Original discussion pre iOS 26 Our app uses Auth0 with HTTPS callback, we've found the issue where AASA file is not ready immediately when app is initially launched, which is the exact issue from the above link. The issue seems mostly fixed on later versions on iOS 18, however, we are seeing some indications of a regression on iOS 26. Here's some measurement over the last week. | Platform | iOS 18 | iOS 26 | |---------------|----------|--------| | Adoption rate | 55% | 45% | | Issue seen | 1 | 5 | | Recover? | Yes | No | This only 1 iOS 18 instance was able to recover after 1 second after the first try, however, all iOS 26 instances were not able to recover in couple tens of seconds and less than 1 minute, the user eventually gave up. Is there a way to force app to update AASA file? Are there some iOS setting (like using a VPN) that could potentially downgrade the AASA fetch? Related Auth0 discussion: https://community.auth0.com/t/ios-application-not- recognizing-auth0-associated-domain/134847/27

We have a login flow where the user authenticates in Safari, and at the end of the process the authentication server redirects back to our app using a Universal Link. On most devices, the app opens automatically without any confirmation banner. However, on several iPads, Safari always shows the “Open App A?” banner after the redirect. The user must tap Open every time. Other devices running the same iOS version do not show this issue. Expected Flow (working devices): Start authentication Safari login Authentication server redirects using a Universal Link App A opens automatically Problematic Flow (several iPads): Start authentication Safari login Authentication server redirects using a Universal Link Safari shows “Open App A?” confirmation banner User must tap Open App A starts Questions: Is this a known issue in iOS? Or is this expected behavior under certain conditions (i.e., is there a specific Safari/iOS specification that causes this banner to appear)? Is there any way to prevent Safari from showing the “Open App A?” banner and allow automatic redirection? ＊This issue did not occur on iOS 16, but it started appearing after updating to iOS 17. Devices : iPad 9th Gen/iPad 10th Gen

Subject: iOS Fails to Fetch AASA File for Internationalized Domain Names (IDN) in Unicode or Punycode Format Dear Apple Developer Relations Team And Community Members, We are reporting a critical bug in the iOS Associated Domains feature that prevents Universal Links from working for apps using Internationalized Domain Names (IDN). Problem Description: The iOS operating system does not attempt to download the apple-app-site-association (AASA) file for domains containing non-ASCII characters (e.g., diacritics, Cyrillic). This failure occurs regardless of whether the domain is specified in the app's entitlements in its human-readable Unicode format (e.g., montréal.ca) or its encoded Punycode format (e.g., xn--montral-fya.ca, xn--e1afka0abm4b.xn--p1ai). Without fetching and validating this file, Universal Links are not activated, and the system fails to establish a connection between the website and our app. Steps to Reproduce: Create an app with the Associated Domains entitlement enabled. Add an IDN to the entitlement. We tested both formats: Format A (Unicode): applinks://montréal.ca Format B (Punycode): applinks://xn--montral-fya.ca Host a valid AASA file on our server at the correct, accessible well-known URLs for both domain representations: For montréal.ca: https://montréal.ca/.well-known/apple-app-site-association and https://xn--montral-fya.ca/.well-known/apple-app-site-association Install the app on a device running the latest iOS version. Monitor network traffic using a tool like Charles Proxy. Observed Result: No HTTP GET request is made to any of the AASA URLs for the domains montréal.ca (in either Unicode or Punycode format) upon app installation. The system does not initiate the domain validation process. In contrast, for a standard ASCII domain (e.g., applinks://example.com), the AASA fetch is triggered immediately and is observed in the network log. Expected Result: iOS should correctly resolve the Internationalized Domain Name (whether specified in Unicode or Punycode format in the entitlement) and perform an HTTP GET request to fetch the AASA file from the /.well-known path, identical to its behavior for ASCII domains. Evidence & Configuration: Our server is configured correctly: SSL certificates are valid, the AASA file is served with the correct application/json MIME type, and is directly accessible via a browser or curl. The AASA file's syntax has been validated and is correct. The issue is reproducible on the latest versions of iOS. Impact: This bug blocks a core platform feature for millions of users in regions that use non-Latin scripts (e.g., France, Russia, China, Arab states). It makes it impossible to use Universal Links with our primary domains, severely degrading the user experience and forcing us to seek suboptimal workarounds like registering separate ASCII domains. Request: We kindly request that you investigate and log this issue as a bug in iOS and forward it to the appropriate engineering team for a fix in an upcoming update. We are prepared to provide any additional information, demo projects, or server access to assist in diagnostics. Thank you for your attention to this serious matter.

