Missing "is_private_email" claim in ID Token for Hide My Email users

Question

Harry-Jang OP

Created Nov ’25

Replies 1

Boosts 0

Participants 2

Hello,

I am implementing "Sign in with Apple" on my backend and validating the Identity Token (JWT) received from the client.

I noticed that for some users who choose the "Hide My Email" option, the is_private_email claim is missing from the ID Token payload, even though the email address clearly belongs to the private relay domain (@privaterelay.appleid.com).

Here is an example of the decoded payload I received: { "iss": "https://appleid.apple.com", "aud": "xxx", "exp": 1764402438, "iat": 1764316038, "sub": "xxxxxxxx", "c_hash": "3FAJNf4TILzUgo_YFe4E0Q", "email": "xxx@privaterelay.appleid.com", "email_verified": true, "auth_time": 1764316038, "nonce_supported": true // "is_private_email": true <-- This field is missing }

My Questions:

Is the is_private_email claim considered optional in the ID Token?

Is it safe and recommended to rely solely on the email domain suffix (@privaterelay.appleid.com) to identify if a user is using a private email?

Any insights or official references would be appreciated.

Thanks.

Boost

Answer 1

DTS Engineer OP

Apple

3d

Hi @Harry-Jang,

If the user's real email address is provided to your app, the is_private_email claim may not be present in the ID token; if it is present, it will be either false or "false".

However, if you could reproduce the issue with a more recent ID token, I can work with the iCloud engineering team to investigate the missing claim.

Please follow the steps in the post below and reply here with the Feedback ID, once created:

Gathering required information for troubleshooting Sign in with Apple authorization and token requests

https://developer.apple.com/forums/thread/801173

Cheers,

Paris X Pinkney |  WWDR | DTS Engineer

0