The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

Hi, Please see TN3159: Migrating Sign in with Apple users for an app transfer for more information on the expected end-to-end app transfer and user migration flow. Additionally, if you'd like for the iCloud and App Store engineering teams to confirm if the errors are related to a revoked authorization to previous users accounts, please submit a report via Feedback Assistant and include the following information: Gathering required information for troubleshooting Sign in with Apple user migration To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback. For issues occurring with your user migration, ensure your feedback contains the following information: the primary App ID and Services ID the client secret for the transferring team (Team A) and the recipient team (Team B) the failing request(s), including all parameter values, and error responses (if applicable) the timestamp of when the issue was reproduced (optional) screenshots or videos of errors and unexpected behaviors (optional) Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue. Submitting your feedback Before you submit via Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client. After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

Hi, We currently have in our application homemade authentication system. We are planning on integrating itsme ( https://www.itsme-id.com/en-BE/business/developer ) as an authentication system in our app (more infos: https://belgianmobileid.github.io/doc/ ). itsme is an official Belgian digital identity provider, which provides a platform to quickly and effortlessly identify a user on a website or an application. It is widely used across Belgium (our target market) as a e-ID to authenticate users: https://www.itsme-id.com/en-BE/business/industries/government In regards of this part of the documentation https://developer.apple.com/app-store/review/guidelines/#login-services : I understand that our use case with itsme complies to the following exception: "Your app uses a government or industry-backed citizen identification system or electronic ID to authenticate users" Can you confirm me that this is the case and with the documentation linked above to assess that my understanding of the itsme product in regard to the Appstore guidelines, we don't need to implement Apple Sign In? Thank you in advance. Kind regards

I am experiencing an issue with Apple Sign-In on Vision Pro. When I build and run the app from Xcode, everything works fine—after signing in, the app returns to the foreground as expected. However, when I launch the app directly on Vision Pro (not from Xcode), after completing the sign-in process, the app does not reopen from the background automatically. Instead, it closes, and I have to manually tap the app icon to reopen it. Has anyone else encountered this issue? Is there a way to ensure the app properly resumes after sign-in without requiring manual intervention?

We have 2 developers: Developer A created a Bundle ID and configured Sign in with Apple, but didn't create a corresponding App. This Bundle ID is only used for login on our official website. Developer B created a Bundle ID, configured Sign in with Apple, and has a corresponding App. The issue we're encountering is that because these two Bundle IDs are under different teams, when using the same Apple ID to log into these two applications, different accounts are generated. (We've tested that when creating Service IDs under the same team, logging in with Bundle IDs under the same team generates the same account.) Since Developer A's Bundle ID doesn't have a created app, it cannot be transferred to Developer B. Therefore, we'd like to know if there's any way to make the accounts generated from logging in with the same Apple ID be identical across these two teams?

Hello, I have tried to add Sign in with Apple to my application, and I get to the point where the app asks which AppleID to use and does succesfull facial recognition, but does not return failed or successful validation - the loading animation does not end and just keeps going. I have tried to create the sertificates and provision profiles again. I have also set the entitlements file Apple access level to Default. I don't understand what is going wrong here. Can the certificates be in wrong place? Is something wrong with the code?

My app has been rejected by App Store review because the sign in with Apple functionality is not working properly. I'm able to reproduce the issue on my end but I don't understand why it's happening. I have two other apps that implement the same OAuth flow in an identical manner, and those apps have no issues signing in with Apple. I've copied my OAuth flow to a fresh project to see if that would make a difference, and it gives me the exact same error. In the simulator I get "invalid_request, invalid web redirect URL", and on-device the FaceID authentication fails with a very non-specific "Sign Up Not Completed" error. I'm completely out of ideas here, so any guidance would be appreciated. Thanks!

We're developing a web app and want to add "Sign in with Apple" functionality. We don’t have a native iOS app, but it looks like a native app bundle ID (Primary App ID) is required for configuration. Does this app need to be published on the App Store, or can we create a "dummy" app and use its ID as the Primary App ID? We only need the web experience and don’t plan to build a native app.

Hi, I know it's been discussed before, but I'm testing the Sign in with Apple feature, and I only get the user info on the first try. Now, I know that you're supposed to go to the account settings, and look for the list of accounts that you used your Apple account to sign in with, and it used to work a few months back. But for the last few weeks I haven't been able to get the user info, even after deleting the entry from my Sign In With Apple app list. Has there been a recent change to Apple security policy that prevents such a move from working ? Or am I doing something wrong ? Thank you

