CKQuerySubscription on public database failing with BAD_REQUEST in Production — distinct from iOS 26.4 silent-push regression

Question

Created 2d

Replies 3

Boosts 0

Participants 2

Hello,

I'm hitting a persistent CKQuerySubscription save failure on the public database in my Production CloudKit container. I want to flag this is NOT the iOS 26.4 silent-push regression resolved in 26.4.1 (I've confirmed it manifests differently and on devices that predate that bug).

App: Win 10 Min (com.luiz.PandaApp) Container: iCloud.com.luiz.PandaApp Current shipping version: 3.2.1 build 420 (approved 2026-05-19) Public database

THE ERROR (captured from CKError.userInfo)

CKErrorCode 12 (badRequest) CKInternalErrorDomain code 2006 ("BadSyntax") ServerErrorDescription: "attempting to create a subscription in a production container"

Execution time per failed attempt: 45-90ms (gateway-level rejection, not data validation).

CODE

let subscription = CKQuerySubscription( recordType: "GuardianRequest", predicate: NSPredicate(format: "guardianRecordName == %@", me), subscriptionID: "guardian-incoming-(me)", options: [.firesOnRecordCreation] ) let info = CKSubscription.NotificationInfo() info.shouldSendContentAvailable = true subscription.notificationInfo = info try await container.publicCloudDatabase.save(subscription)

The .save() throws every time.

REPRODUCES ACROSS

iPhone on iOS 26.4.2 (i.e., has the 26.4.1 CloudKit regression fix)
iPhone on iOS 18.6.x (predates the 26.4 regression entirely)
Multiple distinct Apple IDs / userId hashes
Fresh installs via TestFlight
Updated installs from production

CONSISTENTLY: USER_ERROR / BAD_REQUEST. Same error every time.

WHY THIS ISN'T THE iOS 26.4 REGRESSION (Thread 820562)

That regression caused silent notifications to be DROPPED client-side AFTER successful subscription creation. Our failure is SubscriptionCreate itself being rejected by the CloudKit server before any subscription exists. Different layer, different symptom. iOS 18.6.x devices also fail (they never had the 26.4 token-validation regression code).

CLOUDKIT CONSOLE LOGS (sample request UUIDs Apple engineers can lookup)

EB30E9D0-8C97-4685-BD16-3E79B3328D6F (2026-05-17 8:08 UTC) EEAA0606-5B50-4640-A950-EEA33B790B8E (2026-05-17, captured in-app) EB4C90CE-9172-4942-B00F-DE4A28388FBA (2026-05-19 7:18 UTC, iOS 18.6.x) F2DF69D9-2339-437A-B59B-7FBD4D57442F (2026-05-19 7:51 UTC, iOS 26.4.x)

CloudKit Console → Production → Subscriptions: 0 entries despite 70+ attempts since 2026-05-11.

WHAT I'VE VERIFIED / TRIED

Schema: GuardianRequest.guardianRecordName and GuardianResponse.requesterRecordName both have QUERYABLE indexes in the Production schema (confirmed in Console).
Field types: all STRING.
aps-environment entitlement: "production" (changed from "development" in build 420; no change in error pattern).
Push Notifications capability: enabled on App ID in Developer Portal AND in Xcode Signing & Capabilities for the main app target.
UIBackgroundModes: includes "remote-notification".
Re-deployed Production schema from Development on 2026-05-19 (Console reported "no changes"; failure pattern unchanged).
Tried with and without info.desiredKeys = [].
RecordQuery operations on the same fields and record types in the same container succeed consistently.

QUESTIONS

Is there a known infrastructure issue affecting public database CKQuerySubscription creation that is distinct from the iOS 26.4 regression (thread 820562)?
Is there a per-container configuration that may be in an unexpected state, and if so what should I check?
Are there workarounds beyond schema redeployment that have helped other developers in similar situations?

Thanks for any guidance.

