The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions.
If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials:
Delete the user’s account data from your systems.
Direct the user to manually revoke access for your client.
Respond to the credential revoked notification to revert the client to an unauthenticated state
Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button.
Respond to the credential revoked notification
Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:
For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification.
For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type.
When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion:
Deleted all user-related account data, including:
The token used for token revocation;
Any user-related data stored in your app servers; and
Any user-related data store in the Keychain or securely on disk in the native app or locally on web client.
Reverted the client to an unauthenticated state.
Securely store user tokens for account creations
For all new user account creations, follow the expected authorization flow below:
Securely transmit the identity token and authorization code to your app server.
Verify the identity token and validate the authorization code using the /auth/token endpoint.
Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token.
Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests).
For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens.
If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.
Sign in with Apple
RSS for tagSign in with Apple enables users to sign into apps and websites using their Apple ID.
Posts under Sign in with Apple tag
138 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hello,
I have implemented Sign in with Apple in my iOS app and am currently trying to implement the revocation feature. However, I keep encountering an invalid_client error when calling the Apple authentication/revocation API.
Here are the details of my configuration:
Team ID: HUGD2H952H
Client ID: com.puppylink.puppylinkapp
Key ID: KXSYK98424
I am using these details to generate a client secret with the JWT ES256 algorithm. Below is the code I am using on the backend server to generate the client secret:
private fun makeClientSecret(): String {
val now: ZonedDateTime = ZonedDateTime.now(ZoneOffset.UTC)
val expirationTime: ZonedDateTime = now.plusMinutes(5) // Setting expiration time to 5 minutes
return Jwts.builder()
.setHeaderParam(JwsHeader.KEY_ID, appleProperties.keyId)
.setHeaderParam("alg", "ES256")
.setIssuer(appleProperties.teamId)
.setIssuedAt(Date.from(now.toInstant()))
.setExpiration(Date.from(expirationTime.toInstant()))
.setAudience("https://appleid.apple.com")
.setSubject(appleProperties.clientId)
.signWith(getPrivateKey(), SignatureAlgorithm.ES256)
.compact()
}
private fun getPrivateKey(): PrivateKey {
val resource = ClassPathResource(appleProperties.privateKeyFile)
val privateKey = String(Files.readAllBytes(Paths.get(resource.uri)))
val pemReader: Reader = StringReader(privateKey)
val pemParser = PEMParser(pemReader)
val converter = JcaPEMKeyConverter()
val keyInfo = pemParser.readObject() as PrivateKeyInfo
return converter.getPrivateKey(keyInfo)
}
}
Additionally, here is the code used to call the Apple authentication API from the backend server:
@Service
class AppleAuthService(
private val appleProperties: AppleProperties,
) {
private val logger = LoggerFactory.getLogger(javaClass)
private val restTemplate = RestTemplate()
fun getTokens(authorizationCode: String): TokenResponse {
try {
val clientSecret = makeClientSecret()
val formData: MultiValueMap<String, String> = LinkedMultiValueMap()
formData.add("client_id", appleProperties.clientId)
formData.add("client_secret", clientSecret)
formData.add("code", authorizationCode)
formData.add("grant_type", "authorization_code")
val headers = HttpHeaders()
headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
val requestEntity = HttpEntity(formData, headers)
val response =
restTemplate.postForObject(
"https://appleid.apple.com/auth/token",
requestEntity,
TokenResponse::class.java,
)
return response ?: throw RuntimeException("Failed to retrieve tokens from Apple")
} catch (ex: Exception) {
logger.error("Error retrieving tokens: ", ex)
throw ex
}
}
data class TokenResponse(
val access_token: String,
val expires_in: Long,
val id_token: String,
val refresh_token: String,
val token_type: String,
)
Despite generating the client secret correctly, I am still receiving the invalid_client error when calling the API. Could you please help me identify the cause of this error and provide guidance on how to resolve it?
Thank you.
I have an app at work that supports Sign In With Apple so that users can create accounts and have their data synced to servers.
A couple of years ago one of the users created an account using Sign In With Apple, choosing to use Hide My Email as well (so that their email that the app received looks like *****@privaterelay.appleid.com).
The legacy in-house backend of the app unfortunately uses email addresses as user identifiers with the unlucky assumption that emails remain the same. The app doesn't offer users the ability to change email addresses.
The user in question recently reported that since very recently they are no longer able to use the app. It turns out that their Sign In With Apple email address for my app had changed at some point. They shared an iPhone screenshot of their Sign In With Apple settings for the app. The screenshot says that they created an account for this app two years ago, but the email address in the "This app received" field is different to one that they initially signed up with, and it's also a Hide My Email address.
