Hi everyone,
I am building an SMS filtering app using the IdentityLookup framework. My main application handles the user login and receives a JWT. I need my ILMessageFilterExtension to use this JWT to authenticate its backend requests via context.deferQueryRequestToNetwork.
Since the extension is sandboxed and doesn't share a URLSession or standard Keychain with the main app, I am trying to use the Shared Web Credentials mechanism as suggested in the documentation.
My Questions:
-
Is SecAddSharedWebCredential still the recommended way to "bridge" a token from the main app to the messagefilter service in 2026?
-
If the backend returns a 401 Unauthorized with a WWW-Authenticate: Basic realm="api.mydomain.com" header, will iOS automatically retry the request with the stored token?
-
Are there any specific AASA (Apple App Site Association) requirements for the messagefilter key? Does it need to be a separate top-level object or nested?
Current Setup:
- Entitlements: Both Main App and Extension have messagefilter:api.mydomain.com and webcredentials:api.mydomain.com.
Main App Code:
Swift
SecAddSharedWebCredential("api.mydomain.com" as CFString, "UserAccount" as CFString, "my_jwt_token" as CFString) { error in
// Returns nil (success)
}
AASA File:
JSON
{
"messagefilter": {
"apps": ["TEAMID.bundle.id"]
}
}
Despite this, I see the first 401 in my server logs, but the automatic retry with the Authorization header never happens. Has anyone successfully implemented this "silent" handshake recently?