Subject: Unexpected system confirmation dialog when opening a Universal Link Description of the issue: We’re implementing a login flow using Native iOS apps, Universal Links, and OpenID Connect authentication. Our domain is correctly configured with the apple-app-site-association file, and Universal Links work as expected. However, under certain circumstances, the behavior differs on the same login page: The user connects to the OIDC provider in their mobile browser. Instead of automatically switching to the Native application, a popup asks the user to open the app. The behavior depends on how the login page is opened: When opened in a new browser tab, the Universal Link opens the app immediately without showing any system confirmation dialog. When the same tab is reused without a page refresh, iOS displays a system confirmation dialog asking the user to open the link in the app. This confirmation dialog doesn’t appear in the first scenario. This additional system dialog impacts the user experience, as we aim for a frictionless and seamless login flow with minimal confirmation steps. Question: Why does the app switch work automatically only the first time? Is this intentional iOS behavior? If so, what security requirement or system rule causes a confirmation dialog when reusing the same tab, but not when redirecting in a new tab or pressing a button on the reused tab? Is this expected design, or should we adjust our side to avoid this dialog? Environment details: Verified on two devices iOS versions: 18.7.2, 26.1 Thanks for your help.

Hello, I’m encountering an issue with Universal Links in my iOS app. After some investigation, I found that the root cause seems to be that Apple’s request through there CDN server to access the .well-known/apple-app-site-association file is blocked by our firewall, which enforces geographic access restrictions as part of our security policy. Because of this restriction, Apple’s validation or link verification requests are being denied, and the Universal Links are not working as expected. I’d like to get some guidance from the community or Apple engineers on the following: 1. Does Apple provide an official list of IP ranges or domains that need to be allowed through the firewall for Universal Link validation? 2. Are there alternative methods to handle Universal Link verification in environments with geographic restrictions? 3. Would whitelisting specific Apple services or endpoints be a recommended or safe solution? Any input or recommendations would be greatly appreciated. Environment Details: • iOS app using Universal Links • Server protected by a firewall with regional restrictions • AASA file hosted correctly and accessible via browser Thanks in advance for your help and insights.

Hello, I would like to clarify how link association and app-opening preferences work in iOS, specifically when a user opens a URL in a browser that can be handled by an installed application. I have noticed the following behavior: When a user taps a URL that can be opened by an app, iOS sometimes asks whether to open the link in the app or continue in the browser. After choosing an option once (for example, "Open in App" or "Stay in Browser"), it seems that this preference becomes persistent. Even after deleting the application and reinstalling it, the browser (Safari or third-party browsers) sometimes continues to open the link directly in the browser without asking the user again. In some cases, it appears impossible to reset or clear this association, and the user is not prompted again to choose how the link should be opened. My questions are: How exactly does iOS store link-handling preferences between apps and browsers? Are these preferences saved on the system level, inside Safari, or associated with the app installation itself? Is there a way for a user to manually reset or clear these link-opening associations? Should deleting and reinstalling the app reset these preferences, or is the behavior expected to persist? Is this behavior different for Universal Links, App Clips, or for regular URL scheme associations? This situation is important for us because it affects user experience, and at the moment it is difficult to understand or reproduce the internal logic behind these link associations. Thank you in advance for your clarification.