It's important to note that this app was also transferred between developer accounts about a year ago, and since then this user, including thousands of other users didn't have issues using Sign In With Apple.
So my main question is: in what scenario it's possible for the email associated with a Sign In With Apple account for an app to change without creating a new account?
I'm trying to set up Apple OAuth on my website. Whenever I go to Certificates, Identifiers & Profiles, It gives me the error 'Unable to find team with the given Team ID'
Good afternoon, I am developing an app integrating "sign in with apple". But I can't find how to get the user's profile photo. Apart from the first name, last name and Email, can I obtain the image or its URL?
For Sign in With Apple I recieve an expected flow including an ask to share or hide my email along with a message like this
'Create an account for Apple {some_company} using your Apple ID “{email}”.'
However when i sign into an existing account i get the same flow, where on other apps i see a message like this ~ "Do you want to continue using {some_company} with your Apple ID “{email}”?
How can i configure this for my own app?
Note: it always logs me into the correct existing account, i'm just trying to make sure users go through the correct flow in the apple popup when their account already exists.
Apple SSO response "invalid_client"
Process
Access apple auth token url
Showed apple login view
Login as genuine apple user(email, password)
Authenticate apple user
Confirm "continue for AppleID '*****@example.com' to 'App'?"
Redirect responsed "400 Bad Request {"error":"invalid_client"}"
What is causing the error?
verification
Using apple_client_token is jwt. We checked on https://jwt.io/ "Signature Verified".
The apple_client_token used in the request was correct.
Original text(japanese)
Apple SSO response "invalid_client"
Since my question exceeds 700 words, please check it in the attachment. Thank you!
Question
My App needs to send and receive messages to the server, but my server does not have SSL, so I can only disable ATS in the development stage. But if I want to put the app on the shelf, then I still disable ATS when I put it on the shelf, and the server still does not have SSL. Will it be packaged? Is pp warned and terminated by Xcode? Will it be rejected by the Apple audit department? Can it be put on the App Store normally and provided to all users?
Note: My server is completely safe without any security risks. I didn't apply for SSL just because I didn't have enough funds.
I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal.
Is there a way to add something like that?
I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple
Our company was re-formed under a new name. Rather than rename the organization on the App Store, we were advised by support to create a new organization and then transfer the app to that organization, which we have done.
Our app implements Apple Authentication. We did not not migrate the users of the app (as instructed here: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team)
Is it possible to now migrate the users, after the app has been transferred? Our attempt to get an authorization token with scope "user.migration" results in HTTP error 400 with body: "invalid_client".
Hi @everyone, I have set up the proper app id, serviced ID along with return URL, domains and subdomains(Example domains and subdomains: asdfjkl.firebaseapp.com and return URL: https://asdfjkl.firebaseapp.com/__/auth/handler) in developer.apple.com.
And I have created the key as well and added key ID and private key, services ID in firebase apple sign in console as well. But I'm getting Error as "Invalid web redirect url".
I haven't provided the App ID, services ID, firebase project ID, Key secret here as they're confidential. Please let me know if any further details are needed.
import AppleProvider from 'next-auth/providers/apple';
export const appleProvider = AppleProvider({
name: 'Apple',
clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
clientSecret: process.env.NEXT_PUBLIC_APPLE_CLIENT_SECRET as string,
idToken: true,
authorization: {
url: 'https://appleid.apple.com/auth/authorize',
params: {
clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
scope: 'openid email name',
response_type: 'code',
response_mode: 'form_post',
},
},
token: {
url: 'https://appleid.apple.com/auth/token',
async request(context) {
console.log('----context', { context });
const url =
https://appleid.apple.com/auth/token +
?code=${context.params.code} +
&client_id=${context.provider.clientId} +
&client_secret=${context.provider.clientSecret} +
&redirect_uri=${context.provider.callbackUrl} +
&grant_type=authorization_code;
const response = await fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
});
console.log('----response', { response });
const tokens = await response.json();
console.log('----tokens', { tokens });
return { tokens };
},
},
});
Hello, I bought an iPhone 13 second hand. The previous owner does not remember the apple id information. The phone hangs on the welcome screen. please help.
imei 35 561122 88892 1
Hello, I need to verify my domain and email with spf
I need to use Signin with apple with private relay service
Here is my records of DNS Service(AWS Route53)
My domain is metapocket.io
DKIM
record : sig1._domainkey.metapocket.io
value : sig1.dkim.metapocket.io.at.icloudmailadmin.com.
