The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

Is there any documentation about the server to server notification, specifically what sort of data Apple servers send to our server when there is an update to users who used Sign in with Apple?

When I use the Generate and Validate Tokens endpoint - https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens with an Authorization Grant Code, the endpoint returns a refresh_token and id_token among other things. When the id_token expires, I can use the refresh_token to create a new one. However, when I use the refresh token on this endpoint, it doesn't return a new refresh_token. Why is that?

We have changed return URLs for one Service ID, but the change is not propagated. The old return URL still works and we get "Invalid web redirect URL". We even tried deleting Service ID with old return URLs and created new Service ID with new redirect URLs. But the only one that works is the one that we deleted.

My existing chrome extension has "Sign in with Apple" given that we have iOS users. When user clicks "Continue with Apple" button in the extension log in pop up, this is what we do: javascript window.open( 'https://appleid.apple.com/auth/authorize?client_id=' + clientID + '&redirect_uri=' + backEndURL + '&response_type=id_token%20code&response_mode=form_post&scope=email%20name', 'Sign in with Apple', 'height=500,width=400,left=600,top=200,status=no,location=no,toolbar=no,menubar=no' ) In chrome, this opens a popup window with that URL. In Safari Converted Web Extension, it opens custom Apple sign in flow, where it says: "Do you want to sign in to *** with your Apple ID YYY?" and then with my mac password I'm able to authenticate. Afterwards, nothing happens. Expected: a redirect to the URL specified in the window.open. Now let's do a trick: I'll wrap the above window.open code into javascript setTimeout (() = {window.open (...)}, 3000) Because of security reasons, safari then won't open the popup after 3s and will display a notification in the toolbar "Popup blocked..". If we allow the popup, then it finally opens as a normal window popup and after sign in, it redirects to our backend and it successfully authenticates. Any ides what how to solve this? P.S. We're not able to use embedded Sign in with Apple JS - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple script because we can't host a remote code in the extension (it will be deprecated soon). So, we arere using this. - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

After successfully logging in using apple sign-in. I get back the default response: the authorization code. I send the entire payload to my backend to which I then, use the docs - https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens to verify the auth_code. I get back this response. { "error": "invalid_grant", "error_description": "client_id mismatch. The code was not issued to com.example.bundle." } I've checked the bundleId several times. I've created new Identifiers and keys, used those new values instead and I get the same issue. According to the errorResponse - https://developer.apple.com/documentation/sign_in_with_apple/errorresponse documentation: invalid_grant The authorization grant or refresh token is invalid, typically due to a mismatched or invalid client identifier, invalid code (expired or previously used authorization code), or invalid refresh token. Any recommended test solutions to diagnose this issue?

I am sending a user to the apple authentication site where they fill in their apple login information on a form: const signInWithApple = () => { const params = { client_id: Config.APPLE_AUTH_CLIENT_ID, redirect_uri: 'https://www.example-site.com/auth/apple/', scope: 'name email', response_type: 'code', response_mode: 'form_post', }; const loginUrl = `https://appleid.apple.com/auth/authorize?${queryString.stringify(params)}`; window.open(loginUrl, '_blank', `scrollbars=yes, width=520, height=570`); }; After it has authenticated the user, it redirects the user to the URL that is defined in the redirect_uri property. Then I verify the token and log in the user on my end. That works beautifully. The problem occurs when, instead of opening the window with the form fields, it opens a sheet at the bottom of the Safari mobile browser to allow the user to use face id. If you follow through with that, it looks like it recognizes your face and closes the sheet but it never redirects the user to my URL page where I log in the user after verifying their token. Has anybody encountered this? I would love some ideas on how to solve this please!

We recently are adding apple signup in our app and in our db we have 50 chars as max length of user identifiers. i was wondering how long they can be on apple and whether we should tweak the max length on our side.

Hi everyone! I am in the process of transferring an app from account (A) to account (B), and I am wondering how the various steps in the documentation link to the transfer process. In particular: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team -> I understood that this process can be done BEFORE the migration to create all the transfer_sub beforehand. https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team -> when can this be done? After initiating the transfer or only after the transfer is completed? Moreover, what about the private key used for Sign in With Apple from the old team? Will it still work before/after the transfer, or in which step it will stop work? For example, in Firebase we set-up the Apple Sign in using the (A) team_id and private_key. When should we change this in Firebase? After initiating the transfer, after the transfer is completed? Will the old key stop working after the transfer is completed? Thank you!

Hello, I have implemented a while ago Sign IN with REST API in PHP code. It worked. Now it doesn't. When I redirect to apple with a request: https://appleid.apple.com/auth/authorize?scope=name%20email&state=fffffffstateherefffffff&response_type=code&approval_prompt=auto&redirect_uri=https%3A%2F%2Fmydomain.pl%2Fconnect%2Fapple%2Fcheck&client_id=pl.myclientid&response_mode=form_post I can login via Apple ID and then I am redirected to my webpage. But instead of POST redirect with a code param, I am redirected with GET wihtout the code. The docs says that if I use response_mode=form_post Apple should redirect to me with POST method. But it doesn't. I cannot figure out why. Is this a bug?