In response to inquiries from users, we have confirmed the following phenomenon. If you select "Private email address" in the flow of new user registration with Apple ID, you will not receive the verification code email when performing two-factor authentication. ■User impact If you use your Apple ID to link an external account without making your email address public, you will not receive the authentication code during two-factor authentication and will not be able to proceed. The date and time of the impact is currently unknown. ◎Impact 1: New registration If you select "Private email address" in the flow of registering a new user with Apple ID, the verification code will not be received during two-factor authentication and registration will not be completed. ◎Impact 2: Login of existing account When two-factor authentication is required for an existing account registered with Apple ID set to "Private email address," the verification code is not received and the user cannot log in. →If you have not registered a login method other than Apple ID for the relevant account, there is no other way to log in. ■About workarounds ・I thought that I could avoid this issue by canceling the private setting of my Apple ID, but I was unable to do so. →There is currently no workaround found for existing users who are experiencing this issue. ・However, the scope of influence is limited. ■Cause investigation status Premise: For an Apple ID whose email address is not made public, the two-factor authentication authentication code email follows the following route. ①CDC/GIGYA miraiz-persol.jp (SendGrid) Apple's email server (relay server to hide the user's real email address) User mailbox →Since '1' are working, the problem seems to have occurred after the connection from ② or ③. (At this stage, we cannot determine who is at fault: the user, MIRAIZ, or Apple. We are currently investigating.) ◎Hypothesis ・Is there something wrong with Apple's mail server? ・Is it not delivered because the user's mailbox is full? ■Questions, research, and responses we would like to receive Please check the following two points and reply. 1st point As shown in the attached image, there seems to be no problem with the SPF settings. Is it possible to check to see if any errors have occurred with Apple's mail server? 2nd point Are there any cases where you still can't receive emails even if you deactivate your Apple ID? I would like to know if there are any patterns in which emails are not being delivered in terms of past inquiries or overall specifications

Hey there, I’m currently exploring the possibility of integrating Sign in with Apple into my iOS app and backend. Regarding the iOS app, I’ve read that when a user is signed in, you always need to call getCredentialState on the app’s launch. Is this true? If so, how is it possible to sign the user out then? I intend to incorporate SwiftData and CloudKit into my application. In light of this, I’m curious about your approach to user management. Specifically, I’m wondering if you would store the user’s data in a Redis database after successful authentication on the backend. Or, would you separate the user data and save it using SwiftData/ CloudKit?

We have an app that has failed during the app review for the Japanese market but has been accepted in several other markets successfully. We need the user's name in native Katakana format as we need it to be displayed in our restaurant Point of Sale systems for workers to be able to read and understand. We use 'Sign up with Apple', but when doing so, if this returns an anglicised given and family name, we have to request the customer supply their Katakana format name so that our in-store systems and staff can process and fulfil their orders. When the App Review process automatically tests the app, it uses "Apple John" as a customer's name. Since this is not a Japanese name, we ask for it again in the correct format, or we cannot allow the user to register. This contravenes Apple's rules, and thus, our app is rejected. If the Apple identity used belonged to a user more typical of the target market, it would work as required. Does anyone else have this issue, and how did you work around it? Tim

I've just implemented Sign-In-With-Apple and everything is working perfectly, but my app seems to be in some strange state where users are unable to remove it from the Sign-In-With-Apple section of their settings. Things I've tried: -- Deleting from Mac. (It just stays in the list) -- Deleting from the iPhone (It stays in the list) -- Deleting from account.apple.com (same issue) -- I've noticed in the browser inspector tools I receive a 200 on the DELETE request, but the app remains. -- Multiple users Also have tried: -- Revoking the token through the REST API -- I get an email saying the token has been revoked, but it's still working -- Same code, different app id (works fine!) It seems like maybe my app is in some sort of weird state? Has anyone come across this before?

Hi everyone,  We’ve been trying to submit our app to the App Store for quite some time now, but we’ve encountered multiple rejections despite addressing all the feedback we’ve received. Initially, we resolved a few issues, but there is one recurring problem that continues to block us.  Every time, the review team reports an issue with the “Sign in with Apple” feature, specifically stating: “App did not produce further action when we tapped on Sign in with Apple.”  However, we’ve tested the feature on multiple devices, including iPads and iPhones, targeting all iOS versions from 17 and above. The login process works flawlessly in all our tests. We’ve ensured that we are following Apple’s best practices and have meticulously reviewed our implementation numerous times and also reviewed with another team which implemented it the same way and did got approved.  It’s becoming frustrating as the issue appears to be on the review side. We’ve even uploaded videos demonstrating various scenarios, yet we still receive no detailed feedback. Each review cycle takes about 24 hours, which is significantly delaying our iOS launch.  Has anyone experienced a similar situation, where a working feature consistently fails during App Store review? If so, how did you resolve it? We’re quite behind schedule and would appreciate any advice.   The app is made with Xcode 16.  Thank You!  ------- This is the reviewer notes -------  Guideline 2.1 - Performance - App Completeness Issue Description   The app still exhibited one or more bugs that would negatively impact App Store users.   Bug description: App did not produce further action when we tapped on Sign in with Apple.   Review device details:   Device type: iphone 13 mini & iPad Air (5th generation)  OS version: iPadOS 18.2  Next Steps   Test the app on supported devices to identify and resolve bugs and stability issues before submitting for review.   If the bug cannot be reproduced, try the following:   For new apps, uninstall all previous versions of the app from a device, then install and follow the steps to reproduce.  For app updates, install the new version as an update to the previous version, then follow the steps to reproduce. I have tested it on my ipad using testflight build & even on iphone 13 pro it is working absolutely fine for me. I am not able to reproduce the error on my side.

