We are currently following the official Apple documentation “TN3159: Migrating Sign in with Apple users for an app transfer” to carry out a Sign in with Apple user migration after successfully transferring several apps to a new developer account.
Here is a summary of our situation:
-
Under the original Apple developer account, we had five apps using Sign in with Apple, grouped under a shared primary app using App Grouping.
-
Recently, we transferred three of these apps to our new Apple developer account via App Store Connect.
-
After the transfer, these three apps are no longer associated with the original primary App ID. We reconfigured individual Services IDs for each app in the new account and enabled Sign in with Apple for each.
-
More than 24 hours have passed since the app transfer was completed.
Now we are attempting to follow the migration process to restore user access via the user.migration flow. Specifically, we are using the following script to request an Apple access token:
url = "https://appleid.apple.com/auth/token"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {
"grant_type": "client_credentials",
"scope": "user.migration",
"client_id": "com.game.friends.ios.xxxx", # New Primary ID in the new account
"client_secret": "<JWT signed with new p8 key>"
}
response = requests.post(url, headers=headers, data=data)
However, the API response consistently returns:
{
"error": "invalid_client"
}
We have verified that the following configurations are correct:
-
The client_secret is generated using the p8 key from the new account, signed with ES256 and correct key_id, team_id, and client_id.
-
The client_id corresponds to the Services ID created in the new account and properly associated with the migrated app.
-
The scope is set to user.migration.
-
The JWT payload contains correct iss, sub, and aud values as per Apple documentation.
-
The app has been fully transferred and reconfigured more than 24 hours ago.
Problem Summary & Request for Support:
According to Apple’s official documentation:
“After an app is transferred, Apple updates the Sign in with Apple configuration in the background. This can take up to 24 hours. During this time, attempts to authenticate users or validate tokens may fail.”
However, we are still consistently receiving invalid_client errors after the 24-hour waiting period. We suspect one of the following issues:
-
The transferred apps may still be partially associated with the original App Grouping or primary App ID.
-
Some Sign in with Apple configuration in Apple’s backend may not have been fully updated after the transfer.
-
Or the Services ID is not yet fully operational for the transferred apps in the new account.
We kindly request your assistance to:
-
Verify whether the transferred apps have been completely detached from the original App Grouping and primary App ID.
-
Confirm whether the new Services IDs under the new account are fully functional and eligible for Sign in with Apple with user.migration scope.
-
Help identify any remaining configuration or migration issues that may cause the invalid_client error.
-
If necessary, assist in manually ungrouping or clearing any residual App Grouping relationships affecting the new environment.
We have also generated and retained the original transfer_sub identifiers and are fully prepared to complete the sub mapping once the user.migration flow becomes functional.
Thank you very much for your time and support!