The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

Hi, Please see TN3159: Migrating Sign in with Apple users for an app transfer for more information on the expected end-to-end app transfer and user migration flow. Additionally, if you'd like for the iCloud and App Store engineering teams to confirm if the errors are related to a revoked authorization to previous users accounts, please submit a report via Feedback Assistant and include the following information: Gathering required information for troubleshooting Sign in with Apple user migration To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback. For issues occurring with your user migration, ensure your feedback contains the following information: the primary App ID and Services ID the client secret for the transferring team (Team A) and the recipient team (Team B) the failing request(s), including all parameter values, and error responses (if applicable) the timestamp of when the issue was reproduced (optional) screenshots or videos of errors and unexpected behaviors (optional) Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue. Submitting your feedback Before you submit via Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client. After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

Hi there - I maintain the react-native-apple-authentication module which allows react native developers to implement sign in with Apple When testing we noticed that code working perfectly in iOS17 Simulators now fails on iOS18/18.1 Simulators. Specifically, the credential status is always revoked when testing on an iOS18+ Simulator. The same code works perfectly on a real device running iOS18 or 18.1 so this appears to be a Simulator bug. This is problematic because App review is frequently performed on a Simulator, so there are false-negative test results for Sign In With Apple from reviewers when they use iOS18 emulators, resulting in App submission rejections. We're tracking this here, with some results posted and an example app in-repo that demonstrates the issue: https://github.com/invertase/react-native-apple-authentication/issues/356 It would be great to see the Simulator fixed so that it works correctly with Sign In With Apple again. Thanks

I am researching to apply Apple Sign In to my app. I see response data from Apple just include user name and email (phone number is not required also), but currently my app has only one login method that is by phone number. So I would like to ask:
 Can I request an phone number (by an customize popup) from the user after Signin Apple successfully? If not then which approach that can I apply? Many thanks!

Hi everyone, I'm having a recurring issue with the "Sign in with Apple" integration in my web app, and I’m hoping someone here can help or share insights. Here’s the situation: I implemented "Sign in with Apple" following the official documentation, and it worked perfectly at first. After about two weeks, I started getting the "invalid_client" error when redirecting to the authentication page. I reviewed everything and discovered I hadn’t set up the email configuration properly in the Apple Developer Console. Once I fixed that, it worked fine again. Now, the same error ("invalid_client") has returned, and I’ve triple-checked every part of my configuration: The service ID, redirect URIs, and domain settings match exactly. The client_secret is generated correctly with all required fields (iss, iat, exp, aud, and sub) and signed with ES256. My server time is synchronized. Nothing has changed in my code or configuration since it last worked. This seems to be an issue on Apple’s end because everything was functioning perfectly before, and I’ve already resolved this once by updating settings in the Developer Console. Has anyone else faced this issue? Is there something I might be missing, or could this be a problem with Apple’s service? Any advice or guidance would be greatly appreciated!

Private relay emails are ending up in the spam folder, even though SPF and DKIM are set up correctly.

Dear Apple Developer Support Team, I am writing to request assistance regarding an issue with the Apple Sign-In integration for my application, specifically in obtaining the email ID from the id_token. We are using the following Apple Sign-In authorization URL to initiate the sign-in process: https://appleid.apple.com/auth/authorize?response_type=code&response_mode=query&client_id=com.whattotrust.client&redirect_uri=https%3A%2F%2Fdev-web.whattotrust.com%2Fauth%2Fcallback After successfully authenticating the user and obtaining the authorization code, we use this endpoint to request the id_token and access_token: https://appleid.apple.com/auth/token While we are able to retrieve the tokens, we are experiencing issues when attempting to extract the user's email ID from the id_token. This issue has been consistent across multiple accounts. Despite successfully decrypting the id_token, the email field is either missing or unavailable. but with few emails we are getting email Could you please help us understand if there is an additional step or specific condition required to ensure that the email ID is included in the id_token? We would greatly appreciate any guidance on how to resolve this issue. Thank you for your support and assistance in resolving this matter.

Hello I have a problem with provisionprofile file. I have created Identifier with Sign in with Apple capability turned on, created Profile with Developer ID selected and now I try to export archive with generated Developer ID provision file but it says "Profile doesn't support Sign in with Apple" Also interesting thing that default provisions like macOS App Development Mac App Store Connect don't show such error when I try to export archive Maybe this problem is only related to Developer ID provision and Direct Distribution doesn't support Sign in with Apple, but I havent found proves about this idea

Our product uses the “Sign in with Apple” feature, and now we need to transfer it to Apple. After reading the documentation, I still have questions and would like to get answers. Q1:Transfer App: After the receiving team receives the App, is the unique identifier obtained by the client App program login the original one? Or is it newly generated? If it is newly generated, from what point in time will it be newly generated? Q2:Transfer App: Is there any validity period for the transfer identifier? About how long? What will happen after the transfer identifier is expired? Q3:When does the transfer identifier (transfer identifier) start to be generated, when the transfer request is initiated or when the transfer is completed, and when I get the transfer identifier, can I directly exchange it for the receiving team's unique identifier? Looking forward to a reply, thanks!