Hello, When using ASWebAuthenticationSession with an HTTPS callback URL (Universal Link), I receive the following error: Authorization error: The operation couldn't be completed. Application with identifier jp.xxxx.yyyy.dev is not associated with domain xxxx-example.go.link. Using HTTPS callbacks requires Associated Domains using the webcredentials service type for xxxx-example.go.link. I checked Apple’s official documentation but couldn’t find any clear statement that webcredentials is required when using HTTPS callbacks in ASWebAuthenticationSession. What I’d like to confirm: Is webcredentials officially required when using HTTPS as a callback URL with ASWebAuthenticationSession? If so, is there any official documentation or technical note that states this requirement? Environment iOS 18.6.2 Xcode 16.4 Any clarification or official references would be greatly appreciated. Thank you.

Hi everyone, I’ve been stuck on an issue with iOS Universal Links for about a week and could really use some help. The problem When tapping a Universal Link on iOS, my Flutter app opens correctly (desired behavior) — but immediately afterward, Safari opens the same link in the browser. So both the app and the browser open. This only happens on iOS. On Android everything works as expected. What works If the link is simply the domain, like: https://mydomain.com …then the app opens without triggering the browser afterward. This is the correct behavior. What doesn’t work If the link includes a path or parameters, like: https://mydomain.com/path https://mydomain.com/path?param=value …then the app opens, and then the browser opens immediately after. What I’ve tried Verified my AASA file using Branch’s validator: https://branch.io/resources/aasa-validator/ → The AASA file is valid. Universal Links do open the correct screen inside the app — the issue is the unwanted second step (Safari opening). Behavior is consistent across different iOS devices. Extra details Using Flutter. Universal Links set up with the standard configuration (associatedDomains, AASA hosted at /.well-known/apple-app-site-association, etc.). Question Has anyone encountered this issue where Universal Links with paths/params open the app and then open Safari? What could cause iOS to trigger the browser fallback even when the AASA file is valid and the app handles the link correctly? Any insights, debugging tips, or known edge cases would be incredibly appreciated!

My app has been published by 2 months now I still I cant get Universal Links to work. I checked a lot of docs as well as videos about setting up universal links. Everyone with clear steps: Add the well-known json file to the server. Already validated by AASA web validator. Add the Associated domain on project capabilities, with the Web page root only. Eg: applinks:example:com. Install the app and trying clicking a link from notepad. Or instead make a long press to deploy contextual menu to see if my app is on the selectable options to open the link. My app is not been open in any of my attempts and the console always trying to use safari. I had a couple of screenshots of my testing. I really need help with this.

Hi Everyone, When we first hosted our apple-app-site-association file, our hosting provider was unintentionally blocking Apple’s crawler. As a result, Apple’s CDN seems to have cached a timeout / missing file response. We’ve since corrected the issue — the AASA file is now valid and accessible at: https://our-domain.com/.well-known/apple-app-site-association sidenote: I am using "our-domain" as an alias. It is not our actual domain. We have verified that we return a valid JSON, HTTPS 200, correct MIME type. We used apple recommended tools to check this as well as other tools we found on the internet. However, when fetching through the Apple CDN: https://app-site-association.cdn-apple.com/a/v1/our-domain.com we still receive: Apple-Failure-Reason: SWCERR00301 Timeout Apple-Failure-Details: {"cause":"context deadline exceeded (Client.Timeout exceeded while awaiting headers)"} This has persisted for several days. Tools like getuniversal.link and yURL show that the CDN works fine in U.S. regions, but in Europe it continues serving the old timeout response. I’ve already opened a support ticket (Case ID: 102734912696), but the current support channel seems to be general developer account assistance rather than technical. They claim they can only assist us with account related issues (even though I used the code-support form...) Can someone please advise or help us escalate this to the appropriate internal team to refresh the Apple CDN cache for our domain? Thank you so much for your time and help.

