Hello Apple Team We are integrating App Attest with our backend and seeing a 400 Bad Request response when calling the attestation endpoint. The issue is that the response does not include an X-Request-ID or JSON error payload with id and code, which makes it hard to diagnose. Instead, it only returns a receipt blob. Request Details URL: https://data-development.appattest.apple.com/v1/attestationData Request Headers: Authorization: eyJraWQiOiI0RjVLSzRGV1JaIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJOOVNVR1pNNjdRIiwiZXhwIjoxNzU3MDUxNTYwLCJpYXQiOjE3NTcwNDc5NjB9.MEQCIF236MqPCl6Vexg7RcPUMK8XQeACXogldnpuiNnGQnzgAiBQqASdbJ64g58xfWGpbzY3iohvxBSO5U5ZE3l87JjfmQ Content-Type: application/octet-stream Request Body: (Binary data, logged as [B@59fd7d35) Response Status: 400 Bad Request Response Headers: Date: Fri, 05 Sep 2025 04:52:40 GMT x-b3-traceid: 4c42e18094022424 x-b3-spanid: 4c42e18094022424 Response Body (truncated): "receipt": h'308006092A864886F70D01070... Problem The response does not include X-Request-ID. The response does not include JSON with id or code. Only a receipt blob is returned. Questions Can the x-b3-traceid be used by Apple to trace this failed request internally? Is it expected for some failures to return only a receipt blob without X-Request-ID? How should we interpret this error so we can handle it properly in production? Thanks in advance for your guidance.

I want iOS device identifier for a framework that is used in multiple vendor's apps. I'm developing a framework to control a peripheral. The framework has to send unique information to register the device with the peripheral. My naive idea was to use IdentifierForVendor. But this API provides the device identifier for the same vendor's apps, not the framework. (The framework will be used by multiple vendors.) Is there a usable device identifier for the framework, regardless of app vendor? Please tell me any solution.

There is a sudden surge of users in our apps with invalidated biometrics. Even though the issue is being handled correctly and the user has another way to login, some of the users forgot their passwords and they can not login. Is there any known issue with Biometrics in iOS 18.3.2 or later? There is a (possible) related discussion here: https://discussions.apple.com/thread/256011565

The Passwords App is accessing websites found in the ASCredentialIdentityStore associated with a 3rd Party password management app (SamuraiSafe). This behaviour appears to be associated with looking up website favicons in order to display in Passwords. However the websites contacted are not stored in the Passwords App/iCloud KeyChain - only the 3rd Party password management app (SamuraiSafe). This is effectively leaking website information stored in the 3rd Party password management app. I first noticed this behaviour on macOS, and it appears to happen every 8 days. Today it was seen on iOS. The behaviour is revealed through the App Privacy Report on iOS (and LittleSnitch on macOS). I would not be surprised to see the Passwords App do this for websites saved in the Passwords App/iCloud KeyChain, however I believe it should not be arbitrarily testing every website found in the ASCredentialIdentityStore as reference to that website url should be entirely under the control of the end user. See attached screenshots from App Privacy Report. Filed bug with Apple: FB16682423

Hi everyone, I’m developing a multiplayer iOS game that uses Multipeer Connectivity for local peer-to-peer networking. I’d like to display user-assigned device names in the UI to help players identify each other during the connection process. In iOS 16 and later, accessing UIDevice.current.name requires the User-Assigned Device Name Entitlement. The documentation states that the entitlement is granted for functionality involving “interaction between multiple devices that the same user operates”. My game is strictly multiplayer, with devices owned by different users, not a single user managing multiple devices. I have a few questions regarding this: Does the requirement for “devices operated by the same user” definitively exclude multiplayer scenarios where devices belong to different players? Can a Multipeer Connectivity-based game qualify for the entitlement in this case? If the entitlement is not applicable, is prompting users to enter custom names the recommended approach for identifying devices in a multiplayer UI? Has anyone successfully obtained this entitlement for a similar multiplayer use case with Multipeer Connectivity? Thanks in advance.

override func prepareInterface(forPasskeyRegistration registrationRequest: any ASCredentialRequest) int this function how can i get the "challenge" from user agent, the params "challenge" need to be used in webauthn navigator.credentials.create

Hey everyone, I'm working on a password manager app for iOS and I'm trying to implement the new iOS 18 feature that lets users enable autofill directly from within the app. I know this exists because I've seen it in action in another app. They've clearly figured it out, but I'm struggling to find any documentation or info about the specific API. Has anyone else had any luck finding this? Any help would be greatly appreciated! Thanks in advance!

