Would really appreciate support with this invalid_client issue: I have a web app and have aligned the JWT Header and Payload JWT Header { "alg": "ES256", "kid": "ABC123DEFG" } JWT Payload { "iss": "DEF123GHIJ", "iat": 1234567890, "exp": 1234567890, "aud": "https://appleid.apple.com", "sub": "com.yourapp.service" The domains and callback are aligned and correct I've even created a new p8 and updated the Key_ID Sending Credentials to Apple (Token Request) Content-Type: application/x-www-form-urlencoded However, still no luck. Can anyone assist with identifying the possible error? Many thanks

Hi, Before I begin my investigation, I want to explain our code-level support process for issues related to Sign in with Apple—as the issue you’re reporting may be the result of any of the following: An error in your app or web service request. A configuration issue in your Developer Account. An internal issue in the operation system or Apple ID servers. To ensure the issue is not caused by an error within your app or web service request, please review TN3107: Resolving Sign in with Apple response errors to learn more about common error causes and potential solutions when performing requests. If the technote does not help identify the cause of the error, I need more information about your app or web services to get started. To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback. Gathering required information for troubleshooting Sign in with Apple authorization and token requests For issues occurring with your native app, perform the following steps: Install the Accounts/AuthKit profile on your iOS, macOS, tvOS, watchOS, or visionOS device. Reproduce the issue and make a note of the timestamp when the issue occurred, while optionally capturing screenshots or video. Gather a sysdiagnose on the same iOS, macOS, tvOS, watchOS, or visionOS device. Create a report in Feedback Assistant, and ensure your feedback contains the following information: the primary App ID or Bundle ID the user’s Apple ID, email address, and/or identity token the sysdiagnose gathered after reproducing the issue the timestamp of when the issue was reproduced screenshots or videos of errors and unexpected behaviors (optional) For issues occurring with your web service, ensure your feedback contains the following information: the primary App ID and Services ID the user’s Apple ID, email address, and/or identity token the failing request, including all parameter values, and error responses (if applicable) the timestamp of when the issue was reproduced (optional) screenshots or videos of errors and unexpected behaviors (optional) Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue. Submitting your feedback Before you submit to Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client. After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

"Our app has absolutely no integration with DiDi login. We only integrate WeChat, QQ, carrier, and Apple ID login, and all related login entry icons are local resources. On an iPhone 16 Pro Max device with iOS system version 18.7, there was one isolated incident where the Apple ID login entry icon mysteriously changed to the DiDi app icon. What could be the possible iOS system-level causes for this?"

We are working on a PoC iOS App to use "Sign in with Apple" on iOS. The app needs to authenticate the current user on MDM managed corporate iPads (with Shared iPad enabled) and each user having a Managed Apple ID (created in Apple Business Manager). We have started with Apple's example app: https://developer.apple.com/documentation/authenticationservices/implementing-user-authentication-with-sign-in-with-apple When we run it on a normal iPad (without MDM supervision) it works fine. When we run the same code on a managed iPad with Shared iPad enabled and Managed Apple ID's the app errors out when a user taps the "Sign in with Apple" button. A User-facing error message is displayed: “Your Apple Account cannot be used to create accounts for other apps.” And when we run the app from Xcode we see the following logs: Authorization failed: Error Domain=AKAuthenticationError Code=-7027 "(null)" UserInfo={AKClientBundleID=com.sampleapp.test2} LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=72, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Attempt to map database failed: permission was denied. This attempt will not be retried. Failed to initialize client context with error Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=72, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Failed to get application extension record: Error Domain=NSOSStatusErrorDomain Code=-54 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" Could not authenticate: The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1000.) We have confirmed that in ABM "Sign in with Apple" feature is enabled with "Allowed apps": "All apps". We have also confirmed that the Managed AppleIDs created in ABM have no field to provide the birthday of the user and therefore ruling out age restrictions for "Sign in with Apple". Is "Sign in with Apple" supported in MDM managed iPADs with Shared iPad enabled and managed AppleIDs? If it is supported, do we know what other configurations we need to get it to work? Do we know why "Sign in with Apple" would error out with Authorization failed: Error Domain=AKAuthenticationError Code=-7027 "(null)" UserInfo={AKClientBundleID=com.sampleapp.test2} LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=72, Environment: • iPadOS version: IPadOS Version 18.7 • Xcode version: Version 26.0 (17A324) • Device type: iPad Air 11-inch (M3) in Shared iPad mode • Account type: Managed Apple ID created in ABM enrolled with Intune MDM) Thank you