Hi guys, I have been using a services id for my apps and websites to use Sign in with Apple feature over 3 months. All of a sudden the website urls and return urls I newly add to the services id don't work. I am getting "invalid_request Invalid web redirect url." errrors. I have checked the urls carefully, (https), I also added many new ones but none of them worked. In order to test it I also removed some of the current return urls from my websites to see if it will stop working but no, the ones I removed still work which kind of confirms my theory that it does not update the list, it is bugged. Quite weirdly, the new native apps I submitted to the store also does not work, it gives the error "Sign-up Not Completed" Does any one have any idea? Such a weird problem all of a sudden

Some background: A user must sign up for an account on our platform via a browser before they can sign in to our iOS app using an Apple ID otherwise we present the following error message as shown in the attached image. Authentication and session management is handled using AWS Cognito on our platform and we believe AWS Cognito is using the relevant API for Apple ID Sign Ins. For account deletion we are providing an account deletion option within the app to the user (who has to be signed in) under Account Settings. For a valid deletion request, we are deleting a user’s records from our database. For revoking, generating, and validating tokens we are using AWS cognito to handle token revocation, generation, and validation. Ask: Apple reviewers provided additional information (shown below) to help us resolve this issue. But i am not clear how this addresses their concern and would appreciate some guidance on how i could resolve it. Apple reviewer recommendation Apps that offer Sign in with Apple should use the REST API to revoke user tokens. If you have not retained the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request. To learn more, we recommend reviewing the following resources: Handling account deletions and revoking tokens for Sign in with Apple Revoke tokens Generate and validate tokens

I have the below code block to call the token endpoint. The endpoint succeeds from Postman with JSON response but from my web application, it fails with CORS error. What could be the reason for this behavior? const axios = require('axios'); const qs = require('qs'); let data = qs.stringify({ 'grant_type': 'authorization_code', 'code': 'xxxxxxyyyyybbb, 'redirect_uri': 'https:myApp/login', 'client_id': 'com.myclient_id', 'client_secret': 'myworkingsecret' }); let config = { method: 'post', maxBodyLength: Infinity, url: 'https://appleid.apple.com/auth/token', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, data : data }; axios.request(config) .then((response) => { console.log(JSON.stringify(response.data)); }) .catch((error) => { console.log(error); });

Hey i am trying to Link Zelle API with SWIFT Based Ecommerce Store , Getting error code 8889275440 , and 18889275440 , Am trying to track and put balance into users account as i receive the payment from user and post directly to his account when he tries to add funds , But getting the above two error codes

Hi, We have a iOS app where users can purchase videos from others. Purchasing happens through In-app purchasing and our client get the money. So when the owner of the videos need to cashout the money he gets from the video selling, we need to implement an option for that. Currently we have a manual process for that. Our major mode of receiving payments is CashApp but when automating it with custom API it is giving error code : 8447435879 , 18447435879 Can Anyone tell me what exactly is this error code about? Note : we are synchronising the API with REST API

Hello, I need to use a apple sign in in ios application, i get my authorization code from hybryde apllication : let options: SignInWithAppleOptions = { clientId: ConstConfig.APPLE_CLIENT_ID, redirectURI: ConstConfig.APPLE_REDIRECT_URI, scopes: ConstConfig.APPLE_SCOPES, state: ConstConfig.APPLE_STATE, nonce: ConstConfig.APPLE_NONCE }; SignInWithApple.authorize(options) .then((result: SignInWithAppleResponse) => { this.authenticate.appleAuthorizationCode = result.response.authorizationCode; this.authenticate.appleUser = result.response.user; this.authenticate.appleIdentityToken = result.response.identityToken; i send this 3 value to my backend JAVA to validate the accessToken and get the refrsh token, validate java Method : logger.info("Apple authorization validation"); // get the subject received from the client String clientSubject = getSubject(identityToken); // verifying the code by the apple server String token = getToken(); logger.debug("Authorize with token:" + token); Map<String, String> params = new HashMap<>(); params.put("client_id", APPLE_CLIENT_ID); params.put("client_secret", token); params.put("code", authorisationCode); params.put("grant_type", "authorization_code"); params.put("redirect_uri", ""); if (redirectURI != null) { } String response = post(APPLE_AUTH_URL, params); logger.info("Apple authorization response:" + response); AppleTokenResponse tokenResponse = objectMapper.readValue(response, AppleTokenResponse.class); if (tokenResponse.getError() != null && tokenResponse.getError().length() > 0) { logger.warn("Error during verification of the code. Reason:" + tokenResponse.getError()); return null; } String serverSubject = getSubject(tokenResponse.getId_token()); if (!serverSubject.equals(clientSubject)) { logger.warn("Validation failed, subject does not match!"); return null; } return getClaims(tokenResponse.getId_token()); the JWT TOken : return Jwts.builder() .setHeaderParam(JwsHeader.KEY_ID, APPLE_KEY_ID) .setHeaderParam(JwsHeader.ALGORITHM,"ES256") .setIssuer(APPLE_TEAM_ID) .setAudience(APPLE_APPLE_ID_URL) .setSubject(APPLE_CLIENT_ID) .setExpiration(new Date(System.currentTimeMillis() + (1000 * 60 * 5))) .setIssuedAt(new Date(System.currentTimeMillis())) .signWith(SignatureAlgorithm.ES256, pKey) .compact(); how i get my private key : File file = new File(APPLE_CERTIFICATE_PATH); try { PEMParser pemParser = new PEMParser(new FileReader(file)); JcaPEMKeyConverter converter = new JcaPEMKeyConverter(); PrivateKeyInfo object = (PrivateKeyInfo) pemParser.readObject(); APPLE_PRIVATE_KEY = converter.getPrivateKey(object); logger.info("load apple private keys Ok."); } catch (Exception ex) { logger.error("error on generate apple sign in private Key : ", ex); } thr response still return : {"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to bundleID"}, i don't know the reason. i read that i nedd to check in testFlit, ido but i still get the same error, i also put the same redirect_url in front and back (for me that not needed because i dont use u web sign in ) but i still get the same error. for my bundle id i use the APP Identifier not the service Identifier in front and back. its correct ? thank for your help.