Hello everyone, In my application, i have implemented authentication using ASWebauthenticationSession. However, when redirecting the user to a WKWebView, no cookies are shared, causing the session to be lost and requiring the user to log in again. Is there a way to share cookies between the two? If not, what would be the best approach to set up authentication that ensures SSO when switching to a WebView ? Thank you very much for your help !

Hi Community, We've implemented Sign In with Apple in our application. Our domains are properly registered in the developer console, but we're experiencing inconsistent email functionality with Apple's privacy email service. Some domains work correctly while others show delivery problems, even though all domains have identical configurations. Apple's console displays green verification status for all domains, yet testing reveals that emails to privacy-protected accounts don't arrive as expected. We're using SendGrid as our email service provider, and all domains have valid authentication records (SPF, DKIM, DMARC) in place. Has anyone encountered similar inconsistencies with Apple's privacy email service? Would appreciate any configuration tips or troubleshooting guidance. Thanks.

I’m trying to update the Domains and Redirects section for my Services ID configuration in Apple Developer (for Sign in with Apple). When I add new domains and click Save, nothing happens. In the browser console, I see a network request that fails with: PATCH not supported What I’ve tried so far: Logging out/in and refreshing the page Clearing browser cache and cookies Trying in Safari, Chrome, and incognito mode Verifying domain formatting (HTTPS, no trailing slash, domain is live) The issue persists in all browsers I’ve tested. Request: Is this a known issue with the Developer portal, or is there an alternative method to update my Services ID domains? Any guidance would be appreciated. Thanks,

We have a macOS app that has a Photos Extension, which shares documents with the app via an app group container. Historically we used to have an iOS-style group identifier (group.${TeamIdentifier}${groupName}), because we were lead by the web interface in the developer portal to believe this to be the right way to name groups. Later with the first macOS 15 betas last year there was a bug with the operating system warning users, our app would access data from different apps, but it was our own app group container directory. Therefore we added a macOS-style group identifier (${TeamIdentifier}${groupName}) and wrote a migration of documents to the new group container directory. So basically we need to have access to these two app group containers for the foreseeable future. Now with the introduction of iOS-style group identifiers for macOS, Xcode Cloud no longer archives our app for TestFlight or AppStore, because it complains: ITMS-90286: Invalid code signing entitlements - Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.${TeamIdentifier}${groupName}, ${TeamIdentifier}${groupName}]” value for the com.apple.security.application-groups key in isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s). We have included the iOS-style group identifier in the provisioning profile, generated automatically, but can't do the same for the macOS-style group identifier, because the web interface only accepts identifiers starting with "group". How can we get Xcode Cloud to archive our app again using both group identifiers? Thanks in advance

Hi, Our App relies on a keychain to store certificates and key-value pairs. However, when we upgraded from an older XCode 15.2 (1 year old) app version to a newer version XCode 16.2 (with identical keychain-groups entitlement), we found that the newer ipa cannot see the older keychain group anymore... We tried Testflight builds, but limited to only generating newer versions, we tried using the older App's code, cast as a newer App version, and then upgraded to the newer code (with an even newer app version!). Surprisingly we were able to see the older keychain group. So it seems that there's something different between the packaging/profile of the older (1 year) and newer (current) App versions that seems to cause the new version to not see the old keychainGroup... Any ideas?

I am currently working on Fraud System Detection that will be used by one of the financial institutions. Those tools are related to ensuring user security. Our goal is to identify features that can trigger an early warning system for attempted fraud. We have identified three uncertain variables: Whether the user is having a conversation while using our app, Whether the user has specific screen sharing apps on their phone, Whether the user has enabled VPN connection. Here my doubts appear: Can we check the presence of a telephone conversation if we are not a VOIP application? Can we check the presence of installed programs using Universal Link and canOpenUrl(_:) method? Can we read "SCOPED" key from CFNetworkCopySystemProxySettings() dictionary? I will be glad for any advice and help.

In the hopes of saving others time, the updated demo project (i.e. the new Shiny) can be found from the video 'Resources' section under 'Performing fast account creation with passkeys'. The beta documentation can also be found from there. All of the new functionality is available only on *OS 26 at this time.