SPF
"v=spf1 include:zoho.com ~all"
"v=spf1 include:icloud.com ~all"
"v=spf1 include:metapocket.io ~all"
"v=spf1 include:amazonses.com ~all"
TXT
"zoho-verification=zb03635298.zmverify.zoho.com"
"apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS"
"apple-domain=4oc6zwBOLpmdRGr9"
Something wrong here??
Why i got failed spf verification.. Please help me
We are using aws amplify for our social logins with signInWithRedirect.
When a user selects apple login on iphone and cancels the appleId popup, the user can't click any social login buttons anymore, including the apple one.
Refreshing the page resolves this.
Hello,
We are currently facing an issue with Apple Sign In that only occurs very rarely, and that for some reason mainly affects the Apple Review team, as everyone in the company can register with their personal Apple Account, and we can see multiple users in production using Apple Login.
The problem is that when our BackEnd tries to validate the information on https://appleid.apple.com/auth/token we receive a "{"error":"invalid_request"}". We have no idea what is causing this intermittent issue and we currently have no way to reproduce it.
We have been loging both succesull request and failing request and all look very simmilar and we have no ideia what may be causing the 400
here is an example of a curl that generated the problem
curl --location 'https://appleid.apple.com/auth/token'
--header 'Accept: application/json'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'client_id=----SECRET----''
--data-urlencode 'client_secret=----SECRET----'
--data-urlencode 'grant_type=authorization_code'
--data-urlencode 'code=----SECRET----''
--data-urlencode 'redirect_uri=----SECRET----''
Any ideia what may be causing this?
We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store.
Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account.
Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer).
Who should we handle this case? Please help.
Hello there,
I have been facing an issue with apple sign in on react native app.
I have been able to get the authorization and all codes in frontend part.
The issue is on backend that is in php.
We are firstly validating our identity token phone generated, and then we are creating a client secret and then trying to fetch the user info the issue relies in the api call of getAppleUser($authorizationCode, $clientId, $clientSecret);: function below where we are recieving error like:
{"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."}
public function appleAuth($identityToken,$authorizationCode)
{
if (!$identityToken || !$authorizationCode) {
return $this->returnError(400,'Missing identity token or authorization code');
}
try {
// Validate identity token
$decodedToken = $this->validateAppleToken($identityToken);
// Generate client secret
$teamId = isset(Yii::$app->params['apple-auth']['teamId'])?Yii::$app->params['apple-auth']['teamId']:'';
$clientId = isset(Yii::$app->params['apple-auth']['clientId'])?Yii::$app->params['apple-auth']['clientId']:'';
$keyId = isset(Yii::$app->params['apple-auth']['keyId'])?Yii::$app->params['apple-auth']['keyId']:'';
$privateKey = isset(Yii::$app->params['apple-auth']['privateKey'])?Yii::$app->params['apple-auth']['privateKey']:'';
$clientSecret = $this->generateClientSecret($teamId, $clientId, $keyId, $privateKey);
// Get user info from Apple
$appleUser = $this->getAppleUser($authorizationCode, $clientId, $clientSecret);
// Verify the authorization code is valid
if (!isset($appleUser['id_token'])) {
throw new \Exception('Invalid authorization code');
}
// Extract user info from the identity token
$userId = $decodedToken->sub;
$email = $decodedToken->email ?? '';
// login or signup code need to know about object definition to add login and signup logic
return $this->returnSuccess('Request successful',200,[
'userId' => $userId, 'email' => $email
]);
} catch (\Exception $e) {
// Handle errors
Yii::error('Error on apple login '.$e->getMessage());
return $this->returnError(500,'Server Error');
}
}
**This function is where i am creating a clientSecret as per apples guidelines:
**
function createClientSecret($teamId, $clientId, $keyId, $privateKey) {
// $key = file_get_contents($privateKeyPath);
$key=$privateKey;
$headers = [
'kid' => $keyId,
'alg' => 'ES256'
];
$claims = [
'iss' => $teamId,
'iat' => time(),
'exp' => time() + 86400 * 180,
'aud' => 'https://appleid.apple.com',
'sub' => $clientId
];
return JWT::encode($claims, $key, 'ES256', $headers['kid']);
}
**This is the validate Apple Token that is not giving me error:
**
function validateAppleToken($identityToken) {
$client = new Client();
$response = $client->get('https://appleid.apple.com/auth/keys');
$keys = json_decode($response->getBody(), true)['keys'];
$header = JWT::urlsafeB64Decode(explode('.', $identityToken)[0]);
$headerData = json_decode($header, true);
$kid = $headerData['kid'];
$publicKey = null;
