Handling account deletions and revoking tokens for Sign in with Apple

This thread has been locked by a moderator.

The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions.

If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials:

  1. Delete the user’s account data from your systems.
  2. Direct the user to manually revoke access for your client.
  3. Respond to the credential revoked notification to revert the client to an unauthenticated state

Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button.

Respond to the credential revoked notification

Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event: 

When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion:

  1. Deleted all user-related account data, including:
    • The token used for token revocation;
    • Any user-related data stored in your app servers; and
    • Any user-related data store in the Keychain or securely on disk in the native app or locally on web client.
  2. Reverted the client to an unauthenticated state.

Securely store user tokens for account creations

For all new user account creations, follow the expected authorization flow below:

  1. Securely transmit the identity token and authorization code to your app server.
  2. Verify the identity token and validate the authorization code using the /auth/token endpoint. 
  3. Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token.
  4. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests).

For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens.

If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

Up vote post of ppinkney
8.8k views