~5% of our users when downloading the iOS application from the Apple Store for the first time are unable to enrol a Passkey and experience an error saying the application is not associated with [DOMAIN]. The error message thrown by the iOS credentials API is "The operation couldn't be completed. Application with identifier [APPID] is not associated with domain [DOMAIN]" We have raised this via the developer support portal with case id: 102315543678 Question: Why does the AASA file fail to fetch on app install and is there anything that can be done to force the app to fetch the file? Can this bug be looked at urgently as it is impacting security critical functionality? Other Debugging Observations We have confirmed that our AASA file is correctly formatted and hosted on the Apple CDN. Under normal circumstances the association is created on install and Passkey enrolment works as intended. We have observed that when customers uninstall/reinstall the app this often, but not always, resolves the issue. We also know this issue can resolve itself overtime without any intervention. We have ruled out network (e.g VPN) issues and have reproduced the issue across a number of different network configurations. We have ruled out the Keychain provider and have reproduced it across a variety of different providers and combinations of. We observed this across multiple versions of the iOS operating system and iPhone hardware including the latest hardware and iOS version.

Hello, we are experiencing an issue that is not systematic regarding universal links on our application. In some cases, after the application is installed, the universal links do not open the application but instead open in Safari. We have conducted tests on several devices and with the same link. In some cases, the links open the application after installation, and in other cases, they open in Safari. I should mention that in all test cases, we did not force the opening via the menu accessible through a long press on the link. We performed sysdiagnose in the different cases and we observed the same configuration for the universal links in the swcutil_show.txt file: User Approval: unspecified Site/Fmwk Approval: approved At this stage, I do not think the problem comes from our application or the configuration of the apple-app-site-association file. Is this a known issue? Is there anything we can do on our side to work around it ?

Foreword: I filed a feedback a week ago and so far no one replied or at least acknowledged my feedback. That's why I'm writing here now to get some more attention (hopefully, thanks). I recorded a video to show you what exactly is happening. I am not sure where the issue belongs to exactly but it is related to associated domains, the camera (QR codes), the NFC module, App Intents and Control Center controls. https://youtu.be/sT2bZLs_6rA FB20418059 (I added some tags that are somehow related to the associated domain issue)

I have published the app on the App Store along with its corresponding app clip, my app clip is configured with some advanced experiences for each one of my clients, but whenever some users try to scan an NFC or QR Code they see the card rendering correctly with their configured banner image, but with the message "App Clip Unavailable". The weird thing is that both iMessage and the website to which the associated domain is set and the apple-app-site-association is stored, renders the banner or card correctly, and when the users tap the banner or card they open the advanced app clip experience correctly without any issue. I have attempted to troubleshoot the issue by checking the following: if the app clip is below 15MB if we are using a second level domain in my associated domain both for my app clip and app (excluding the www subdomain). checking if the AASA is correctly stored inside .well-known directory checking the configuration for the advanced experience I opened a case: 102233443873, and added a bunch of videos and screenshot showcasing the issue, but I have not yet received a reply

Dear Apple Support, We are encountering an issue with deep linking on iOS 26 when using Safari and App Store redirection. Below are the detailed steps to reproduce the problem: The app is not installed on the device. User clicks on a Branch link: For example:- https://qewed.app.link/99u88ef9f?uuid=88dbwh5ubd4b Safari opens and displays the fallback page. User taps on “Get the App”, which navigates to the App Store. User installs and opens the app. Expected Behavior:
The app should receive the Branch link parameters (in this case, uuid=88dbwh5ubd4b) upon first open. Actual Behavior:
The app opens successfully, but the uuid parameter is not passed to the app. This issue seems specific to the Safari → App Store → App flow on iOS 26, as other flows behave correctly. Could you please advise whether this is a known issue or if there are recommended adjustments on our side to ensure parameters are consistently delivered after App Store redirection? Note: We are using Branch SDK version 3.11.0 (Cocoapods dependency) Thank you for your assistance.