Boost

Answer 1

DTS Engineer OP

Apple

1d

I don't have an immediate answer just yet, but would like to check the following:

Are you testing with a device that is logged in with an iCloud account? Without a valid iCloud account, your app can't write to the CloudKit database.
Do you have any special configuration on the security roles (CloudKit Console > Schema > Security Roles), which prevents the your account to write to the database?
For debugging purpose, would you mind to try with visible notifications, as shown in the following code example?

extension CKDatabase {
    public func addQuerySubscription(_ recordType: String, subscriptionID: String, predicate: NSPredicate? = nil,
                                     options: CKQuerySubscription.Options, operationQueue: OperationQueue? = nil,
                                     completionHandler: @escaping (CKSubscription?, Error?) -> Void) {
        let predicate = predicate ?? NSPredicate(value: true)
        let subscription = CKQuerySubscription(recordType: recordType, predicate: predicate,
                                               subscriptionID: subscriptionID, options: options)
        let notificationInfo = CKSubscription.NotificationInfo()
        notificationInfo.shouldBadge = true
        notificationInfo.alertBody = "Changed \(recordType) satisfying \(predicate.predicateFormat)"
        // notificationInfo.shouldSendContentAvailable = false
        
        subscription.notificationInfo = notificationInfo
        
        let operation = CKModifySubscriptionsOperation(subscriptionsToSave: [subscription], subscriptionIDsToDelete: nil)
        operation.modifySubscriptionsCompletionBlock = { savedSubscriptions, _, error in
            completionHandler(savedSubscriptions?.first, error)
        }
        add(operation, to: operationQueue)
    }
}

Best,
——
Ziqiao Chen
 Worldwide Developer Relations.

1

Answer 2

lfsdalmeida OP

13h

Hi Ziqiao, thank you, both suggestions were worth testing. Unfortunately neither resolves it. Reporting back with results and fresh request IDs you can correlate server-side.

Setup: container iCloud.com.luiz.PandaApp, PUBLIC database. Two CKQuerySubscriptions, options: [.firesOnRecordCreation], simple equality predicates (guardianRecordName == %@, requesterRecordName == %@).

Visible NotificationInfo (your point #3). Set alertBody, shouldBadge = true, and category; did not set shouldSendContentAvailable. Subscription save still fails:

CKError code 12; CKInternalErrorDomain 2006 "BadSyntax"; ServerErrorDescription: "attempting to create a subscription in a production container." Server log: RequestUUID 9BD2E50A-60DF-4DDA-86EF-B91E27192F33 (Op 46EA29B4FF3AFC28), SubscriptionCreate / PUBLIC / USER_ERROR / BAD_REQUEST, ~65–82 ms (20 May 2026 ~15:07 UTC). 2) CKModifySubscriptionsOperation instead of CKDatabase.save(_:). Same failure:

Server logs (21 May 2026 ~04:12 UTC): RequestUUID 3276D248-EBCA-4D33-8C47-9E491AD249F3 (Op FCC08756EB6CA504) and RequestUUID 33D892A3-480B-48BE-8935-F7149FB2F622 (Op 92294938173AE34D), both SubscriptionCreate / PUBLIC / USER_ERROR / BAD_REQUEST. (Note: the per-subscription error surfaces via perSubscriptionSaveBlock; the overall modifySubscriptionsResultBlock reported success, so the client looked successful while the server rejected the save.) Additional facts:

An earlier test with NSPredicate(value: true) failed with the identical error — so it isn't the predicate. CKRecord saves to this same PUBLIC database succeed routinely (we create GuardianRequest/GuardianResponse records); only SubscriptionCreate fails — so this isn't iCloud sign-in or record-level write permission. Reproduced on iOS 26.4.x and on a second Apple ID on iOS 18.6.x, so it's distinct from the iOS 26.4 silent-push regression (Thread 820562). Re point #2: I reviewed Schema → Security Roles — [FILL IN what you found]. Predicate, NotificationInfo (silent and visible), and the save API have all been varied with no change; the rejection is identical at the gateway.

Questions: (1) Is this the known CKError 12 / "production container" server-side issue? (2) Is there a server-side remediation or a CloudKit Console action on our side (re-deploy schema, Security Roles change) that would unblock SubscriptionCreate for this container's PUBLIC database? (3) If a server-side fix is required, should I file a TSI/Feedback referencing these RequestUUIDs?

Thank you!

0

Answer 3

lfsdalmeida OP

2h

Quick follow-up on point #2 (Security Roles): checked Schema → Security Roles. GuardianRequest and GuardianResponse grant Read via _world, Create via _icloud, Write via _creator — a standard public-DB config. The Read permission query subscriptions need is present, so Security Roles don't appear to be the cause.

0