I am getting the following errors. The app used to work and now does not, even without any code changes. Any thoughts on resolving this issue? Authorization failed: Error Domain=AKAuthenticationError Code=-7026 "(null)" Us erInfo={AKClientBundleID=<bundleid>} LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" Us erInfo={NSDebugDescription=process may not map database, _LSLine=72, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Attempt to map database failed: permission was denied. This attempt will not be retried. Failed to initialize client context with error Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" Us erInfo={NSDebugDescription=process may not map database, _LSLine=72, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Failed to get application extension record: Error Domain=NSOSStatusErrorDomain Code=-54 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)"

Hello, We are working on integrating app integrity verification into our service application, following Apple's App Attest and DeviceCheck guide. Our server issues a challenge to the client, which then sends the challenge, attestation, and keyId in CBOR format to Apple's App Attest server for verification. However, we are unable to reach both https://attest.apple.com and https://attest.development.apple.com due to network issues. These attempts have been made from both our internal corporate network and mobile hotspot environments. Despite adjusting DNS settings and other configurations, the issue persists. Are there alternative methods or solutions to address this problem? Any recommended network configurations or guidelines to successfully connect to Apple's App Attest servers would be greatly appreciated. Thank you.

Dear Apple Developer Technical Support, We are currently following the official Apple documentation “TN3159: Migrating Sign in with Apple users for an app transfer” to carry out a Sign in with Apple user migration after successfully transferring several apps to a new developer account. Here is a summary of our situation: Under the original Apple developer account, we had five apps using Sign in with Apple, grouped under a shared primary app using App Grouping. Recently, we transferred three of these apps to our new Apple developer account via App Store Connect. After the transfer, these three apps are no longer associated with the original primary App ID. We reconfigured individual Services IDs for each app in the new account and enabled Sign in with Apple for each. More than 24 hours have passed since the app transfer was completed. Now we are attempting to follow the migration process to restore user access via the user.migration flow. Specifically, we are using the following script to request an Apple access token: url = "https://appleid.apple.com/auth/token" headers = {"Content-Type": "application/x-www-form-urlencoded"} data = { "grant_type": "client_credentials", "scope": "user.migration", "client_id": "com.game.friends.ios.toptop.sea", # New Services ID in the new account "client_secret": "<JWT signed with new p8 key>" } response = requests.post(url, headers=headers, data=data) However, the API response consistently returns: { "error": "invalid_client" } We have verified that the following configurations are correct: The client_secret is generated using the p8 key from the new account, signed with ES256 and correct key_id, team_id, and client_id. The client_id corresponds to the Services ID created in the new account and properly associated with the migrated app. The scope is set to user.migration. The JWT payload contains correct iss, sub, and aud values as per Apple documentation. The app has been fully transferred and reconfigured more than 24 hours ago. Problem Summary & Request for Support: According to Apple’s official documentation: “After an app is transferred, Apple updates the Sign in with Apple configuration in the background. This can take up to 24 hours. During this time, attempts to authenticate users or validate tokens may fail.” However, we are still consistently receiving invalid_client errors after the 24-hour waiting period. We suspect one of the following issues: The transferred apps may still be partially associated with the original App Grouping or primary App ID. Some Sign in with Apple configuration in Apple’s backend may not have been fully updated after the transfer. Or the Services ID is not yet fully operational for the transferred apps in the new account. We kindly request your assistance to: Verify whether the transferred apps have been completely detached from the original App Grouping and primary App ID. Confirm whether the new Services IDs under the new account are fully functional and eligible for Sign in with Apple with user.migration scope. Help identify any remaining configuration or migration issues that may cause the invalid_client error. If necessary, assist in manually ungrouping or clearing any residual App Grouping relationships affecting the new environment. We have also generated and retained the original transfer_sub identifiers and are fully prepared to complete the sub mapping once the user.migration flow becomes functional. Thank you very much for your time and support!