Hi folks We have a Developer ID Application which we create using electron. We made our last release for our Application on Nov'24 which was correctly working. Using the same code, we tried creating a notarized application again which started showing the following error while opening our Application. Monterey- M2- When we directly run the dmg on the dev machine, it does not give us the prompt. But if we download it from somewhere and run, the prompt comes up even in dev machine. We executed some commands to verify the notarization: 1- spctl --assess -vv /Applications/Refresh\ Pro.app On both dev machine and non-dev machine, the output was "accepted" /Applications/Refresh Pro.app: accepted source=Notarized Developer ID origin=Developer ID Application: Prograde Digital Incorporated (*******) 2- xcrun stapler validate /Applications/Refresh\ Pro.app On dev machine, we executed this command and the output is as follows. Processing: /Applications/Refresh Pro.app The validate action worked! 3- codesign -vvv --deep --strict /Applications/Refresh\ Pro.app/ /Applications/Refresh Pro.app: valid on disk /Applications/Refresh Pro.app: satisfies its Designated Requirement We have created a bug attaching the dmg. Please suggest anything we can try to make the release out the door. Bug link- https://feedbackassistant.apple.com/feedback/16811025

Hello Apple Developer Support, I am experiencing an issue with Apple Sign-In and Private Relay across two separate organizations. I have a web application that supports Apple Sign-In, configured under organization ID: 62P86SVLK4. Users can log in using their Apple accounts with the Hide My Email (Private Relay) feature enabled. This web application was created a long time ago and initially only had a web component. Recently, we developed a native mobile version of this application, which also supports Apple Sign-In. However, due to business constraints, the mobile application was created under a different organization ID: T6JT35U9NW. The Issue Since the web and mobile applications are registered under different organizations, accounts created using Apple Sign-In with Private Relay are not recognized across both applications. For example: A user creates an account in the web app using Apple Sign-In with Private Relay. When they attempt to log in to the mobile app with Apple Sign-In (also using Private Relay), authentication fails because the generated Private Relay email addresses do not match between the two organizations. Question Is there any way to link Private Relay accounts across these two organizations so that users who signed up on the web application can log in to the mobile application seamlessly? I appreciate any guidance on how to resolve this issue. Best regards, Kamil Gronert

For security reasons, my application needs to prohibit external devices. If it is determined that the current phone is connected to any external devices, including non MFI authenticated devices, the app will exit. Please tell me how to do it? Thanks for your help.

I'm a bit confused about if using App Attest is possible in enterprise builds. It shows up under identifiers in the apple dev portal and I can add it to my provisioning file and entitlements file. But if I go to keys I cannot create a key for it. This page implies it can be used for enterprise builds: After distributing your app through TestFlight, the App Store, or the Apple Developer Enterprise Program, your app ignores the entitlement you set and uses the production environment.

