Hello, I have a question regarding the lifecycle of user consent and tokens in "Sign in with Apple." Specifically, I would like to understand the behavior of the auth/revoke API in relation to App Store Connect status changes. Impact of App Status Changes If an app is "Removed from Sale" or "Deleted" from App Store Connect, does Apple automatically revoke all associated user tokens and consent? Or is it still the developer's responsibility to programmatically revoke each user's token via the REST API to ensure the app is removed from the user’s "Apps Using Apple ID" list? API Availability after Removal Once an app is no longer available on the App Store (or its record is deleted in App Store Connect), is the auth/revoke REST API still accessible? I want to ensure that a developer can still perform necessary privacy clean-up tasks (revoking consent) even if the app is not currently distributed. Specific User Impacts of Non-Revocation If we do not call the revocation API, besides the app remaining in the "Sign in with Apple" list, what are the specific consequences for the user? Thank you for your guidance.

Hi I am experiencing a persistent 'invalid_client' error when attempting to exchange the authorization code for an access token using Sign in with Apple for my website (https://www.vitamarinaweb.com). Current Setup & Steps Taken: Identifier: I am using the Service ID com.vitamarinaweb.web1, which is correctly linked to the Primary App ID com.vitamarinaweb.web. Client Secret: I have generated a fresh Client Secret (JWT) using a valid Key (.p8) and confirmed the Team ID (29J763Q88J) and Key ID (RRW6536D27) are correct. Redirect URIs: My Return URL is set to https://www.vitamarinaweb.com/login.php and I have verified there are no trailing spaces or mismatches. Manual Test (CURL): When I perform a manual POST request via CURL using the generated Client Secret, I receive an 'invalid_grant' response (meaning the Client Secret and Client ID are accepted, and only the temporary code is rejected as expected). The Issue: Despite the CURL success, every request initiated through the web browser/PHP application returns {"error":"invalid_client"}. Verification Requested: Could you please verify if there is a synchronization delay or a specific block on Service ID com.vitamarinaweb.web1? Is there any internal mismatch between the Key ID RRW6536D27 and its association with the newly created Service ID? I have already cleared browser caches and tried multiple devices (different IP addresses) with the same result. Thank you for your assistance."

Hello, is there a way to get MCC/MNC carrier codes on iOS? I'm also wondering if there's a private API. I want to obtain network information while I am abroad to determine the country of residence.

I have a user (myself, during development) who originally signed in with Apple successfully. I attempted to revoke access via Settings > Apple ID > Sign-In & Security > Sign in with Apple, but the app appears stuck in the list and cannot be fully removed. Now when attempting to sign in again, the identity token contains the correct sub but email is undefined. According to Apple's documentation, "Apple provides the user's email address in the identity token on all subsequent API responses." I've tried programmatically revoking via the /auth/revoke endpoint (received 200 OK), and I've implemented the server-to-server notification endpoint to handle consent-revoked events, but subsequent sign-in attempts still return no email. The same Apple ID works fine with other apps. Is there a way to fully reset the credential state for a specific app, or is this a known issue with partially-revoked authorizations?

I have a user (myself, during development) who originally signed in with Apple successfully. I attempted to revoke access via Settings > Apple ID > Sign-In & Security > Sign in with Apple, but the app appears stuck in the list and cannot be fully removed. Now when attempting to sign in again, the identity token contains the correct sub but email is undefined. According to Apple's documentation, "Apple provides the user's email address in the identity token on all subsequent API responses." I've tried programmatically revoking via the /auth/revoke endpoint (received 200 OK), and I've implemented the server-to-server notification endpoint to handle consent-revoked events, but subsequent sign-in attempts still return no email. The same Apple ID works fine with other apps. Is there a way to fully reset the credential state for a specific app, or is this a known issue with partially-revoked authorizations?

