I created an identifier, but did not select "Sign In with Apple" I created a key, and enabled the WeatherKit service. I have a simple python script to retrieve from the API, but I am getting "NOT ENABLED" import datetime import time # pip install requests PyJWT cryptography import jwt import requests import json from cryptography.hazmat.primitives.serialization import load_ssh_private_key from hashlib import sha1 with open("/Users/don/.ssh/AuthKey_LBV5W26ZRJ.p8", "r") as f: myKey = f.read() # matches my service id WEATHERKIT_SERVICE_ID = "net.ag6hq.sandysclock" #This is my id, redacted here WEATHERKIT_TEAM_ID = "<redacted>" # this is my private key, redacted here WEATHERKIT_KID = "<redacted>" # key ID WEATHERKIT_KEY = myKey WEATHERKIT_FULL_ID = f"{WEATHERKIT_TEAM_ID}.{WEATHERKIT_SERVICE_ID}" thisLat = 34.03139251897727 thisLon = -117.41704704143667 def fetch_weatherkit( lang="en", lat="34.031392", lon="-117.41704", country="US", timezone="US/Los_Angeles", datasets = "currentWeather,forecastDaily,forecastHourly,forecastNextHour", ): url = f"https://weatherkit.apple.com/api/v1/weather/{lang}/{lat}/{lon}?dataSets={datasets}&countryCode={country}&timezone={timezone}" now = int(time.time()) exp = now + (3600 * 24) token_payload = { "sub": WEATHERKIT_SERVICE_ID, "iss": WEATHERKIT_TEAM_ID, "exp": exp, "iat": now } token_header = { "kid": WEATHERKIT_KID, "id": WEATHERKIT_FULL_ID, "alg": "ES256", "typ": "JWT" } token = jwt.encode(token_payload, WEATHERKIT_KEY, headers=token_header, algorithm="ES256") response = requests.get(url, headers={'Authorization': f'Bearer {token}'}) return response #### End of Def myFetch=fetch_weatherkit() myStatus=myFetch.status_code myJSON=myFetch.json() print("myJSON=" + str(myJSON)) print("myStatus=" + str(myStatus)) This outputs: python weatherkit.py myJSON={'reason': 'NOT_ENABLED'} myStatus=401 I get the same results if I use the jwt.io service to create a token and use curl What am I doing wrong?

Is there a way to verify my JWT Token? I have some python code that uses the pypi.org jwt module, and would like to verify that the token coming out of it is correct. I am getting {"reason": "NOT_ENABLED"} and I would like to make sure that my token is constructed correctly. I have seen a few others that have the "aud": entry in the header, but it's not mentioned in the documentation. Further confusion over this documentation is the statement to use the "ES256" algorithm, but that requires .pem and a .pub files, but only a .p8 is supplied. (note I can extrapolate .pem and .pub files from the .p8, but that is not even discussed. Can anyone from Apple chime in?