, if we use AppA as the client_id, will we still be able to transfer all 10 users (including User9 and User10)? We’ve tested this on the sender team side, and we’re able to successfully create transferIDs for all 10 users using AppA as client_id. But we’re not sure if this will still work on the recipient side, that we’ll be able to exchange the transferID for all 10 users. . To add another wrinkle, there is a possibility that we won’t be able to transfer one of our three apps (due to one of Apple’s limitations for app transfer). In that case we’ll have to create a new app on the recipient team and shut down the old one on the sender team. But the other two apps in the suite would still be transferred normally. We’d still want all 10 users to be transferred, as the intention is still that all our users can sign into any of their existing accounts in any of the three apps. Would this scenario change the answer to question 1? For example, say we aren’t able to transfer AppC over to the new development team, but instead had to create a new app, AppCNew on the new development team. But we still are able to transfer AppA and AppB. Would we still be able to transfer all 10 users using AppA as the client_id? Including User10 who only ever signed in to AppC (which isn’t being transferred)? We'd really appreciate any answers or guidance that anyone can provide. Thank you, Adam

Hello, We recently transferred our iOS app from an individual developer account to a corporate account. By following this guide (link), we successfully obtained the transfer identifiers for all our current users and have stored the data fetched from Apple. Now that the transfer has been completed for about 10 hours, we're attempting to remap the old identifiers to the new ones using this guide (link). Unfortunately, all our requests are returning an 'invalid_request' error. I've noticed others have faced the same problem, but I haven't found a solution yet. Can anyone help me resolve this issue?

https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens/ As shown in the documentation, when I tested via curl, I received a response with status 200, but when I logged in to account.apple.com with the linked account, it shows that it is still connected. I would like to know if there is any additional way to verify that the revoke api is working properly.

Hello Developers, I have ran into a problem while sending mail to apple private relay email. We have built a mobile application where user can sign up through apple and they can sign up using hide-my-email feature. Which provides private relay address for us. Now we want to communicate with them using private relay mail address. The technology we are using to send emails are amazon SES, have done SPF, DMIK, DMARC and added domains in apple identity services for mail communication, passed an SPF check as well. But still mail is not getting delivered what am i doing wrong or apple doesn't support third party apps for sending emails to private relay? Is there any other way to achieve this please let me know Using the same body as attached in image is working fine for rest emails.

Hi there - I maintain the react-native-apple-authentication module which allows react native developers to implement sign in with Apple When testing we noticed that code working perfectly in iOS17 Simulators now fails on iOS18/18.1 Simulators. Specifically, the credential status is always revoked when testing on an iOS18+ Simulator. The same code works perfectly on a real device running iOS18 or 18.1 so this appears to be a Simulator bug. This is problematic because App review is frequently performed on a Simulator, so there are false-negative test results for Sign In With Apple from reviewers when they use iOS18 emulators, resulting in App submission rejections. We're tracking this here, with some results posted and an example app in-repo that demonstrates the issue: https://github.com/invertase/react-native-apple-authentication/issues/356 It would be great to see the Simulator fixed so that it works correctly with Sign In With Apple again. Thanks

I am researching to apply Apple Sign In to my app. I see response data from Apple just include user name and email (phone number is not required also), but currently my app has only one login method that is by phone number. So I would like to ask:
 Can I request an phone number (by an customize popup) from the user after Signin Apple successfully? If not then which approach that can I apply? Many thanks!

Hi everyone, I'm having a recurring issue with the "Sign in with Apple" integration in my web app, and I’m hoping someone here can help or share insights. Here’s the situation: I implemented "Sign in with Apple" following the official documentation, and it worked perfectly at first. After about two weeks, I started getting the "invalid_client" error when redirecting to the authentication page. I reviewed everything and discovered I hadn’t set up the email configuration properly in the Apple Developer Console. Once I fixed that, it worked fine again. Now, the same error ("invalid_client") has returned, and I’ve triple-checked every part of my configuration: The service ID, redirect URIs, and domain settings match exactly. The client_secret is generated correctly with all required fields (iss, iat, exp, aud, and sub) and signed with ES256. My server time is synchronized. Nothing has changed in my code or configuration since it last worked. This seems to be an issue on Apple’s end because everything was functioning perfectly before, and I’ve already resolved this once by updating settings in the Developer Console. Has anyone else faced this issue? Is there something I might be missing, or could this be a problem with Apple’s service? Any advice or guidance would be greatly appreciated!