Hello, I am currently process of migrating an app from Team A to Team B and attempting to generate transfer identifiers using the migration endpoint: POST https://appleid.apple.com/auth/usermigrationinfo. Content-Type: application/x-www-form-urlencoded However, I am consistently receiving an { "error": "access_denied" } response. [Current Configuration] Team A (Source): Primary App ID: com.example.primary Grouped App IDs: com.example.service (Services ID for Web) com.example.app (App ID for iOS - The one being transferred) All identifiers are under the same App Group. Team B (Destination): New App ID and Key created. [Steps Taken] Created a Client Secret (JWT) using Team A's Key ID and Team ID. The sub (subject) in the JWT is set to the Primary App ID of Team A. Requesting with client_id (Primary App ID), client_secret (JWT), and user_token. [Questions] 1. App Group Impact: Does the fact that the App being transferred is a Grouped App ID (not the Primary) affect the usermigrationinfo request? Should I use the Primary App ID or the specific Grouped App ID as the client_id? 2. Ungrouping Safety: If I need to ungroup the App ID from the Primary App ID to resolve this: Will existing users still be able to sign in without issues? Is there any risk of changing the sub (user identifier) that the app receives from Apple? Will this cause any immediate service interruption for the live app? Any insights on why access_denied occurs in this Primary-Grouped configuration would be greatly appreciated.

I'm testing app transferring, before, I have migrate user from teamA to teamB, including subA->transferSub->subB process, now I'm transfer the app from teamB to teamC, after the transfer requested, I can't get transfer_id by /usermigrationinfo api, which response 400 invalid request. the question is I can still get transfer sub by the auth/token api(grant_type: authorization_code) with teamB parameters(teamIdB/clientIdB/appSecretB/redirectUrlB/subB)，but the value is same as first time transfer_id which get during teamA to teamB. when use parameters above with target(teamIdC) to request /usermigrationinfo, invalid request was responsed. im sure that all parameters is correct, dose it cause by teamB still in 60-days first transferring(sure already accepted)?

Since last year, our company has been signing in new users to Apple Store Connect using our private email domain. However, since last week, when we try to sign in with this same domain, we receive the following error: "Your primary email address cannot end in @mydomain.com.br. Choose a different email address."

Hello, We are building a new app that would be kinda extension of the other and we want to let our community share the same account in between. We use Apple Sign in and we want Appel sign in system to give the same identity when people use apple relay. One of our app is alreadey released, can we still do it to share the same Apple login?

We need to transfer an App to other developer account, both the account are belong to our company. As we know, our app is using the Sign in with Apple function that we need to do some transfer job and we refer to this document: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer. There is a lot of users using the Sign in with Apple in our app, totally serval millions. To avoid risks as much as possible that we have to make the work flow very clearly, so we're seeking help here. I have serval questions, some I've got the answers from Google gemini and this Forums, I will list them below, please take a look what I understanding is correct or not, thanks. A. From the document above, can I performed the Steps 1&2 before the app transfer? if so, is there a maximum lead time for these transfer_subs? B. Regarding Step 5(Team B exchanging transfer identifiers via https://appleid.apple.com/auth/usermigrationinfo) are there specific rate limits (requests per second/minute) for this endpoint? Cause we have a huge number of user whose using the Sign in with Apple, we have to transfer the sub values as soon as possible. C. Cause we have a huge number of user whose using the Sign in with Apple again, This transfer job involves huge risks. So, is there any way to simulate these whole operations? Answer by my self: NO.

