Hi Apple Devs, For our app, we utilize passkeys for account creation (not MFA). This is mainly for user privacy, as there is 0 PII associated with passkey account creation, but it additionally also satisfies the 4.8: Login Services requirement for the App Store. However, we're getting blocked in Apple Review. Because the AASA does not get fetched immediately upon app install, the reviewers are not able to create an account immediately via passkeys, and then they reject the build. I'm optimistic I can mitigate the above. But even if we pass Apple Review, this is a pretty catastrophic issue for user security and experience. There are reports that 5% of users cannot create passkeys immediately (https://developer.apple.com/forums/thread/756740). That is a nontrivial amount of users, and this large of an amount distorts how app developers design onboarding and authentication flows towards less secure experiences: App developers are incentivized to not require MFA setup on account creation because requiring it causes significant churn, which is bad for user security. If they continue with it anyways, for mitigation, developers are essentially forced to add in copy into their app saying something along the lines of "We have no ability to force Apple to fetch the config required to continue sign up, so try again in a few minutes, you'll just have to wait." You can't even implement a fallback method. There's no way to check if the AASA is available before launching the ASAuthorizationController so you can't mitigate a portion of users encountering an error!! Any app that wants to use the PRF extension to encrypt core functionality (again, good for user privacy) simply cannot exist because the app simply does not work for an unspecified amount of time for a nontrivial portion of users. It feels like a. Apple should provide a syscall API that we can call to force SWCD to verify the AASA or b. implement a config based on package name for the app store such that the installation will immediately include a verified AASA from Apple's CDN. Flicking the config on would require talking with Apple. If this existed, this entire class of error would go away. It feels pretty shocking that there isn't a mitigation in place for this already given that it incentivizes app developers to pursue strictly less secure and less private authentication practices.

I have been using Universal Links since January of this year. As of January, it was working fine, but when I checked its operation in August, it was no longer working properly. After investigating, I believe that the reason it is not working is because our firewall is blocking communication from AppleCDN to check for AASA files. Our firewall blocks communication from outside Japan, and Apple's IP address (17.0.0.0/8) is whitelisted. Does anyone know the hostname or IP address that is used to check AASA files? If you know, please let me know.

Problem Description: In our App, When we launch the web login part using ASWebAuthentication + Universal Links with callback scheme as "https", we are not receiving callback. Note: We are using "SwiftUIWebAuthentication" Swift Package Manager to display page in ASWebAuth. But when we use custom url scheme instead of Universal link, app able to receive call back every time. We use ".onOpenURL" to receive universal link callback scheme.

Hi all, I'm trying to set up universal links for my app but it's not working. What I want: cogover.com → Safari (website) - NOT my app *.cogover.com (any subdomain like abc.cogover.com) → My app What I did: Added applinks:*.cogover.com in Xcode Put AASA files on all subdomains They work fine (checked with curl) Problem: All links still open in Safari, not my app. I do not put AASA on my root domain cogover.com because I don't want open my app with root domain. I have checked TN3155: Debugging universal links | Apple Developer Documentation but it only say about universal link works with both root domain and subdomains. Weird thing I found: I checked how Salesforce does it - their *.force.com subdomains work perfectly. But when I tried to check their setup, (https://force.com/.well-known/apple-app-site-association) doesn't seem to exist either! So how does theirs work? Even stranger - Apple's CDN has their file cached at (https://app-site-association.cdn-apple.com/a/v1/force.com) but the actual domain doesn't serve it. Can Apple's CDN have a file cached even if it's not on the website anymore? Thanks for any help!

(1) Context: Our project has a login feature via WEBVIEW (using SFSafariViewController) and integrates PassKey on the Web side. The app listens for a successful login by capturing the redirect URL via the delegate of SFSafariViewController. (2) Issue: On iOS < 18.4: The redirect URL is captured with full parameters returned. https://xyz.com/home?session_state=...&code=... On iOS ≥ 18.4: The redirect URL is captured successfully but missing parameters. https://xyz.com/home We currently suspect that the issue originates from the SFSafariViewController framework after the release of iOS 18.4. Has anyone experienced a similar issue? We would also appreciate support from the Apple team.

