Hello, I currently have an app that includes the "Sign in with Apple" feature, and I need to transfer this app to another app team. I have reviewed all official documentation but have not found the answer I need. My situation has some specificities, and I hope to receive assistance.

The .p8 key created by the original developer team has been lost, and the app’s backend does not use a .p8 key for verification—instead, it verifies by obtaining Apple’s public key. However, according to the official documentation I reviewed, obtaining a transfer identifier during the app transfer process requires a client_secret generated from the original team’s .p8 key. This has left us facing a challenge, and we have two potential approaches to address this issue:

Q1: During the transfer, is it possible to skip obtaining the transfer identifier and proceed directly with the app transfer, without performing any backend operations? Is this approach feasible?

Q2: If the above approach is not feasible, should we create a new .p8 key in the original team’s account and use this new key for the transfer? If a new key is generated, do we need to re-release a new version of the app before initiating the transfer?

If neither of the above approaches is feasible, are there better solutions to resolve our issue? I hope to receive a response. Thank you.
TN3159: Migrating Sign in with Apple users for an app transfer | Apple Developer Documentation/ https://developer.apple.com/documentation/signinwithapple/transferring-your-apps-and-users-to-another-team
Hi @LeeMd,
You wrote:
Q1: During the transfer, is it possible to skip obtaining the transfer identifier and proceed directly with the app transfer, without performing any backend operations? Is this approach feasible?
If you do not correctly migrate your users by generating and exchanging your transfer IDs, the user accounts created before the app transfer will be abandoned. This is a poor user experience.
Then, you wrote:
Q2: If the above approach is not feasible, should we create a new .p8 key in the original team’s account and use this new key for the transfer? If a new key is generated, do we need to re-release a new version of the app before initiating the transfer? If neither of the above approaches is feasible, are there better solutions to resolve our issue?
Yes, you should create a new private key for Sign in with Apple on Team A before the app transfer.
You can create 2 private keys, and both can be active simultaneously. First, generate the new key in the Developer portal, test your backend and validation implementations, deploy to production, and only after confirming a healthy transition, purge the old key from your systems and revoke it from the Developer portal.
Once you're confident the new private key is handled correctly, you can then revoke the lost private key. You may then use the new private key ID in your client secrets to obtain auth tokens, and generate transfer IDs, and then finally transfer the app as noted in TN3159.
Note: This process should have been done as soon as the original key was compromised.
Cheers,
Paris X Pinkney | WWDR | DTS Engineer
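The client secret signed with the new key ID, as an added example (not part of the thread and not Apple's code), with a local check to run before deploying it. It follows the JWT claim layout in Apple's Sign in with Apple documentation; the team ID, client ID and key ID are placeholders, and a throwaway P-256 key is generated in place of the real .p8 file.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const MAX_TTL = 15777000; // Apple's documented limit: exp at most 6 months ahead

// Build the ES256 JWT used as client_secret. keyId is the ID of the NEW key
// created on Team A; privateKey is that key (a KeyObject or the .p8 PEM text).
function makeClientSecret({ teamId, clientId, keyId, privateKey, now = Date.now(), ttlSeconds = 3600 }) {
  if (ttlSeconds <= 0 || ttlSeconds > MAX_TTL) throw new RangeError('ttlSeconds out of range');
  const iat = Math.floor(now / 1000);
  const header = { alg: 'ES256', kid: keyId };
  const payload = { iss: teamId, iat, exp: iat + ttlSeconds, aud: 'https://appleid.apple.com', sub: clientId };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS needs the raw r||s signature (ieee-p1363), not Node's default DER form.
  const sig = crypto.sign('sha256', Buffer.from(signingInput), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Local check: the secret carries the expected kid and verifies against the
// public half of the key it is supposed to have been signed with.
function checkClientSecret(jwt, publicKey, expectedKeyId) {
  const [h, p, s] = jwt.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  const signatureOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  return { signatureOk, kidOk: header.kid === expectedKeyId, payload };
}

// Constructed sample: a generated key pair stands in for the new .p8 key.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const jwt = makeClientSecret({
    teamId: 'TEAM_A_ID_PLACEHOLDER',
    clientId: 'com.example.app',
    keyId: 'NEW_KEY_ID_PLACEHOLDER',
    privateKey,
  });
  return checkClientSecret(jwt, publicKey, 'NEW_KEY_ID_PLACEHOLDER');
}
```

With the real key, pass the contents of the .p8 file (PEM text) as `privateKey`; a secret still carrying the lost key's ID, or signed by a different key, fails `kidOk` or `signatureOk` here.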