I'm implementing Sign in with Apple for a web-only service (Services ID associated with a primary App ID, plus a private key for the client secret JWT). Before I finalize the setup I want to confirm one prerequisite, because two of Apple's own pages give different answers.
"Configuring your environment for Sign in with Apple" states that to authenticate users with a web service you must have an existing app in the App Store that uses Sign in with Apple: https://developer.apple.com/documentation/signinwithapple/configuring-your-environment-for-sign-in-with-apple
"Configure Sign in with Apple for the web" (Account Help) only says to associate your website with an existing primary App ID enabled for Sign in with Apple — i.e., just a registered identifier, with no mention of a published app: https://developer.apple.com/help/account/capabilities/configure-sign-in-with-apple-for-the-web/
My question: for a web-only service, is a published (or in-review) App Store app actually required, or is a registered App ID identifier with the Sign in with Apple capability enabled sufficient on its own? And if a published app isn't required, is the "existing app in the App Store" wording just meant to describe the App ID rather than a live listing?
I've contacted Developer Support and was pointed back to the general docs, which are the source of the contradiction rather than the answer, so I'm hoping an engineer or someone who has shipped a web-only setup can confirm which prerequisite governs.
Thanks in advance.