I am running a service available on both an app and a web platform with "Sign In with Apple." Should I store the tokens separately, or should I overwrite them in a single storage location? When a user requests to sign out, should I revoke both the app and web tokens, or will revoking the app token automatically cover the web token as well?

I have add my domani and email address to Configure Sign in with Apple for Email Communication (https://developer.apple.com/account/resources/services/configure) and it pass SPF already but when it send from server that i setup is had "Error Description : Permanament error. Please do not try again, according to the information returned by the other party to confirm the specific cause of the error. Cause:550 5.1.1 : unauthorized sender" a mail service is on Alibaba Cloud the email that i want to sending to is ending with @privaterelay.appleid.com it that have any solve problem or i missing any thing else ?

Our service has ended and the app has been removed from the App store. This app supported Sign in with Apple, but even if I try to revoke the account from the iOS settings or account.apple.com on the web, but can't delete it and no error is displayed. Does anyone know the cause of this problem or have encountered it? I'm not sure if it's related, but this app was previously transferred from another organization.

Our service includes the Apple web login feature to support "Sign in with Apple" on iOS 12. However, at some point, an error started occurring on the Apple login page in iOS 12, preventing users from proceeding further. Upon checking the Web Inspector console, we found the following error: Failed to load resource: the server responded with a status of 503 (Service Temporarily Unavailable) Please help us resolve this issue so that users can continue using "Sign in with Apple" on iOS 12.

Hello We would like to proceed with the transfer of ownership of the launched app based on the Cafe24 platform.(Web App) Last month, I inquired about how to transfer the Apple account login function together when transferring ownership and received a related manual. When I asked and inquired about help from several developers regarding that part, they all received different answers. Please review the answers below, and I would really appreciate it if you could guide me on how to proceed. Developer 1: Cafe24-based launch apps require a separate transfer of the login function. It does not affect if you do not delete the existing member data in the database, and you only need to activate the login function to the new developer account. Developer 2: Checking and analyzing existing servers and data - Transfer user data to Apple using Apple's Legacy User Identifier - Synchronize user data - Test and modify It has to proceed to the above four steps, and synchronization work is also required to maintain all of the existing user's data because all of the user's identification values change when the login function is transferred. Developer 3: It appears to be a task that needs to be stored in the server database by migrating from the user identifier created in the existing developer account to the user identifier to be used in the new developer account, which is not what the app is supposed to do, and it is recommended to find other experts. Thank you.

I am developing an app that uses Sign In with Apple for authentication, and I need to test different scenarios, such as when a user chooses not to share their email. However, after logging in for the first time, I cannot reset the permissions flow to test again. Even after uninstalling the app, revoking access to the Apple ID in ‘Settings > Apps Using Apple ID,’ and attempting to log in again, only the token (identityToken) is returned, while the full information (email, name, surname) is no longer provided. This makes it difficult to simulate the initial user behavior, especially when choosing to share or not share their email. I would like to know: 1. Is there a way to completely reset the permissions flow so I can test as if it were the first time using the same Apple ID? 2. Are there any recommended solutions for development scenarios without needing to create multiple Apple IDs? Thank you for any guidance on how to proceed.

I was testing an app with AppleSignIn with a Firebase backend and wanted to test account deletion functionality. I was unaware of needing to revoke the token with Apple before proceeding with account deletion. Now, when I try to create a new account with the same appleId email, the token passed to Firebase is invalid and the login fails. As such, I am blocked from testing my app with authenticated Apple users, so I'm trying to understand what the workaround is. Thanks in advance!

Hello Apple Developer Community, We are experiencing an issue with email delivery when users sign in using "Sign in with Apple" on our platform. We need assistance in understanding and resolving this problem. Issue Description: When users choose to hide their email during the "Sign in with Apple" process, Apple provides a private relay email address (e.g., xxxx@***). These private relay email addresses are successfully received and stored in our system via the OIDC protocol implemented on Keycloak. Verification emails are sent from our configured email address to the private relay email addresses. However, users do not receive these emails, and we suspect they are not being forwarded to the user’s actual email address. Steps Taken: Sender Address Configuration: We have verified that our email is properly set up and authorized to send emails. DNS Records: Our DNS records (SPF, DKIM, and DMARC) are configured to comply with email authentication standards. Whitelisting Sender Address: We attempted to whitelist the sender address as per recommendations but have not seen any improvement. Questions: Are there additional DNS configurations or records required for the Apple private relay to forward emails properly? Is there a process to validate our sender address with Apple to ensure email forwarding works? Are there specific guidelines or restrictions for sending emails to privaterelay.appleid.com addresses that we should follow? Is there a way to verify if Apple’s private relay email service is functioning correctly for our domain? Relevant Information: We use Keycloak to implement the OIDC protocol and store the private relay email address during the "Sign in with Apple" process. Our verification emails are sent from our email address. We have referred to the Apple documentation and community posts but could not find a clear resolution. Any guidance or recommendations from the community would be greatly appreciated. Thank you in advance for your support!