Hi,
We are an organisation with 40 developers working on iOS apps. Our app uses "Sign in with Apple". This requires using a private key (https://help.apple.com/developer-account/?lang=en#/dev77c875b7e).
We have a test environment which all of our developers have full access to. We would like to use "Sign in with Apple" in the test environment and therefore it would contain the private key. This private key would only have access to "Sign in with Apple". We are wondering if it would be acceptable to give all 40 of our developers read-access to this private key. What would a developer be able to do with this private key?
It would be great to get an opinion from someone with more insight, or even better an official response from Apple.
Thanks,
Alex
Hi,
We are an organisation with 40 developers working on iOS apps. Our apps contain In-App Purchases. We are using server-side validation to validate purchase receipts. This requires using a shared secret (https://developer.apple.com/documentation/appstorereceipts/requestbody).
We have a test environment which all of our developers have full access to. We would like to validate receipts in the test environment and therefore it would contain the app's shared secret. We are wondering if it would be acceptable to give all 40 of our developers read-access to this shared secret. As far as I can tell, this secret is only used for:
- Validating receipts using the verifyReceipt API
- Verifying webhook notifications
If this is the case, I personally can see no problem with all of our developers having read-access to the shared secret.
It would be great to get an opinion from someone with more insight, or even better an official response from Apple.
Thanks,
Alex
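
The two uses listed in the post above, sketched in Python as an added example (not part of the original post and not Apple's code): the shared secret is sent as the `password` field of the verifyReceipt request body, and it is compared against the `password` field of an incoming version 1 server notification. The function names and sample values are constructed for illustration.

```python
import hmac
import json


def build_verify_receipt_body(receipt_b64: str, shared_secret: str) -> bytes:
    """Build the JSON body for verifyReceipt; the secret travels in 'password'."""
    if not shared_secret:
        raise ValueError("shared secret is not configured")
    return json.dumps({
        "receipt-data": receipt_b64,
        "password": shared_secret,
        "exclude-old-transactions": True,
    }).encode()


def notification_is_authentic(raw_body: bytes, shared_secret: str) -> bool:
    """Accept a V1 server notification only if its 'password' matches the secret."""
    try:
        payload = json.loads(raw_body)
    except ValueError:  # malformed JSON or invalid UTF-8
        return False
    if not isinstance(payload, dict):
        return False
    supplied = payload.get("password")
    if not isinstance(supplied, str) or not shared_secret:
        return False
    # Constant-time comparison so the check does not leak the secret byte by byte.
    return hmac.compare_digest(supplied.encode(), shared_secret.encode())


if __name__ == "__main__":
    secret = "constructed-test-secret"  # constructed value, not a real secret
    print(build_verify_receipt_body("BASE64RECEIPT", secret))
    sample = b'{"notification_type": "DID_RENEW", "password": "constructed-test-secret"}'
    print(notification_is_authentic(sample, secret))
```

In both flows the secret is a bearer value: whoever can read it can produce a request or a notification that passes these checks.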