I keep getting invalid_client, here is a test login: https://www.bella-booking.ch/_get_incl/test_apple_login.cfm Any help appreciated. NOTE: Everey other error, like wrong reroute or wrong client id, a different error will be sent frpm apple, after I checked all and crosschecked with jwt.io, it keep getting invalid_client. Any clue? If the response is correct, the token should be displayed on the page. Thx

Hi! I'm trying to add Sign in with Apple to my macOS app. I enabled this capability from the developer portal and created the corresponding certificate & provisioning profile (both of type Developer ID Application.) However, Xcode keeps prompting me that the profile doesn't support Sign in with Apple. If I enable Automatically manage signing from Xcode, I can build and run the app but not distribute. If I turn it off and use the profile I got, it just keeps showing the errors below and doesn't even let me build.

Please provide a descriptive title for your feedback: Downloading Developer ID provisioning profiles - missing new entitlements Which area are you seeing an issue with? App Store Connect What type of feedback are you reporting? Incorrect/Unexpected Behavior Please provide the App name/App ID if possible: com.onexengineering.themedeck.macos Please describe the issue and what steps we can take to reproduce it bug in App Store Connect where downloading Developer ID provisioning profiles are missing the new entitlements regenerated from scratch -- App Store Connect says entitlements are good, but actual file confirms entitlements are missing App Store provisioning profiles seem to be unaffected (ignore my incorrect naming of files)

Hello, We’ve resumed the migration process after a break. Since my colleague is no longer with us, I had to go through the steps again myself. As before, we’re trying to migrate "Sign In with Apple" users from tenant TENANT_A with client_id=CLIENT_ID_A to tenant TENANT_B with client_id=CLIENT_ID_B I followed the procedure described here: [Apple Developer Documentation](https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer – Migrating Sign In with Apple Users, essentially repeating what my coworker previously attempted in coordination with your employee Stephanie. Here’s a summary of the steps and the issue we’re facing: STEP 1 - get authcode for TEAM A curl --location 'https://appleid.apple.com/auth/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'scope=user.migration' --data-urlencode 'client_id=pl.CLIEND_ID_A' --data-urlencode 'client_secret=<TEAM_A_SECRET>' I receive response: { "access_token": "<ACCESS_TOKEN_TEAM_A>", "token_type": "Bearer", "expires_in": 3600 } STEP 2 - get authcode for TEAB B curl --location 'https://appleid.apple.com/auth/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'scope=user.migration' --data-urlencode 'client_id=CLIENT_ID_B' --data-urlencode 'client_secret=<TEAB_B_SECRET>' I receive response: { "access_token":"<ACCESS_TOKEN_TEAB_B>", "token_type": "Bearer", "expires_in": 3600 } STEP 3 - get transfer_sub from TEAM A curl --location 'https://appleid.apple.com/auth/usermigrationinfo' --header 'Authorization: Bearer <ACCESS_TOKEN_TEAM_A>' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=CLIENT_ID_A' --data-urlencode 'client_secret=<TEAM_A_SECRET>' --data-urlencode 'sub=USER_SUB_FROM_TEAM_A' --data-urlencode 'target=TENANT_B' I receive response: { "transfer_sub": "USER_SUB_FROM_TEAM_B" } STEP 4 - Team B exchanges transfer identifers curl --location 'https://appleid.apple.com/auth/usermigrationinfo' --header 'Authorization: Bearer <ACCESS_TOKEN_TEAM_B' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=CLIENT_ID_B' --data-urlencode 'client_secret=<TEAM_B_SECRET>' I receive response: { "error": "invalid_request" } We’ve created a new client_id under tenant B and want to migrate users there. However, we skipped the step described in Step 3 of the documentation(https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer#3-Team-A-initiates-app-transfer-to-Team-B), which involves initiating an app transfer. The reason is that this client_id is used solely for web authentication, not for a mobile app, so we don’t have an app to transfer. Based on our analysis and your documentation, it seems this flow only works if the client_id matches across both tenants, which can only be achieved through an app transfer, something we cannot proceed with. Apple previously insisted that we migrate these users, but as shown above, we’re stuck. Is there any alternative flow available, or can you assist us in completing this migration?