I recently started a new app that supports universal links. I noticed an error in the apple-app-site-association (AASA) file and updated it. I used mode=developer in the applinks configuration, and it works well on Simulator, but for the life of me I can't get my device to load the new file, and the CDN hasn't updated in days. Any suggestions for how to get it to update, or get iOS to load the file directly? mode=developer is supposed to do this, but it simply won't on device. I've tried touching the file, and I can see its reported HTTP last modification date and eTag have changed. I've tried deleting and reinstalling the app; I've tried restarting the phone; I've tried clean builds; I've tried changing the applinks: to something else and reinstalling; I've tried installing via TestFlight.

Issue with Universal Links and App Extension (ShieldAction Handler) I'm currently working on a POC app using the FamilyControls framework and facing an issue when trying to open a Universal Link from an app extension, specifically from a ShieldAction handler. When I try to open a Universal Link, I encounter the following error: Failed to open URL https://sixteen-server-c008110f8759.herokuapp.com/.well-known/apple-app-site-association: Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open 'com.apple.mobilesafari' failed." UserInfo={BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x14f2d90b0 {Error Domain=FBSOpenApplicationErrorDomain Code=3 "Application com.sixteen.life is neither visible nor entitled, so may not perform un-trusted user actions." UserInfo={BSErrorCodeDescription=Security, NSLocalizedFailureReason=Application com.sixteen.life is neither visible nor entitled, so may not perform un-trusted user actions.}} Context: I’m using a ShieldAction handler as part of an App Extension to trigger the action (e.g., "Break in Shield") in my app. The app extension (ShieldAction handler) is responsible for trying to open the Universal Link. I’m encountering the error because the app is not visible or entitled to perform this action, which seems to be related to security restrictions when using App Extensions. Questions: App Extension and Universal Link Interaction: Is it possible for an App Extension (like ShieldAction handler) to open a Universal Link or trigger an external app, such as Safari, even though it is not the foreground app? Entitlements for App Extensions: Are there any specific entitlements or permissions required to allow an app extension (ShieldAction handler) to open Universal Links or perform actions like opening Safari from the background? App Visibility and State: How can I ensure that my app is in the right state (visible/active) and has the necessary entitlements to trigger these actions when running in the context of an app extension? Workaround: If this behavior is restricted due to app extension limitations, what would be the recommended workaround to handle launching external apps (like Safari) or Universal Links from within an app extension?

Hi, I’d like to confirm something regarding the hosting of the apple-app-site-association (AASA) file. We have a server that publicly hosts the AASA file and is accessible globally. However, this server sits behind an additional security layer (a security server/reverse proxy). My question is: Will this security layer affect Apple’s ability to access and validate the AASA file for Universal Links or App Clips? Are there specific requirements (e.g. headers, redirects, TLS versions, etc.) that we need to ensure the security server does not block or modify? Any guidance or best practices would be appreciated.

I’d like to confirm something regarding the hosting of the apple-app-site-association (AASA) file. We have a server that publicly hosts the AASA file and is accessible globally. However, this server sits behind an additional security layer (a security server/reverse proxy). My question is: Will this security layer affect Apple’s ability to access and validate the AASA file for Universal Links or App Clips? Are there specific requirements (e.g. headers, redirects, TLS versions, etc.) that we need to ensure the security server does not block or modify? Any guidance or best practices would be appreciated. Thanks!

I have been trying to add improved tvOS login using an Associated Domain and web credentials. In some places, I am seeing that the format is <TEAM_ID>.<BUNDLE_ID>, and in other places I am seeing <APP_ID>.<BUNDLE_ID>. I am having trouble getting both to work, but in order to properly troubleshoot, I want to make sure that I am using the correct identifier. Can someone give me a definitive answer? The documentation says app id, but I have seen Apple engineers in this forum say team id, and many other posts around the internet also saying team id.

