Rotating String API Key

For a Swift package that requires app developers to set a String API key at the app level (one key per app, not per user), what is Apple’s recommended approach for allowing those keys to be securely rotated without requiring an App Store redeploy?

Answered by Security Engineer in 893086022

We recommend not storing secrets within your application. Exposing secrets to your application could lead to them leaking. Rather, keep API secrets within a server, and use App Attest to confirm the request is coming from your app: https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity
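The client half of the pattern in that answer, written out as an added example (this is not code from the answer above or from Apple's documentation): the app holds no API key at all; it attests an App Attest key with your own backend once per install, then signs each request body with an assertion so the backend, which keeps the third-party key, can verify the caller and make the upstream call. The endpoints `api.example.com/challenge`, `/attest` and `/proxy`, the `X-AppAttest-*` header names, and the `UserDefaults` key are assumptions for the example; the `DCAppAttestService` calls are the real DeviceCheck API.

```swift
import DeviceCheck
import CryptoKit
import Foundation

/// Client side of a "secret stays on the server" design.
/// The app never sees the API key; it only proves to our backend that the
/// request comes from a genuine instance of this app.
enum AttestedAPIClient {
    // Assumed backend routes for this example; replace with your own.
    static let challengeURL = URL(string: "https://api.example.com/challenge")!
    static let attestURL    = URL(string: "https://api.example.com/attest")!
    static let proxyURL     = URL(string: "https://api.example.com/proxy")!
    // Assumed local storage for the (public) key identifier; the private key
    // itself lives in the Secure Enclave and never leaves the device.
    static let keyIdDefaultsKey = "appattest.keyId"

    enum ClientError: Error { case unsupported, attestationRejected, requestRejected }

    /// Returns the attested App Attest key id, creating and attesting a key
    /// with the backend on first use. Attestation is a one-time cost per install.
    static func attestedKeyId() async throws -> String {
        let service = DCAppAttestService.shared
        guard service.isSupported else { throw ClientError.unsupported }
        if let keyId = UserDefaults.standard.string(forKey: keyIdDefaultsKey) {
            return keyId
        }

        let keyId = try await service.generateKey()
        // The backend issues a fresh one-time challenge so a captured attestation
        // object cannot be replayed against a different session.
        let (challenge, _) = try await URLSession.shared.data(from: challengeURL)
        let clientDataHash = Data(SHA256.hash(data: challenge))
        let attestation = try await service.attestKey(keyId, clientDataHash: clientDataHash)

        var req = URLRequest(url: attestURL)
        req.httpMethod = "POST"
        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
        req.httpBody = try JSONEncoder().encode([
            "keyId": keyId,
            "attestation": attestation.base64EncodedString(),
            "challenge": challenge.base64EncodedString(),
        ])
        let (_, response) = try await URLSession.shared.data(for: req)
        guard (response as? HTTPURLResponse)?.statusCode == 200 else {
            throw ClientError.attestationRejected
        }
        UserDefaults.standard.set(keyId, forKey: keyIdDefaultsKey)
        return keyId
    }

    /// Sends `body` through the backend proxy. The assertion signs the SHA-256 of
    /// the exact body, so a modified or replayed body fails verification server-side.
    static func send(_ body: Data) async throws -> Data {
        let keyId = try await attestedKeyId()
        let clientDataHash = Data(SHA256.hash(data: body))
        let assertion = try await DCAppAttestService.shared
            .generateAssertion(keyId, clientDataHash: clientDataHash)

        var req = URLRequest(url: proxyURL)
        req.httpMethod = "POST"
        req.setValue(keyId, forHTTPHeaderField: "X-AppAttest-KeyId")
        req.setValue(assertion.base64EncodedString(), forHTTPHeaderField: "X-AppAttest-Assertion")
        req.httpBody = body
        let (data, response) = try await URLSession.shared.data(for: req)
        guard (response as? HTTPURLResponse)?.statusCode == 200 else {
            throw ClientError.requestRejected
        }
        return data
    }
}
```

On the backend, the assertion is validated as described in Apple's App Attest documentation (signature over `authenticatorData || clientDataHash` with the public key stored at attestation time, plus a strictly increasing counter per key), and only then is the upstream call made with the real API key. Because that key exists only on the server, rotating it is a server configuration change; no app update ships a new key, which is the rotation problem the question asks about.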