Hello Having trouble getting associated domain to work in our project. It was working when we used Branch, but our company wants to host the domain ourselves. This is a multi-scheme project, using .xcconfig files to define the correct entitlement per Build. The relevant entitlement file has: com.apple.developer.associated-domains applinks:bm.ddcas.ai in the ....{other irrelevant test associated domains....} The project Team and App ID are taken from the Identifiers screen where the Identifier capabilities has 'associated domains' ticked on. I've also checked elsewhere on AppleDeveloper/Connect to be sure. When we used Branch with domain key app links: bmstores.app.link this worked fine. With https://bm.ddcas.ai (our own host) which is publicly available and has an aasa file in both the main directory and /.well-known, typing this in safari or anything just doesn't attempt to link to the App. The iPhone is in developer mode, and using the developer menu associated domains diagnostic tool, typing https://bm.ddcas.ai results in the diagnostic saying 'The url is a Universal Link for the app with identifier **********.***etc (the app is installed on real iPhone 12, iOS 18.6.2 and my Xcode is 16.4) However, it just doesn't work if we type in https://bm.ddcas.ai and results in a Safari message of '400 not found' and the 'nginx' shows. We have read innumerable Apple Dev posts and StackOverflow posts, as well as several step by step 'how to's' online but this just isn't working. The aasa file is at https://bm.ddcas.ai/apple-app-site-association and is setup as follows: { "applinks": { "apps": [], "details": [ { "appID": "{my Team ID}.{my App ID}", "paths": [ "*" ], "components": [ { "/": "/verification", "?": { "verification_code": "[A-Za-z0-9]{6}" }, "comment": "Matches verification code path" } ] } ] } } Our Server guys say the website (bm.ddcas.ai) is public and hosted, it just doesn't have a /verification path as they say it should redirect before reaching that. Also, our Android redirect works using this site, so this appears to be something specific Apple code is looking for. What, please, are we likely to be missing as it does not seem obvious from the Apple documentation or any of the resources I have checked online. Normally we can figure anything out, but getting nowhere here so the help is appreciated.

Hi all, Pretty new here, so please remember when you were trying hard. I am creating an IOS app that will generate a link where you have a room-id and a unique id. This will be sent (normal sms. email, copy/paste values etc) to another user. If the person receiving the link does not have the app installed, I would like it to go to the app store for download, however the app is currently not finished and therefore I can't provide a proper link. How do you deal with that? Thanks in advance

Hello, I'm developing a feature for my app, that allows users to challenge their friends. The friend request functionality is built using Universal Links, but I've run into a significant issue. The Universal Links are correctly deep-linking into the app. However, once the app opens, nothing happens—the friend request acceptance or rejection flow does not occur. This prevents users from completing friend requests and building their friend list. Here are examples of the Universal Links I'm generating: https://www.strike-force.app/invite?type=invite&userID=... https://www.strike-force.app/invite?type=invite&friendRequestID=... https://www.strike-force.app/profile?userID=... I've recently updated my cloudflare-worker.js to serve a paths array of ["*"] in the AASA file, so I believe the links themselves should be valid. Technical Details & Error Logs In the console, I am consistently seeing the following error message: Cannot issue sandbox extension for URL:https://www.strike-force.app/invite?token=7EF1E439-090B-4DF2-BE64-9904F50A3F8B Received port for identifier response: <(null)> with error:Error Domain=RBSServiceErrorDomain Code=1 "Client not entitled" UserInfo={RBSEntitlement=com.apple.runningboard.process-state, NSLocalizedFailureReason=Client not entitled, RBSPermanent=false} elapsedCPUTimeForFrontBoard couldn't generate a task port This error appears to be related to entitlements and process state, but I am not sure if it's the root cause of the Universal Link issue or a separate problem. The 'Client not entitled' error on line 3 has had me chasing down entitlements issues. But, I've added the Associated Domains entitlement with the proper applink URLs and verified this in my Developer Portal. I've regenerated my provisioning profile, manually installed it, and selected/de-selected Automatically Manage Signing. As well I've verified my AASA file and it's correctly being served via HTTPS and returning a 200. curl -i https://strike-force.app/.well-known/apple-app-site-association curl -i https://www.strike-force.app/.well-known/apple-app-site-association I am looking for guidance on why the friend request flow is not being triggered after a successful deep-link and how I can fix the related error. Any insights or suggestions would be greatly appreciated.