Hello, I’m trying to set up Sign In with Apple for my Firebase Authentication integration. Steps I followed: Created a Service ID in Apple Developer, e.g. com.example.myapp.signin. Tried to enable Sign In with Apple and configure the Web Authentication Configuration. Web Domain: myapp.firebaseapp.com Return URL: https://myapp.firebaseapp.com/__/auth/handler When I click Save, I get the following error in the browser console and a blank response page: Unsupported Request PATCH to http://developer.apple.com/services-account/v1/bundleIds/XXXXXXXX not supported. Reference #... What I have verified so far: My Apple Developer Program membership is active (paid). My App ID (e.g. com.example.myapp) exists in Identifiers. The App ID has Sign In with Apple capability checked. I need to link the Service ID with this App ID for Firebase web-based auth. Goal: Complete setup of Apple as a sign-in provider in Firebase Authentication. To do this, Apple requires me to add the Firebase return URL above, but the Developer Portal prevents saving with the 501 error. Has anyone else run into this, and is there a workaround (e.g. enabling via Xcode, App Store Connect, or other methods)? Is this a known bug with the Apple Developer Portal? Here is the screenshot of the error: And Response part: Thanks in advance!

Sign up not completed when I log to an app using apple id. What should i do?

Hello, our Sign in with Apple Button no longer works and throws an 7003 error. It worked a few days ago but suddenly fails. Any ideas how to fix this? Thanks in advance! plist: <dict> <key>com.apple.developer.applesignin</key> <array> <string>Default</string> </array> ... Code: var body: some View { VStack { SignInWithAppleButton(.signUp) { request in request.requestedScopes = [.fullName, .email] } onCompletion: { result in switch result { case .success(let authResults): handleSuccess(authorization: authResults) case .failure(let error): self.credentialFailure = true self.errorMessage = .appleSignInError logger.error("SIWA login failure: \(error)") } } .signInWithAppleButtonStyle(.white) .cornerRadius(GlobalValues.cornerRadius) } } Error: Authorization failed: Error Domain=AKAuthenticationError Code=-7003 "(null)" UserInfo={AKClientBundleID=com.our.app} ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "(null)" SIWA login failure: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "(null)"

Hi! We're having issues with the sign in flow, starting today. As per the documentation, the issuer of the tokens should be https://appleid.apple.com sign in docs. But in the published configuration, it is now stated as https://account.apple.com metadata endpoint. Once the token is received through the sign in flow, the issuer is however still appleid.apple.com. This is causing problems for us where we expect the issuer in the metadata endpoint to be the same as the actual token issuer. What is correct here?

We have integrated Sign in with Apple into our iOS project using the recommended implementation from your documentation,However, we are experiencing issues when testing with the following: Bundle ID: com.app.*** Using real certificates from our Apple Developer account Issue Details: On real devices, after entering the Apple ID password, we receive a message saying: "Sign-up not completed" On simulators, the flow gets stuck after entering the password no further progress occurs. We are not receiving any explicit error messages in the console or logs. We also tested with the official Apple sign-in demo code from the documentation link above, and the same issue occurred. Our team has confirmed that all necessary configurations have been set correctly, and the same implementation works on other accounts. We would appreciate your assistance in identifying the root cause and helping us resolve this issue. Thank you,

Hi https://appleid.apple.com/auth/authorize?client_id=com.adobe.services.adobeid-na1.web shows: invalid_request But https://appleid.apple.com/auth/authorize?client_id=xrqxnpjgps shows: invalid_client I've created a Primary App ID and ticked "Sign In with Apple". I've created a Service ID and ticked "Sign In with Apple" (identifier is xrqxnpjgps). When I click "Configure" for the "Sign In with Apple" of the Service ID, it is linked to the Primary App ID. Why do I get an invalid_client error? I've contacted the support by mail, and have been redirected here, does someone here have the ability/access/knowledge/will to figure out the cause and then tell me? Regards

Hello, I am at wits' end with the Apple Sign-in api. I have tested in stage and it works beautifully, but when i push to production it gives me the error "invalid_client". I'm confident the setup is correct, when I asked Apple for help over the phone, they sent me a few forums with no answers. Has anyone had the same issue? How did you resolve? Could it be because I have two app IDs and two service IDs? (prod + stage) Help!