Private relay emails are ending up in the spam folder, even though SPF and DKIM are set up correctly.

Hello I have a problem with provisionprofile file. I have created Identifier with Sign in with Apple capability turned on, created Profile with Developer ID selected and now I try to export archive with generated Developer ID provision file but it says "Profile doesn't support Sign in with Apple" Also interesting thing that default provisions like macOS App Development Mac App Store Connect don't show such error when I try to export archive Maybe this problem is only related to Developer ID provision and Direct Distribution doesn't support Sign in with Apple, but I havent found proves about this idea

Our product uses the “Sign in with Apple” feature, and now we need to transfer it to Apple. After reading the documentation, I still have questions and would like to get answers. Q1:Transfer App: After the receiving team receives the App, is the unique identifier obtained by the client App program login the original one? Or is it newly generated? If it is newly generated, from what point in time will it be newly generated? Q2:Transfer App: Is there any validity period for the transfer identifier? About how long? What will happen after the transfer identifier is expired? Q3:When does the transfer identifier (transfer identifier) start to be generated, when the transfer request is initiated or when the transfer is completed, and when I get the transfer identifier, can I directly exchange it for the receiving team's unique identifier? Looking forward to a reply, thanks!

Hey, There are two apps, App A and App B. Both apps do not have Sign in with Apple configured currently, so there are no Sign in with Apple users to transfer. I want to configure this for both apps. App A is on developer team A. App B is on developer team B. They are not on the same developer accounts. It is my understanding that both accounts need to be on the same developer team/account to get the same unique identifiers (e.g. sub id and private relay email address) for privacy reasons. Desired Behavior: When a single user logs into either app A or app B with the newly exposed Sign in with Apple functionality, I need apple to return me the same unique identifiers (e.g. sub and email), so that I can uniquely identify the same user across app A and app B. How can I do this without ANY customer impact.

We recently transferred our app from one developer account to a new one, internally. We're trying to transfer our sign in with apple users, but have hit a snag on the first step. I'm following the instructions here to "Obtain the user access token": https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team This is my request as created in postman: curl --location 'https://appleid.apple.com/auth/token/' --form 'grant_type="client_credentials"' --form 'scope="user.migration"' --form 'client_id="com.XXXXX"' --form 'client_secret="XXXXX"' No matter what I try, I always receive invalid_client. I've uploaded example JWTs in FB15648650.

Hi everyone, I'm working on a hybrid web application that will serve as a unified login page for two of my existing apps. Both apps currently utilize Apple Sign In with separate app IDs. To provide a seamless user experience, I plan to create a unified login page that displays two distinct Apple Sign In buttons: "Log in with A Service" and "Log in with B Service". Each button will link to the respective Apple Sign In flow for that specific service and app ID. I'm seeking guidance on the following: Apple's Guidelines: Are there any specific Apple guidelines or restrictions that prohibit or discourage the display of multiple Apple Sign In buttons on a single page within a hybrid web app context? I appreciate any insights or suggestions you can provide. Thank you

Hi, I've been working to build Apple sign in into my application using a low code tool called GeneXus. The instructions seem pretty straight forward however it's not working when I try signing in from the app. See GeneXus instructions here: https://wiki.genexus.com/commwiki/wiki?44478,GAM+-+Apple+Authentication+type The only section that I didn't do was to verify the domain which according to the instructions is required for apple sign in to work. This was backed up by the GeneXus support team. I can't find how to verify the domain though? The support team seem to think Apple will send me the domain association file detailed in the link below and I simply add that to the server: https://developer.apple.com/documentation/xcode/supporting-associated-domains#Add-the-associated-domains-entitlement-to-your-app However I can't find where this file would be generated? I also can't see the button to register the domain in the first place!