Apple Pay ok with SandBox but ko in production

Hello,

On my website, I have a button to make a payment via Apple Pay. When I click on it, the Touch ID window opens correctly. However, when I place my finger on the Touch ID, I get a payment error. This issue only occurs in production mode. In sandbox mode, everything works perfectly.

Here is a log file:

Thank you in advance for your help.

Answered by DTS Engineer in 893965022

Hi @wehtam,

You wrote:

[...] However, when I place my finger on the Touch ID, I get a payment error. This issue only occurs in production mode. In sandbox mode, everything works perfectly. [...] Here is a log file: [...]

Thanks for the log file. The failure happens at the Rewrap phase, confirmed by these three consecutive log lines:

Response: 500  Time profile: 0.444229 seconds  { 10 fields }  117 bytes

Web service error without a retry nonce. Failing payment

State machine change state from PKPaymentAuthorizationStateRewrap
  to PKPaymentAuthorizationStateFatalError

After the Touch ID succeeds and the Secure Element generates the payment cryptogram, Apple's SMP (Secure Element Management Protocol) server takes that cryptogram and encrypts it using your merchant's production Payment Processing Certificate (PPC) public key. This rewrapped token is what gets sent to your payment processor.

The 500 error is coming from the Apple Pay servers during this step — meaning Apple attempted to rewrap the cryptogram using your production PPC and failed server-side.

This error is not thrown in the sandbox environment because they use completely separate PPCs:

  • Sandbox uses a test Payment Processing Certificate registered in your sandbox environment.
  • Production uses your real Payment Processing Certificate registered in the Developer portal under your production Merchant ID.

The Merchant Identity Certificate (used for merchant validation, which succeeds in your logs) is a different certificate from the Payment Processing Certificate (used for token encryption in the rewrap step, which fails).

To resolve this error:

  • Check your production Payment Processing Certificate. Go to the Developer portal and verify the certificate under your production Merchant ID is:
    • not expired
    • not revoked
    • the correct certificate (not a sandbox one)
  • Confirm your PSP has the matching private key. If you use a PSP, verify their dashboard shows an active, non-expired Apple Pay certificate for your production account.
  • If the certificate was recently renewed:
    • Re-download the new .cer from the Developer portal.
    • Re-upload it to your PSP or your own decryption service.
    • Ensure the private key on your side corresponds to the new certificate's public key.
  • If the certificate appears valid, contact Apple Developer Support. Next time this occurs, provide the support team with the timestamp of this error, and the fact that the rewrap POST returns a 500 — this may indicate a server-side configuration issue for your specific Merchant ID in production.

Cheers,

Paris X Pinkney |  WWDR | DTS Engineer
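The following script is an added example, not part of this thread and not Apple's or the engineer's code. It performs the offline parts of the checklist above on a downloaded production `.cer` (DER) and the private key your decryption service holds: is the certificate past (or near) expiry, and does that key actually correspond to the certificate's public key. Revocation and the sandbox/production distinction cannot be settled offline, so it only prints the subject and end date for you to eyeball. It assumes the `openssl` CLI; the key and certificate it creates are constructed stand-ins for a real Payment Processing Certificate.

```shell
#!/bin/sh
# Added example, not from the forum thread. Offline checks for a Payment
# Processing Certificate (.cer is DER) and the private key meant to decrypt
# tokens. Assumes the openssl CLI. Revocation is not checked here.
set -eu

# ppc_summary CERT_DER: show who the certificate is for and when it ends,
# so a sandbox certificate or an old Merchant ID stands out.
ppc_summary() {
  openssl x509 -inform DER -in "$1" -noout -subject -enddate
}

# check_ppc CERT_DER KEY_PEM [MIN_SECONDS]
# Prints "ok" and returns 0, or a one-line reason and returns 1.
# MIN_SECONDS (default 0) also fails certs that expire within that window.
check_ppc() {
  cert="$1"; key="$2"; min="${3:-0}"
  pem=$(openssl x509 -inform DER -in "$cert" 2>/dev/null) \
    || { echo "not a DER certificate: $cert"; return 1; }
  # expiry: -checkend N returns non-zero if the cert expires within N seconds
  printf '%s\n' "$pem" | openssl x509 -noout -checkend "$min" >/dev/null \
    || { echo "expires within $min s"; return 1; }
  # key match: public key derived from the private key must equal the
  # SubjectPublicKeyInfo embedded in the certificate
  cert_pub=$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable private key: $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate"; return 1; }
  echo "ok"
}

# Constructed demo material standing in for a real PPC: a P-256 key, a
# 30-day self-signed cert made from it, and an unrelated key (what is left
# behind when only the .cer was re-uploaded after a renewal).
work=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$work/current.key"
openssl req -new -x509 -key "$work/current.key" -subj "/CN=demo-ppc" \
  -days 30 -outform DER -out "$work/ppc.cer" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$work/stale.key"

ppc_summary "$work/ppc.cer"
check_ppc "$work/ppc.cer" "$work/current.key"                   # ok
check_ppc "$work/ppc.cer" "$work/stale.key" || true             # key mismatch
check_ppc "$work/ppc.cer" "$work/current.key" 5184000 || true   # ends within 60 days
```

A production certificate that passes both checks but still yields a 500 at rewrap is the case where the checklist's last step (Apple Developer Support with the timestamp) applies.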

