Rotating String API Key

Privacy & Security General
caleb_ras OP
Created 6h
Replies 1
Boosts 0
Views 47
Participants 2
This post is from the WWDC26 Privacy & Security Q&A.

For a Swift package that requires app developers to set a String API key at the app level (one key per app, not per user), what is Apple’s recommended approach for allowing those keys to be securely rotated without requiring an App Store redeploy?

Replies  1
Boosts  0
Views  47
Participants  2
DTS Engineer OP
Apple
5h

We recommend to not store secrets within your application. Exposing secrets to your application could lead to them leaking. Rather, keep API secrets within a server, and use App Attest to confirm the request is coming from your app: https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity .

Rotating String API Key
First post date Last post date
 
 
Q