From some moment of time, Universal Links stopped working for our app. As per my understanding, application reinstall or update caused system to fetch AASA file from CDN, which started to reply with 404 for our domain (https://app-site-association.cdn-apple.com/a/v1/app.link.digidentity.eu). In the meantime, nothing has changed inside our app or on our BE (https://app.link.digidentity.eu/.well-known/apple-app-site-association). Executing "curl -v https://app-site-association.cdn-apple.com/a/v1/app.link.digidentity.eu" returns following result * IPv6: (none) * IPv4: 17.253.15.197, 17.253.29.202, 17.253.37.203, 17.253.37.208, 17.253.57.197, 17.253.57.208, 17.253.29.196 * Trying 17.253.15.197:443... * Connected to app-site-association.cdn-apple.com (17.253.15.197) port 443 * ALPN: curl offers h2,http/1.1 * (304) (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (IN), TLS handshake, Server hello (2): * (304) (IN), TLS handshake, Unknown (8): * (304) (IN), TLS handshake, Certificate (11): * (304) (IN), TLS handshake, CERT verify (15): * (304) (IN), TLS handshake, Finished (20): * (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF * ALPN: server accepted http/1.1 * Server certificate: * subject: C=US; ST=California; O=Apple Inc.; CN=app-site-association.cdn-apple.com * start date: Jul 7 00:05:26 2025 GMT * expire date: Sep 30 19:08:48 2025 GMT * subjectAltName: host "app-site-association.cdn-apple.com" matched cert's "app-site-association.cdn-apple.com" * issuer: CN=Apple Public Server ECC CA 11 - G1; O=Apple Inc.; ST=California; C=US * SSL certificate verify ok. * using HTTP/1.x > GET /a/v1/app.link.digidentity.eu HTTP/1.1 > Host: app-site-association.cdn-apple.com > User-Agent: curl/8.7.1 > Accept: */* > * Request completely sent off < HTTP/1.1 404 Not Found < Apple-Failure-Details: {"cause":"dial tcp: lookup app.link.digidentity.eu on 10.100.53.53:53: dial tcp 10.100.53.53:53: connect: connection refused"} < Apple-Failure-Reason: SWCERR00302 Network error (temporary) < Apple-From: https://app.link.digidentity.eu/.well-known/apple-app-site-association < Apple-Try-Direct: true < Cache-Control: max-age=3600,public < Content-Length: 10 < Content-Type: text/plain; charset=utf-8 < Date: Thu, 21 Aug 2025 10:36:47 GMT < Vary: Accept-Encoding < Expires: Thu, 21 Aug 2025 10:36:57 GMT < Age: 2952 < Via: http/1.1 uklon5-vp-vst-011.ts.apple.com (acdn/1.16221), https/1.1 uklon5-vp-vfe-007.ts.apple.com (acdn/4.16219), http/1.1 defra1-edge-lx-005.ts.apple.com (acdn/260.16276), http/1.1 defra1-edge-bx-006.ts.apple.com (acdn/260.16276) < X-Cache: hit-fresh, hit-stale, hit-fresh, hit-fresh < CDNUUID: e06b4b03-f97d-48f8-97bb-774359a39fa2-4464142837 < Connection: keep-alive < Not Found * Connection #0 to host app-site-association.cdn-apple.com left intact On our end, we did not find any reason why it can be not available for Apple to fetch. Is SWCERR00302 an indication of problem on our end? Any help is appreciated

I have a public and accessible .well-known/apple-app-site-association file for both my domain.com and subdomain.domain.com with "paths": ["*"] . Both example.com and blog.example.com are added in Associated domains and any link that contains domain.com and domain.com/path normally deep links into my app. I used to have an *.example.com that successfully deep linked all my subdomains into my app but now I had to remove it as some subdomains will need to link to other apps, but some should still link to the same app. I removed * but left blog.example.com as that specific subdomain still needs to deep link into my app. But now blog.example.com is not even being recognized by my app and any link starting with blog.example.com just opens in safari. What am I missing? Why is this happening ?