Apple Sign In - "Sign up not completed" Error in Development Build (React Native / Expo) Problem Summary I'm implementing Apple Sign In in a React Native app using expo-apple-authentication. The Apple sign-in dialog appears as expected, but after tapping "Continue," it displays the message: "Sign up not completed". No credential is returned, and the promise eventually rejects with ERR_REQUEST_CANCELED. App Configuration Platform: React Native (Expo SDK 52) Library: expo-apple-authentication v7.1.3 Target: iOS development build (not Expo Go) Bundle ID: com.example.appname.nativetest (new App ID created for testing) Apple Developer Console Setup (Reviewed Carefully) App ID Explicit App ID (not a wildcard) "Sign In with Apple" capability enabled No associated Services IDs or Sign In with Apple Keys Provisioning Profile Development profile created for the test App ID Profile includes the test device and development certificate Installed successfully and used to sign the app Certificates and Signing Valid Apple Developer Program membership Development certificate installed and selected during build App installs and launches properly on the test device Implementation Attempts Attempt 1: Supabase OAuth Method Initially tried using Supabase’s built-in Apple OAuth provider: Configured with team ID, key ID, and JWT credentials Proper redirect URLs and scheme were in place Resulted in OAuth URL pointing to Supabase instead of Apple, with incomplete client ID Ultimately moved to native implementation for improved control and reliability Attempt 2: Native Apple Sign In (Current Approach) Using expo-apple-authentication with the following code: const credential = await AppleAuthentication.signInAsync({ requestedScopes: [ AppleAuthentication.AppleAuthenticationScope.FULL_NAME, AppleAuthentication.AppleAuthenticationScope.EMAIL, ], }); Relevant app.config.js Section: ios: { bundleIdentifier: 'com.example.appname.nativetest', usesAppleSignIn: true, infoPlist: { NSAppTransportSecurity: { NSAllowsArbitraryLoads: true, NSAllowsLocalNetworking: true, }, }, }, plugins: ['expo-apple-authentication'] Observed Behavior AppleAuthentication.isAvailableAsync() → true Credential state → NOT_FOUND (expected for new user) Apple Sign In dialog appears and allows interaction User taps "Continue" → dialog reports "Sign up not completed" Eventually returns: [Error: The user canceled the authorization attempt], code ERR_REQUEST_CANCELED Confirmed Working Aspects AppleAuthentication API is available and initialized App is signed correctly and launches on the physical test device Apple Sign In dialog appears with correct styling and options Same result observed across both Wi-Fi and cellular networks Clean Setup and Debugging Performed Removed all previous build artifacts Created a new App ID and new provisioning profile Rebuilt the app using expo run:ios --device Validated entitlements and provisioning assignments Removed any Services IDs and Apple Sign In keys used in previous attempts Verified ATS (App Transport Security) policies allow dev-time communication Environment Information Device: iPhone (not simulator) iOS Version: 18.5 Xcode: Latest version Apple ID: Developer account with 2FA enabled Build Method: EAS CLI using expo run:ios --device Open Questions Has anyone experienced the "Sign up not completed" issue with a clean native implementation in Expo? Are there known limitations when testing Apple Sign In in local development builds? Could prior Apple ID authorization attempts impact sign-in behavior during testing? Are there any additional configuration steps, Info.plist changes, or entitlements required beyond those listed above? Thank you in advance for any suggestions or guidance. We’re hoping this is simply a configuration detail that needs to be adjusted.

Hello, I'm developing an iOS app that includes a Sign In with Apple feature. I’ve completed the following setup steps: Enabled Sign In with Apple for the app’s Bundle ID in the Apple Developer Console. Added Sign In with Apple capability in Xcode under Signing & Capabilities. Tested the feature on a real device, not a simulator. Registered the real device ID in the Developer Console just in case any hidden permission issues exist. Despite following all the necessary steps (and even using the official Apple sample code) the Sign In bottom sheet displays a "Sign Up Not Completed" message. Unfortunately, I don’t receive any further error details to help diagnose the issue. After searching through StackOverflow and this forum, I came across posts suggesting that the feature might take up to 48 hours to become active after setup. Is this still the case in 2025? Or is there something I might be missing? For additional context: other features such as APNs (Push Notifications) are working as expected. Thank you in advance for any help or insight!