foreach ($keys as $key) {
if ($key['kid'] === $kid) {
$publicKey = JWK::parseKey($key);
break;
}
}
if (!$publicKey) {
throw new \Exception('Public key not found');
}
try {
$decoded = JWT::decode($identityToken, $publicKey, ['RS256']);
return $decoded;
} catch (\Exception $e) {
throw new \Exception('Token validation failed: ' . $e->getMessage());
}
}
The response i got was :
{
aud: "com.abc"
auth_time: 1718017883
c_hash: "HSNFJSBdut5vk84QyK0xHA"
exp: 1718104283
iat: 1718017883
iss: "https://appleid.apple.com"
nonce:"2878cd1ac1fa121f75250f453edaac47365f5144f2e605e8b526a29cb62c83da"
nonce_supported: true
sub: "001703.2a52ec72cb874a93986522fa35742bd4.1219"
}
After that we are mainly getting error as
{"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."}
in this function:
function getAppleUser($authorizationCode, $clientId, $clientSecret) {
try {
$client = new Client();
$response = $client->post('https://appleid.apple.com/auth/token', [
'form_params' => [
'client_id' => $clientId,
'client_secret' => $clientSecret,
'code' => $authorizationCode,
'grant_type' => 'authorization_code'
]
]);
if ($response->getStatusCode() !== 200) {
throw new \Exception('Failed to get user information from Apple. Status code: ' . $response->getStatusCode());
}
$data = json_decode($response->getBody(), true);
// Check if the response contains the expected data
if (!isset($data['access_token']) || !isset($data['id_token'])) {
throw new \Exception('Invalid response from Apple. Missing access token or ID token.');
}
// Return the decoded data
return $data;
} catch (\Exception $e) {
// Log any other unexpected errors
Yii::error('Unexpected error: ' . $e->getMessage());
// Re-throw the exception to propagate it further
throw $e;
}
}
Assumptions: bundleId = com.marchup
serviceId i created as client_id= com.marchup.prod.AppSSO
team ID= as usual
keyId= is the id i created in apple developer consonsole.
And the private key is the key inside the private key file.
Can anyone please answer.
What is mismatched here
Hello, I have some questions.
I need to use Signin in with apple with private email relay service
When last week. Suddenly Apple Login didn't work on Web
and I check my Service IDS on apple developer page, i got this message
Depending on your product, you may need to configure multiple components for Sign in with Apple – From registering domains for Web Authentication to providing email sources to communicate with your users through the Private Email Relay service.
I register my domain and email on Configure Sign in with Apple for Email Communication
I use AWS Route53 and AWS SES(Simple Email Service)
This is my DNS record of DKIM, SPF, MX
● DKIM
record : sig1._domainkey.metapocket.io
value : sig1.dkim.example.com.at.icloudmailadmin.com.
● SPF
value : "v=spf1 include:icloud.com ~all"
● MX
value >
10 mx02.mail.icloud.com
10 mx01.mail.icloud.com
Some wrong on my configuration of DNS ?
I register on 5days ago, but status if failed now
And how long does take of verification? My web service is error now
I'm currently working on a Swift app whose data storage and authentication part is managed by Firebase.
I would like to offer my users the possibility of using their Apple account for account creation.
To do this I added Apple as a “Connection Provider” in the Firebase console settings.
This part works without problem, when the user clicks on the “Sign in with Apple” button a popup appears asking if they agree to share this information (first and last name / email address) for account creation.
After entering the password, the user is authenticated and their account is created on Firebase.

If I go to the iPhone settings in the Connection and Security section > Sign in with Apple, I can see my app in the list.

Now my problem is at the time of deleting the user's account. When the account is deleted it no longer exists in Firebase as we expected.

An email is also sent by Apple to warn that the application has revoked the account that had been created with “Sign in with Apple”.
And the application no longer appears in the list of applications in the Connection and Security > Connection with Apple from iPhone section.
However, when I click on the “Sign in with Apple” button again, I don’t see the window that asks me if I want to share my connection information.
The app behaves as if I was simply logged out but when I enter my iCloud password I am logged in except in reality it is a new account.
When I look in Firebase I have a new id for my user.

In addition, the user is not really connected to the application since certain views behave as if the user session was empty. The only way is to erase the emulator and make a new build.
I need help finding what's not working in my current code because I've been going around in circles for several days and I really don't understand what's going on.
Here my entire AuthentificationViewModel:
AuthentificationViewModel.txt