Reply to Sign in with Apple Server to Server Notification Documentation
I've spent some time digging into how this works. Here's what I've found so far:

Endpoint

The endpoint for the notifications can have any path desired. It's a POST request sending JSON. HTTPS is required. There is no authentication. Events are sent as signed JWTs using the OIDC JWS keys for verification.

Body

The body is a simple JSON structure:

    { "payload": "<event Token>" }

Event Token Structure

    {
      "iss": "https://appleid.apple.com",
      "aud": "<app id>",
      "exp": 1611852260,
      "iat": 1611765860,
      "jti": "<token id string>",
      "events": "<Event String>"
    }

The aud field will be the corresponding backend App ID for the source of the emission. The events field is stringified JSON. So far I've only seen a single object, but based on the name an array doesn't seem impossible.

General Event Structure

    {
      "type": "<event type>",
      "sub": "<apple user id>",
      "event_time": 1611765847700
    }

Some event types have additional fields.

Event Types

Here are the events I've received so far.

email-enabled
Sent when user enabled receiving email from service.
Additional Fields:
    email - user's email
    is_private_email - is the email an Apple email proxy email.

email-disabled
Sent when a user disables email sending through the proxy.
Additional Fields:
    email - user's email
    is_private_email - is the email an Apple email proxy email.

consent-revoked
Sent when consent for using the application is revoked. No additional fields.
Feb ’21
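Because the endpoint has no authentication, the signed token is the only thing that proves a notification came from Apple. The following is an added example, not part of the original post and not Apple's code, showing one way to check it with the Python standard library only. Assumptions: the tokens are signed with RS256, the caller has already fetched the JWKS and decoded each key to an `(n, e)` integer pair, and the names `parse_notification`, `rs256_valid` and `seen` are hypothetical; a maintained JWT library would normally replace the hand-written signature check.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://appleid.apple.com"
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rs256_valid(signing_input, sig, n, e):
    """RSASSA-PKCS1-v1_5/SHA-256 check: rebuild the expected encoding, compare."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, expected)

def parse_notification(body, keys, audience, seen, now=None):
    """body: raw POST bytes. keys: [(n, e), ...] taken from the OIDC JWKS.
    audience: your App ID. seen: set of jti values already processed."""
    token = json.loads(body)["payload"]
    head_b64, claims_b64, sig_b64 = token.split(".")
    # Pin the algorithm (assumed RS256); never let the token choose it.
    if json.loads(b64url_decode(head_b64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    signing_input = f"{head_b64}.{claims_b64}".encode()
    sig = b64url_decode(sig_b64)
    if not any(rs256_valid(signing_input, sig, n, e) for n, e in keys):
        raise ValueError("bad signature")
    # Claims are only trusted after the signature has verified.
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong iss or aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims["jti"] in seen:
        raise ValueError("replayed jti")
    seen.add(claims["jti"])
    # "events" is stringified JSON; accept one object or an array of them.
    events = json.loads(claims["events"])
    return events if isinstance(events, list) else [events]
```

The function returns a list in both cases, so handler code does not change if the `events` field ever carries an array.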