PLATFORM AND VERSION iOS Development environment: Xcode 26.2, macOS x Run-time configuration: iOS The issue does not seem to be limited to a specific version. DESCRIPTION OF PROBLEM We are reaching out to request in-depth technical assistance regarding an intermittent issue with Sign in with Apple implementation in our application. [Technical Status] We have confirmed that our technical implementation is correct. All necessary code and Xcode Capabilities are properly configured, and the service is working perfectly for the vast majority of our users. However, a small subset of users is consistently encountering "Unknown" Error (Error Code 1000), which prevents them from logging in entirely. [Identified Scenario] Currently, the only reproducible case we have found involves Child Accounts (protected accounts) under Family Sharing, specifically when the user's age is set below the regional requirement for a standalone Apple ID. However, we are receiving reports from other users who do not seem to fall into this category. [Requests for Clarification] To resolve this issue and support our users, we would like to obtain clear answers to the following questions: Root Cause: Why does Error 1000 occur specifically for a small number of users while the service works for most others? Other Scenarios: Are there any known cases or conditions other than the "Child Account" age restriction that trigger this specific error? Account-side Issues: If our code and configurations are verified to be correct, should we conclude that this is an issue specific to the individual's Apple ID/Account status? If so, could you provide a troubleshooting guide or official recommendation that we can share with these users to help them resolve their account-related issues? We are committed to providing a seamless authentication experience and would appreciate your expert insight into these edge cases. Thank you for your support. - (void) quickLogin:(uint)requestId withNonce:(NSString *)nonce andState:(NSString *)state { #if AUTHENTICATION_SERVICES_AVAILABLE if (@available(iOS 13.0, tvOS 13.0, macOS 10.15, *)) { ASAuthorizationAppleIDRequest *appleIDRequest = [[self appleIdProvider] createRequest]; [appleIDRequest setNonce:nonce]; [appleIDRequest setState:state]; ASAuthorizationPasswordRequest *keychainRequest = [[self passwordProvider] createRequest]; ASAuthorizationController *authorizationController = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[appleIDRequest, keychainRequest]]; [self performAuthorizationRequestsForController:authorizationController withRequestId:requestId]; } else { [self sendsLoginResponseInternalErrorWithCode:-100 andMessage:@"Native AppleAuth is only available from iOS 13.0" forRequestWithId:requestId]; } #else [self sendsLoginResponseInternalErrorWithCode:-100 andMessage:@"Native AppleAuth is only available from iOS 13.0" forRequestWithId:requestId]; #endif } - (void) loginWithAppleId:(uint)requestId withOptions:(AppleAuthManagerLoginOptions)options nonce:(NSString *)nonce andState:(NSString *)state { #if AUTHENTICATION_SERVICES_AVAILABLE if (@available(iOS 13.0, tvOS 13.0, macOS 10.15, *)) { ASAuthorizationAppleIDRequest *request = [[self appleIdProvider] createRequest]; NSMutableArray *scopes = [NSMutableArray array]; if (options & AppleAuthManagerIncludeName) [scopes addObject:ASAuthorizationScopeFullName]; if (options & AppleAuthManagerIncludeEmail) [scopes addObject:ASAuthorizationScopeEmail]; [request setRequestedScopes:[scopes copy]]; [request setNonce:nonce]; [request setState:state]; ASAuthorizationController *authorizationController = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]]; [self performAuthorizationRequestsForController:authorizationController withRequestId:requestId]; } else { [self sendsLoginResponseInternalErrorWithCode:-100 andMessage:@"Native AppleAuth is only available from iOS 13.0" forRequestWithId:requestId]; } #else [self sendsLoginResponseInternalErrorWithCode:-100 andMessage:@"Native AppleAuth is only available from iOS 13.0" forRequestWithId:requestId]; #endif } - (void) getCredentialStateForUser:(NSString *)userId withRequestId:(uint)requestId { #if AUTHENTICATION_SERVICES_AVAILABLE if (@available(iOS 13.0, tvOS 13.0, macOS 10.15, *)) { [[self appleIdProvider] getCredentialStateForUserID:userId completion:^(ASAuthorizationAppleIDProviderCredentialState credentialState, NSError * _Nullable error) { NSNumber *credentialStateNumber = nil; NSDictionary *errorDictionary = nil; if (error) errorDictionary = [AppleAuthSerializer dictionaryForNSError:error]; else credentialStateNumber = @(credentialState); NSDictionary *responseDictionary = [AppleAuthSerializer credentialResponseDictionaryForCredentialState:credentialStateNumber errorDictionary:errorDictionary]; [self sendNativeMessageForDictionary:responseDictionary forRequestId:requestId]; }]; } else { [self sendsCredentialStatusInternalErrorWithCode:-100 andMessage:@"Native AppleAuth is only available from iOS 13.0" forRequestWithId:requestId]; } #else [self sendsCredentialStatusInternalErrorWithCode:-100 andMessage:@"Native AppleAuth is only available from iOS 13.0" forRequestWithId:requestId]; #endif }

