Hello,
I am implementing "Sign in with Apple" on my backend and validating the Identity Token (JWT) received from the client.
I noticed that for some users who choose the "Hide My Email" option, the is_private_email claim is missing from the ID Token payload, even though the email address clearly belongs to the private relay domain (@privaterelay.appleid.com).
Here is an example of the decoded payload I received:
{
"iss": "https://appleid.apple.com",
"aud": "com.platform.elderberry.new.signinwithapple",
"exp": 1764402438,
"iat": 1764316038,
"sub": "000851.86193ef81ad247feb673746c19424f28.0747",
"c_hash": "3FAJNf4TILzUgo_YFe4E0Q",
"email": "x8sqp2dgvv@privaterelay.appleid.com",
"email_verified": true,
"auth_time": 1764316038,
"nonce_supported": true
// "is_private_email": true <-- This field is missing
}
My Questions:
-
Is the is_private_email claim considered optional in the ID Token?
-
Is it safe and recommended to rely solely on the email domain suffix (@privaterelay.appleid.com) to identify if a user is using a private email?
Any insights or official references would be appreciated.
Thanks.