Our app includes showing external web service with WebView or Safari and returning to the app with custom URL scheme or universal link. When we set "Hide and Require Face ID" feature which was available on iOS 18, neither custom URL scheme nor universal link activated the app. If we only set "Require Face ID", the deep link worked properly. Here is what we've tried: Define custom URL scheme or universal link in the app https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app Implement external web service with one of the following frameworks ASWebAuthenticationSession https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/ SFSafariViewController https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller Safari WKWebView https://developer.apple.com/documentation/webkit/wkwebview On iOS 18 device, install the app and set "Hide and Require Face ID" Access external web page and tap the link which activates custom URL scheme or universal link We expected the deep link to work, but the results were: Custom URL scheme & ASWebAuthenticationSession/SFSafariViewController/Safari The system shows "Cannot open the page because the address is invalid" Custom URL scheme & WKWebView Nothing happens when tapping the link Universal link Directed to the server with associated domain file, but the system doesn't call the app which is defined in the associated domain file We tested the feature with the app built with Xcode16 beta 6, and the device with iOS 18 Seed 8(22A5350a). Does hide app feature support custom URL scheme and universal link?

I have hosted my AASA file in https://powerbrowser.app/.well-known/apple-app-site-association in signed format as per documentation. I still can not see open in app button when open a link by long press. By the way i have activated 'Associated Domains' and put proper entitlements as per documantation.

We have implemented Universal Links for iOS. We have deployed the following file as per the documentation: /.well-known/apple-app-site-association Everything works fine until my organization applied domain-level block on traffic out side my country. We need to whitelist Apple servers but we cannot find their IPs or domains used to access this file.

I need to know the https address of a certain page within my app. This is going to be used as a redirect URL. I don't think it is a good idea to use deep links because it has to be an https address. I don't think Universal Links will work because it is not my website that I will be communicating with.

I am trying to setup a unversal linking for my new developing app. but it look like not function well. did any one have some examples or demo domains suggest to use? In fact finally my app is just internal using, user will not suppose connect to internet , how can I using the universal linking without a website ? Thanks

Without developer mode, I was able to get Password AutoFill to work in my SwiftUI app with my local Vapor server using ngrok and adding the Associated Domains capability with the value webcredentials:....ngrok-free.app and the respective apple-app-site-association file on my local server in /.well-known/. (works on device, but not in the simulator). However, if I use the developer mode (webcredentials:....ngrok-free.app?mode=developer) it only works halfway when running from Xcode: I get asked to save the password, but the saved passwords are not picked up, when I try to login again. Neither on device, nor in the simulator. If I remove the ?mode=developer it seems to work as expected. Is this by design, or am I missing something? var body: some View { ... Section(header: Text("Email")) { TextField("Email", text: $viewModel.credentials.username) .textContentType(.username) .autocapitalization(.none) .keyboardType(.emailAddress) } Section(header: Text("Passwort")) { SecureField("Passwort", text: $viewModel.credentials.password) .textContentType(.password) } ... }

In a project having both an app and a website, the following two website urls are to be handed over to the corresponding app: https://www.example.com/search?plus https://www.example.com/search?query=something In AASA file, this becomes: "components": [ { "/": "/search", "?": { "plus": "", "query": "?*" } } However, finally it does not work for both urls. Only the one with "query" works by hand over to app. For investigation, I have tried this for the problematic link: "components": [ { "/": "/search", "?": "plus" } and this works. How can I get both to work? (note that for the sake of brevity, only a portion of the AASA files are shown)

