Questions about user impact and best practices for rotating the private key used for Sign in with Apple

Hi,

We are operating a service that uses Sign in with Apple for user registration and login. As part of our security incident response and periodic security improvements, we are planning to rotate the private key used to generate the client secret (JWT) for Sign in with Apple.

I have read the Human Interface Guidelines and the AuthenticationServices documentation, but I could not find a clear description of the behavior and user impact when rotating this private key. I would like to ask the following questions:

Background:

  • We issue a Sign in with Apple private key (with a Key ID) in our Apple Developer account.
  • Our server uses this private key to generate the client secret (JWT).
  • This is used for Sign in with Apple login on our web / mobile app.
  • We are planning to invalidate the existing private key and switch to a newly issued one.

Questions:

  1. Impact on existing logged-in sessions

    • Will rotating the private key force already logged-in users (who previously signed in with Apple) to be logged out from our service?
    • Can the user identifier (such as the "sub" claim) for existing Sign in with Apple users change due to key rotation?
  2. Recommended frequency and best practices

    • Does Apple recommend rotating this private key only when it is compromised, or on a regular basis?
    • If there are any official documents or examples that describe how to safely perform key rotation in production, we would appreciate a pointer.
  3. Impact on marketing / analytics

    • We are using user IDs (linked via Sign in with Apple) for analytics and marketing attribution. Is there any expected impact on such use cases caused by rotating the private key?
    • For example, is there any possibility that user identifiers change as a result of key rotation, or anything we should be careful about from a data linkage perspective?

Our goal is to rotate the private key in a secure way without causing service downtime, mass logouts, or loss of account linkage.

If there is already an official document that covers this, please let me know the URL.

Thank you in advance.
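As an added illustration, not part of the original post or of Apple's own code, the following Go program shows exactly what the private key in question touches: it signs the client_secret JWT that the server presents to Apple, and nothing else. It assumes the claim layout Apple documents for that secret (ES256 with the Key ID in the `kid` header, `iss` = Team ID, `sub` = client_id, `aud` = `https://appleid.apple.com`, an `exp`); the Team ID, Key IDs, client_id and the P-256 key pair are constructed in-process rather than taken from a developer account, and the `KeyRing` map stands in for the set of registered public keys only at the level of "look the key up by kid". It does not model Apple's user identifier, which is carried in Apple's identity token rather than in this secret; note that the `sub` of the client secret is the app's client_id and is the same under the old and the new key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SigningKey is one Sign in with Apple private key as the server holds it: the Key ID
// from the developer account plus the P-256 key (generated in-process here; in production it is the downloaded .p8 file).
type SigningKey struct {
	KID  string
	Priv *ecdsa.PrivateKey
}

func NewSigningKey(kid string) (*SigningKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningKey{KID: kid, Priv: priv}, nil
}

func b64enc(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }
func b64dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
// ClientSecret mints the client_secret JWT: ES256 with kid in the header, iss = Team ID,
// sub = client_id (bundle ID or Services ID), aud = https://appleid.apple.com, exp = now + ttl.
func ClientSecret(k *SigningKey, teamID, clientID string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": k.KID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID,
		"iat": now.Unix(),
		"exp": now.Add(ttl).Unix(),
		"aud": "https://appleid.apple.com",
		"sub": clientID,
	})
	signingInput := b64enc(header) + "." + b64enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, k.Priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s (32 bytes each), not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64enc(sig), nil
}

// KeyRing stands in for the public keys registered for the team: rotation adds the new kid and later removes the revoked one.
type KeyRing map[string]*ecdsa.PublicKey
// VerifyClientSecret does what the receiving side must do: select the key by kid, check the signature, reject expired tokens and revoked kids.
func VerifyClientSecret(ring KeyRing, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err1 := b64dec(parts[0])
	cb, err2 := b64dec(parts[1])
	sig, err3 := b64dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, errors.New("bad JWT encoding")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected JWT header")
	}
	pub, ok := ring[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown or revoked kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]interface{}
	if json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("bad claims segment")
	}
	if exp, _ := claims["exp"].(float64); now.Unix() > int64(exp) {
		return nil, errors.New("client secret expired")
	}
	return claims, nil
}

func main() {
	k, _ := NewSigningKey("KEYID00001") // constructed; real Key ID, Team ID and client_id come from the developer account
	secret, _ := ClientSecret(k, "TEAMID0000", "com.example.app", time.Now(), time.Hour)
	claims, err := VerifyClientSecret(KeyRing{k.KID: &k.Priv.PublicKey}, secret, time.Now())
	fmt.Println("verified:", err == nil, "sub =", claims["sub"])
}
```

Run as a rotation drill: mint a secret with the old key, add the new kid to the ring, switch minting to the new key, and only then delete the old kid. Secrets still carrying the old `kid` fail at the verifier from that moment, which is why the overlap window (both keys registered, new key already used for minting) is the part of any signing-key rotation that avoids an outage; the lookup by `kid` is also what makes the two keys coexist without ambiguity.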