Hi all, Submitted first ever app for review to app store and got rejected. My app isn't live and I have demo accounts too which they seemed to use. For context my app is free on launch, no in app transactions, and it is a marriage app. What I did not account for is them going through apple sign in and right now I have no way to catch that so that account doesn't mix with real users. I've thought about adding a tap feature and disclosing it, so they tap something x times and it is marked as reviewer account, but that violates guideline 2.3.1. Also thought about adding just visible text for reviewers, but then real users would see that too so its a no go. Asked Claude and it says to try Sandbox Receipt Detection, which should work for a free app, but I'm not sure and would rather ask then implement, submit and find out it doesn't work. Appreciate any help y'all can give me! Thanks!

We are integrating Sign in with Apple for our web application and have been stuck on an invalid_client error during the token exchange step. The Problem The authorization step works fine — the user authenticates on Apple's page and a valid authorization code is returned to our callback URL. However, when we exchange that code at https://appleid.apple.com/auth/token, it returns: {"error": "invalid_client"} The Puzzling Part When we send a dummy/expired authorization code with the exact same client_id and client_secret, Apple returns: {"error": "invalid_grant", "error_description": "The code has expired or has been revoked."} This confirms that our client credentials (client_id + client_secret JWT) are valid and accepted by Apple. The invalid_client error only occurs when a real, freshly-issued authorization code is used. Configuration Service ID configured with Sign in with Apple enabled Primary App ID with Sign in with Apple capability enabled Domain verified, Return URL registered Key created with Sign in with Apple enabled, linked to the correct Primary App ID Client Secret JWT Generated per Apple's documentation: Header: alg: ES256, kid set to our Key ID Claims: iss: Team ID iat: current timestamp exp: iat + 6 months (within Apple's limit) aud: https://appleid.apple.com sub: Service ID (matches the client_id used in authorization) Signed with: the .p8 private key associated with the Key Token Exchange Request POST https://appleid.apple.com/auth/tokenContent-Type: application/x-www-form-urlencodedclient_id=client_secret=code=grant_type=authorization_coderedirect_uri= What We've Tried Standalone test endpoint — built a minimal endpoint (no framework) that does the token exchange via server-side curl. Same invalid_client. Multiple Service IDs — created and tried 3 different Service IDs. All produce the same error with real codes. Multiple Keys — tried 2 different keys. Same error. Verified redirect_uri matches exactly between the authorization request and token request. Verified client_id matches exactly between the authorization URL and token request. Used client_secret_post (credentials in body, not Basic auth header). Freshness — code is used immediately upon receipt (within seconds), well before the 5-minute expiry. Filed a Developer Support case — was directed to Forums. Summary Scenario code Result Dummy/expired code abc123 invalid_grant (credentials accepted) Real fresh code from Apple callback invalid_client This pattern suggests something goes wrong specifically when Apple validates the authorization code against the client — even though the client credentials themselves are accepted in isolation. Has anyone encountered this behavior? Is there a known configuration issue that could cause invalid_client only with valid authorization codes? Any guidance would be greatly appreciated.

For my api I have a domain scheme of env.service.example.com. I am trying to setup sign in with apple, however, when trying to set my return urls, the env subdomain is stripped, making the return url incorrect. For example, when I try to set https://env.service.example.com/ it is changed to https://service.example.com/ when submitted. Is there any way around this issue?