Hello - migrated from darksky to WeatherKit in April of this year. With some difficulty finally got the REST API to work via the following resources: https://developer.apple.com/weatherkit/get-started/ which is horribly inadequate for JWT instructions. So i also used: https://dev.iachieved.it/iachievedit/weatherkit-rest-api/ which was quite helpful. As stated, in April i managed to get this working. About a week ago it stopped working. The response from my calls are 401 Unauthorized in the header and { "reason": "NOT_ENABLED" } in the body. I believe the key i created expired and thus WeatherKit stopped responding. So i tried to re-enable access using the same Apple key and a new JWT signature. That did not seem to work, so i removed the old key and created a new one. Downloaded the p8 file and used openssl on my ubuntu server to create pem and pub files for the jwt token. Still nothing. I have tried almost all combinations of keys and ID #s in the JWT.io console that i can think of. Importantly, nowhere in the official Apple documentation does it say what parameters the key creation and expiry dates can be. Does the key creation date have to match the date the key was created in Apple Developer Console??? What expiry dates are valid???? No idea. I have submitted a code level request, but they punted me to feedback which apparently does nothing. Still no resolution, nor have i been contacted once by an Apple representative. This is what my $200 developer fee gets me?! Unacceptable. If anyone has any idea on how to resolve this issue and/or create valid jwt tokens easier (via PHP preferably), i'm all ears. Thanks, airyt

I want to know if the user identity(sub) maintains the same when the user un-links the linked app from the Apple ID setting and re-links it. I would be grateful if you could give me an reply.

I'm in the process of setting up Apple Sign-In for our web portal. The web portal doesn't have a related Apple application. I've been reviewing the documentation provided at https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ and attempting to set it up. It appears that this might not be possible without an existing Apple application associated with the web portal. According to https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/: To configure web authentication, you must create a Services ID and associate your website to an existing primary iOS, macOS, tvOS, or watchOS App ID enabled for Sign in with Apple. Does this imply that it's not feasible without an existing Apple application?

I'm using apple login in my web app and passing the redirect URI to apple URL. It's working fine on all browsers except Safari. On Safari instead of opening the URL in a new tab it's showing the finger touch enabled login popup. Which is causing the issue and my redirect URI is not getting passed and I'm not able to receive the code and other details from apple. Can anyone please help me resolve this issue. Angular Code: const openNewWindow = window.open( 'https://appleid.apple.com/auth/authorize?response_type=code&response_mode=form_post&scope=name%20email&state=W4cL2JgRJq&client_id=CLIENT_ID&redirect_uri='+ this.AppleURL',"_blank" ); try { openNewWindow.opener = window; window.addEventListener('message', event => { this.signInWithApple(JSON.parse(event.data)); });window.addEventListener('message', event => { this.signInWithApple(JSON.parse(event.data)); }); } catch (error) { console.log("error",error); } Redirect URI js code:

I am working on a financial application that falls under Indian jurisdiction, which has specific regulations prohibiting the use of relay or proxy emails for sign-up processes. Given that the "Hide My Email" feature in "Sign in with Apple" provides a relay email, I'm trying to understand how I can remain compliant with these regulations while offering "Sign in with Apple" as a sign-up option. My proposed flow: Allow users to use "Sign in with Apple" for authentication. Check if the user has opted for the "Hide My Email" feature. If they have, show an error message explaining the regulatory restriction and prompt them to either: a) Use "Sign in with Apple" without the "Hide My Email" option OR b) Use our standard "Sign up with Email and Password" flow. I would like to understand if such an approach is acceptable according to Apple's guidelines. Would there be any issues or recommendations from Apple's side on implementing this flow? Thank you for your assistance and guidance!