I'm trying to use ASWebAuthenticationSession on macOS but there is a weird crash and I have no idea what to do. It looks like there is a main thread check in a framework code that I have no control over. Any help would be appreciated. Thank you in advance. The stack of crashed thread has no symbols, even for supposedly my code in OAuthClient.authenticate. macOS 15.4.1 (24E263) Xcode Version 16.3 (16E140) Thread 11: EXC_BREAKPOINT (code=1, subcode=0x10039bb04) Thread 12 Queue : com.apple.NSXPCConnection.m-user.com.apple.SafariLaunchAgent (serial) #0 0x0000000100b17b04 in _dispatch_assert_queue_fail () #1 0x0000000100b52834 in dispatch_assert_queue$V2.cold.1 () #2 0x0000000100b17a88 in dispatch_assert_queue () #3 0x000000027db5f3e8 in swift_task_isCurrentExecutorWithFlagsImpl () #4 0x00000001022c7754 in closure #1 in closure #1 in OAuthClient.authenticate() () #5 0x00000001022d0c98 in thunk for @escaping @callee_guaranteed (@in_guaranteed URL?, @guaranteed Error?) -> () () #6 0x00000001c7215a34 in __102-[ASWebAuthenticationSession initWithURL:callback:usingEphemeralSession:jitEnabled:completionHandler:]_block_invoke () #7 0x00000001c72163d0 in -[ASWebAuthenticationSession _endSessionWithCallbackURL:error:] () #8 0x00000001c7215fc0 in __43-[ASWebAuthenticationSession _startDryRun:]_block_invoke_2 () #9 0x0000000194e315f4 in __invoking___ () #10 0x0000000194e31484 in -[NSInvocation invoke] () #11 0x00000001960fd644 in __NSXPCCONNECTION_IS_CALLING_OUT_TO_REPLY_BLOCK__ () #12 0x00000001960fbe40 in -[NSXPCConnection _decodeAndInvokeReplyBlockWithEvent:sequence:replyInfo:] () #13 0x00000001960fb798 in __88-[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:]_block_invoke_3 () #14 0x0000000194a6ef18 in _xpc_connection_reply_callout () #15 0x0000000194a6ee08 in _xpc_connection_call_reply_async () #16 0x0000000100b3130c in _dispatch_client_callout3_a () #17 0x0000000100b362f8 in _dispatch_mach_msg_async_reply_invoke () #18 0x0000000100b1d3a8 in _dispatch_lane_serial_drain () #19 0x0000000100b1e46c in _dispatch_lane_invoke () #20 0x0000000100b2bfbc in _dispatch_root_queue_drain_deferred_wlh () #21 0x0000000100b2b414 in _dispatch_workloop_worker_thread () #22 0x0000000100c0379c in _pthread_wqthread () My code: @MainActor func authenticate() async throws { let authURL = api.authorizationURL( scopes: scopes, state: state, redirectURI: redirectURI ) let authorizationCodeURL: URL = try await withUnsafeThrowingContinuation { c in let session = ASWebAuthenticationSession(url: authURL, callback: .customScheme(redirectScheme)) { url, error in guard let url = url else { c.resume(throwing: error ?? Error.unknownError("Failed to get authorization code")) return } c.resume(returning: url) } session.presentationContextProvider = presentationContextProvider session.start() } let authorizationCode = try codeFromAuthorizationURL(authorizationCodeURL) (storedAccessToken, storedRefreshToken) = try await getTokens(authorizationCode: authorizationCode) } Here is disassembly of the crashed function. libdispatch.dylib`_dispatch_assert_queue_fail: 0x10067fa8c <+0>: pacibsp 0x10067fa90 <+4>: sub sp, sp, #0x50 0x10067fa94 <+8>: stp x20, x19, [sp, #0x30] 0x10067fa98 <+12>: stp x29, x30, [sp, #0x40] 0x10067fa9c <+16>: add x29, sp, #0x40 0x10067faa0 <+20>: adrp x8, 71 0x10067faa4 <+24>: add x8, x8, #0x951 ; "not " 0x10067faa8 <+28>: adrp x9, 70 0x10067faac <+32>: add x9, x9, #0x16b ; "" 0x10067fab0 <+36>: stur xzr, [x29, #-0x18] 0x10067fab4 <+40>: cmp w1, #0x0 0x10067fab8 <+44>: csel x8, x9, x8, ne 0x10067fabc <+48>: ldr x10, [x0, #0x48] 0x10067fac0 <+52>: cmp x10, #0x0 0x10067fac4 <+56>: csel x9, x9, x10, eq 0x10067fac8 <+60>: stp x9, x0, [sp, #0x10] 0x10067facc <+64>: adrp x9, 71 0x10067fad0 <+68>: add x9, x9, #0x920 ; "BUG IN CLIENT OF LIBDISPATCH: Assertion failed: " 0x10067fad4 <+72>: stp x9, x8, [sp] 0x10067fad8 <+76>: adrp x1, 71 0x10067fadc <+80>: add x1, x1, #0x8eb ; "%sBlock was %sexpected to execute on queue [%s (%p)]" 0x10067fae0 <+84>: sub x0, x29, #0x18 0x10067fae4 <+88>: bl 0x1006c258c ; symbol stub for: asprintf 0x10067fae8 <+92>: ldur x19, [x29, #-0x18] 0x10067faec <+96>: str x19, [sp] 0x10067faf0 <+100>: adrp x0, 71 0x10067faf4 <+104>: add x0, x0, #0x956 ; "%s" 0x10067faf8 <+108>: bl 0x1006b7b64 ; _dispatch_log 0x10067fafc <+112>: adrp x8, 108 0x10067fb00 <+116>: str x19, [x8, #0x2a8] -> 0x10067fb04 <+120>: brk #0x1

I have a very basic binary question around passkeys. Assuming everything is on latest and greatest version with respect to iOS, when user starts creating a passkey in platform-authenticator i.e., iCloudKeyChain (Apple Password Manager) , will iCloudKeyChain create a hardware-bound passkey in secure-enclave i.e., is brand new key-pair created right inside Secure-enclave ? OR will the keypair be created in software i.e., software-bound-passkey ?? i.e., software-bound keypair and store the private-key locally in the device encrypted with a key that is of course created in secure-enclave.