Hi, we are experiencing a specific issue with the Private Email Relay service. Our domain e.glassesdirect.co.uk consistently fails SPF verification while our other domains pass. The Pattern: We've noticed that domains with SPF records fitting in 1-2 TXT strings pass, but this specific domain (~750 chars, 3 TXT strings) fails. Technical Details: Team ID: SM2J7LWD33 Domain: e.glassesdirect.co.uk SPF Record length: ~750 characters Third-party tools (MxToolbox) confirm the record is valid. We suspect Apple's verification parser might be failing to handle concatenated TXT strings or hitting a size limit. Could any Apple engineers confirm if there is a character limit or a bug in handling multi-part TXT records?

Hi, it's very urgency! https://developer.apple.com/forums/thread/818346 After long time preparation, We finally execute this transfer operation today. Works fine at preliminary stage, lots of users had been transferred successfully. However, about 25% users transferred failed at the end, 'invalid_request' response from https://appleid.apple.com/auth/usermigrationinfo. No matter how many times we retry, it does work. Please help! 700,000 users are waiting us!

Sign-in with Apple suddently broke in my App. The button trigger the system Apple sign in modal, I can sign in without errors but then nothing happens on my App. It seems it never goes in the onCompletion. SignInWithAppleButton( .signIn, onRequest: { }, onCompletion: { // Never get called } ) The button is inside a custom modal.

Hello, I'm experiencing a critical issue with my Flutter iOS app on TestFlight where the app shows a completely black screen immediately after launch. The app does NOT crash (no .ips logs in iOS Settings → Analytics & Improvements), but Flutter Engine appears not to start at all. The same code runs perfectly on Android. PROJECT INFO: App Name: CNC AI Assistant Bundle ID: com.beratech.cncassistant Team ID: 958PPWZD27 Provisioning Profile UUID: 8122ca65-b15f-4daa-b0d2-1da5409c6859 Build CI: Codemagic Flutter Version: 3.41.5 iOS Deployment Target: 14.0 Test Device: iPad15,3 running iOS 26.x ISSUE BEHAVIOR: Build succeeds on Codemagic without errors IPA is signed with valid distribution certificate TestFlight processes and accepts the build Tester downloads/updates from TestFlight successfully App opens → completely BLACK SCREEN immediately LaunchScreen.storyboard does not appear App does not auto-close (must be manually killed) NO crash logs generated in iOS Settings Same exact codebase works on Android (Google Play Internal Testing) DEBUGGING ALREADY ATTEMPTED: Replaced main.dart with MINIMAL code (only Firebase init + single Scaffold with white background and Text widget) - still black screen Removed flutter_secure_storage package (had a known iOS 26 keychain init crash) - still black screen Updated IPHONEOS_DEPLOYMENT_TARGET from 13.0 to 14.0 in pbxproj to match Podfile platform - still black screen Tried both empty entitlements and entitlements matching the provisioning profile (com.apple.developer.applesignin + keychain-access-groups) - still black screen Verified GoogleService-Info.plist is registered in pbxproj Verified LaunchScreen.storyboard exists and is valid Verified Info.plist has UILaunchStoryboardName = LaunchScreen and ITSAppUsesNonExemptEncryption = false AppDelegate.swift contains only GeneratedPluginRegistrant.register PROVISIONING PROFILE ENTITLEMENTS: application-identifier: 958PPWZD27.com.beratech.cncassistant com.apple.developer.applesignin: Default keychain-access-groups: 958PPWZD27.*, com.apple.token com.apple.developer.team-identifier: 958PPWZD27 get-task-allow: false (production) INSTALLED PLUGINS (from GeneratedPluginRegistrant.m): firebase_auth, firebase_core, firebase_storage, cloud_firestore purchases_flutter, purchases_ui_flutter (RevenueCat) sign_in_with_apple, google_sign_in_ios shared_preferences_foundation, path_provider_foundation webview_flutter_wkwebview, video_player_avfoundation url_launcher_ios, image_picker_ios, file_picker permission_handler_apple, package_info_plus, device_info_plus app_links, open_filex QUESTIONS: What could cause a Flutter iOS app to silently fail to launch on iOS 26 with no crash logs? Is there a known incompatibility between iOS 26 and certain entitlement configurations? Could there be a mismatch issue between the provisioning profile entitlements and the app's actual entitlements that causes silent termination on iOS 26 specifically? How can I obtain detailed launch/crash logs from the test device when no .ips file is generated? (sysdiagnose only shows system services like BackgroundShortcutRunner, not my app) Are there any iOS 26-specific changes related to TestFlight builds or Flutter Engine initialization that I should be aware of? I have full access to: Complete pbxproj Info.plist, Runner.entitlements, Release.entitlements Codemagic build logs Generated IPA file Provisioning profile (.mobileprovision) Screenshots of black screen on test device Any guidance on diagnostic next steps or known iOS 26 issues would be greatly appreciated. Thank you in advance.

