Hello,
I am currently in the process of migrating an app from Team A to Team B and attempting to generate transfer identifiers using the migration endpoint: POST https://appleid.apple.com/auth/usermigrationinfo (Content-Type: application/x-www-form-urlencoded).
However, I am consistently receiving an { "error": "access_denied" } response.
[Current Configuration]
- Team A (Source):
  - Primary App ID: com.example.primary
  - Grouped App IDs:
    - com.example.service (Services ID for Web)
    - com.example.app (App ID for iOS - The one being transferred)
  - All identifiers are under the same App Group.
- Team B (Destination):
  - New App ID and Key created.
[Steps Taken]
- Created a Client Secret (JWT) using Team A's Key ID and Team ID.
- The sub (subject) in the JWT is set to the Primary App ID of Team A.
- Requesting with client_id (Primary App ID), client_secret (JWT), and user_token.
[Questions]
1. App Group Impact: Does the fact that the App being transferred is a Grouped App ID (not the Primary) affect the usermigrationinfo request? Should I use the Primary App ID or the specific Grouped App ID as the client_id?
2. Ungrouping Safety: If I need to ungroup the App ID from the Primary App ID to resolve this:
   - Will existing users still be able to sign in without issues?
   - Is there any risk of changing the sub (user identifier) that the app receives from Apple?
   - Will this cause any immediate service interruption for the live app?
Any insights on why access_denied occurs in this Primary-Grouped configuration would be greatly appreciated.