Hello, We're facing an issue with app links failing and falling back to browser website journeys. Our apple-app-site-association file is hosted publicly and the app to app journeys have been working correctly up to very recently - we are trying to identify any potential network infra changes that could have impacted the Apple CDN being able to retrieve the apple-app-site-association file. We can see in the iPhone OS logs that the links cannot be verified by the swcd process, and using the app-site-association.cdn-apple.com/a/v1 api via curl can also see the CDN has no record of the AASA file. Due to the traffic being SSL and to a high volume enterprise site it is difficult for use to trace activity through anything other that the source IPs - we cannot filter on user-agent for "AASA-Bot/1.0.0" as breaking the SSL would be impactful due to the load. Is it possible to get a network range used by the Apple CDN to retrieve the AASA file as this would help us identify potential blocking behaviour? Thank you.

I've a strange problem which is only occurring on 2 client devices. We have enabled Universal links, and have it fully tested and working. On one client device, the link never opens our app; but here's the strange thing: If I long-press on our link (in Messages), it gives a preview (as expected), and the context menu offers "Open in ", as well as "Open in Safari". Tapping on "Open in " does nothing. I've tried the following: Checked I could access the site-association file over https with no redirects Enabled developer mode and used universal link debug feature: pasted the same link - Developer mode says it will open the app. I've carried out the sysdiagnose; And there are entries in there for our app in swcutil_show.txt. Snipped below: Service: applinks App ID: <my fully qualified app bundle id> App Version: 760.0 App PI: <LSPersistentIdentifier 0x6b8008930> { v = 0, t = 0x8, u = 0x45c, db = DC8D18A2-430D-4AD4-A5BE-B7A003CF9A6F, {length = 8, bytes = 0x5c04000000000000} } Domain: www.<mydomain>.com Patterns: {"/":"/cc/*"}, {"?":{"t":"*"},"/":"/md/"} User Approval: unspecified Site/Fmwk Approval: approved Flags: Last Checked: 2025-04-29 09:10:21 +0000 Next Check: 2025-05-04 08:42:50 +0000 -------------------------------------------------------------------------------- Service: applinks App ID: <my fully qualified app bundle id> App Version: 760.0 App PI: <LSPersistentIdentifier 0x6b8008930> { v = 0, t = 0x8, u = 0x45c, db = DC8D18A2-430D-4AD4-A5BE-B7A003CF9A6F, {length = 8, bytes = 0x5c04000000000000} } Domain: <mydomain>.com Patterns: {"/":"/cc/*"}, {"?":{"t":"*"},"/":"/md/"} User Approval: unspecified Site/Fmwk Approval: approved Flags: Last Checked: 2025-04-29 09:10:21 +0000 Next Check: 2025-05-04 08:42:50 +0000 -------------------------------------------------------------------------------- Service: applinks App ID: <my fully qualified app bundle id> App Version: 760.0 App PI: <LSPersistentIdentifier 0x6b8008930> { v = 0, t = 0x8, u = 0x45c, db = DC8D18A2-430D-4AD4-A5BE-B7A003CF9A6F, {length = 8, bytes = 0x5c04000000000000} } Domain: *.<mydomain>.com Patterns: {"/":"/cc/*"}, {"?":{"t":"*"},"/":"/md/"} User Approval: unspecified Site/Fmwk Approval: approved Flags: Last Checked: 2025-04-29 09:10:21 +0000 Next Check: 2025-05-04 08:42:50 +0000 -------------------------------------------------------------------------------- The version numbers match the installed version of my app I've tried running logging and just capturing logs before and after I press the "open in ", but there's nothing suspicious in there. And the kicker - it's only happening on a single device. No other devices are experiencing this.

Question: I'm aware of the AASA file hosting procedure to make app clips work and link them to your website, but IIRC you can trigger app clips via the simple appclip.apple.com URL too, right? As a result no need to host the AASA file. Like my app store connect gave me the URL https://appclip.apple.com/id?p=myname.myappsname.Clip but when I click it it says "This app clip is not currently available in your country or region". However I'm also getting Bad JSON content on the View Status under the domain. I'm so confused.