Hi everyone, I'm experiencing a persistent issue with Sign in with Apple on my iOS app that I cannot resolve from my side. I've already opened a support case (ID: 20000115382721) and received a reply directing me back to the Developer Forum, so I'm posting here in hopes someone has encountered the same issue or can offer guidance. Error message: FirebaseAuthException: [firebase_auth/invalid-credential] Invalid OAuth response from apple.com Critical observation: The Apple authentication screen never appears. When the user taps "Continue with Apple", the error is returned immediately. This suggests the request is being rejected before reaching Apple's authentication servers — pointing to a backend configuration issue on Apple's side for my Team ID. My setup: Team ID: DHKU23JL7H Bundle ID: com.expensespy.app Framework: Flutter with sign_in_with_apple package v7.0.1 Backend: Firebase Authentication Other auth methods (Google Sign-In, Email/Password): working correctly Verified configuration (all done correctly): App ID (com.expensespy.app): Sign In with Apple capability is enabled Configured as a primary App ID Not grouped with any other App ID Service ID (com.expensespy.app.auth): Created and linked to the primary App ID Domain: expensespy-e11ab.firebaseapp.com Return URL: https://expensespy-e11ab.firebaseapp.com/__/auth/handler All other redundant Service IDs have been removed Sign In with Apple Key: Created with Key ID X8T9NLBT4Y Linked to the primary App ID .p8 file is available Firebase Apple provider: Tested with OAuth code flow fields populated (Services ID, Team ID, Key ID, Private Key) — same error Tested with OAuth code flow fields empty (recommended for iOS-only) — same error Client-side implementation: Proper nonce generation with SHA256 hashing OAuthProvider('apple.com').credential() with idToken and rawNonce Tested across 3 different builds (Build 12, 13, 14) Tested on multiple iOS devices (iOS 18+) What I've ruled out: Client-side code (tested 3 different implementations) Firebase configuration (tested both populated and empty) Multiple Service IDs (cleaned up to just one) App ID configuration (verified primary status) Context: During my Apple Developer Program enrollment, I experienced an error that was not fully resolved. I suspect this may have left my account in a state where Sign in with Apple is not fully activated on the Apple backend for my Team ID. Question: Has anyone encountered this where the Apple auth screen never appears at all? Is there a way to verify that Sign in with Apple is properly provisioned for a specific Team ID on Apple's backend? My App Store submission is blocked by this since Sign in with Apple is required when offering third-party authentication. Any guidance from Apple engineers or developers who solved a similar issue would be deeply appreciated. Thanks!

I've been struggling with "Sign in with Apple" for days. Firebase Authentication returns "configuration not found". I've tried everything. My configuration (all verified correct): App ID: com.pome.ai Services ID: come.pome.ai Key ID: 8UXM48JT9D (newly created) Apple Team ID: KDAMDMPNAW Domain: pome-ai.firebaseapp.com Return URL: https://pome-ai.firebaseapp.com/__/auth/handler What works: Android version (Google Sign-In) works perfectly Anonymous sign-in works What I tried: Created new Service ID and Key multiple times Verified Return URL has double underscore (__) Added authorized domains in Firebase Cleared iPhone cache, reinstalled app, restarted device Tested on different networks The error occurs only on iOS when tapping "Sign in with Apple". Firebase returns "configuration not found". Any help would be greatly appreciated.