Hey, There are two apps, App A and App B. Both apps do not have Sign in with Apple configured currently, so there are no Sign in with Apple users to transfer. I want to configure this for both apps. App A is on developer team A. App B is on developer team B. They are not on the same developer accounts. It is my understanding that both accounts need to be on the same developer team/account to get the same unique identifiers (e.g. sub id and private relay email address) for privacy reasons. Desired Behavior: When a single user logs into either app A or app B with the newly exposed Sign in with Apple functionality, I need apple to return me the same unique identifiers (e.g. sub and email), so that I can uniquely identify the same user across app A and app B. How can I do this without ANY customer impact.

We recently transferred our app from one developer account to a new one, internally. We're trying to transfer our sign in with apple users, but have hit a snag on the first step. I'm following the instructions here to "Obtain the user access token": https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team This is my request as created in postman: curl --location 'https://appleid.apple.com/auth/token/' --form 'grant_type="client_credentials"' --form 'scope="user.migration"' --form 'client_id="com.XXXXX"' --form 'client_secret="XXXXX"' No matter what I try, I always receive invalid_client. I've uploaded example JWTs in FB15648650.

Hi everyone, I'm working on a hybrid web application that will serve as a unified login page for two of my existing apps. Both apps currently utilize Apple Sign In with separate app IDs. To provide a seamless user experience, I plan to create a unified login page that displays two distinct Apple Sign In buttons: "Log in with A Service" and "Log in with B Service". Each button will link to the respective Apple Sign In flow for that specific service and app ID. I'm seeking guidance on the following: Apple's Guidelines: Are there any specific Apple guidelines or restrictions that prohibit or discourage the display of multiple Apple Sign In buttons on a single page within a hybrid web app context? I appreciate any insights or suggestions you can provide. Thank you

Hi, I've been working to build Apple sign in into my application using a low code tool called GeneXus. The instructions seem pretty straight forward however it's not working when I try signing in from the app. See GeneXus instructions here: https://wiki.genexus.com/commwiki/wiki?44478,GAM+-+Apple+Authentication+type The only section that I didn't do was to verify the domain which according to the instructions is required for apple sign in to work. This was backed up by the GeneXus support team. I can't find how to verify the domain though? The support team seem to think Apple will send me the domain association file detailed in the link below and I simply add that to the server: https://developer.apple.com/documentation/xcode/supporting-associated-domains#Add-the-associated-domains-entitlement-to-your-app However I can't find where this file would be generated? I also can't see the button to register the domain in the first place!

Hello everyone, We recently transferred an iOS app but didn’t generate the transfer identifier before initiating the transfer. Is it still possible to generate the transfer identifier after the transfer has been completed? If not, are there any alternative solutions or steps we can take to resolve this issue? Thank you for any guidance!

I once changed my Apple ID. Before changing it, I had set up a passkey for the Apple ID website. After changing my Apple ID, whenever I log in to Apple ID, it still shows my previous Apple ID. Additionally, the passkey for the Apple ID website is not present in my 'Passwords' app, so I am unable to delete it.

Hello, One of the apps my team is developing is using Keycloak for allowing users to authenticate inside the application. We are using Keycloak primarily to act as the backend identity provider and not forcing users to authenticate via social logins (Facebook, Google, etc.). Under point 4.8 (at the time of posting) in the AppReview guidelines, would the app need to also offer another login service?

I am trying to send email from our internal server. We are using gmail as smtp client. Gmail is bound to a domain hosted on squarespace. I have all the required DNS records - DKIM, DMARC, SPF configured in squarespace. In the Apple Developer Portal, I have also added allowed domains and email addresses in the Sign In with Apple settings. SPF verification passed. The problem is that emails sent to @privaterelay.appleid.com are not reaching the final recipient. On our end, the emails are sent and there are no errors. In the email signature the DKIM domain and the domain in the From: address match completely. Domain on tools like mxtoolbox passes all checks. Also, there is no response from the gmail server that the email was not delivered. To all other emails the emails are being sent with no problems. Please help me figure this out, maybe I am missing something.

Hello there, we have implemented the Apple sign in our site, everything is working good except from two edge cases when the JWT returned by Apple sign in does not contain the user email, these cases are: When users choose Hide My Email when creating their account and later manually change their settings and turning off the email forwarding (Tested). For Apple at Work & School users. i.e. younger students may not have an email address. According to Apple docs, email could be empty for Sign in with Apple at Work & School users (Not tested). The problem is that we use the email to confirm the user authentication, but when the email is not present in the JWT, our system won't be able to find the registered user. We're currently working on a workaround for this, but we would like to confirm that these edge cases are known by apple and also ask some questions: Is it correct to say that: Turning off the email forwarding will cause that Apple's identity token (JWT) does not include the user's email address? Apple at Work & School users: is there a way to identify that someone is using this type of account? Is there any other known edge case when the email could be empty in the JWT? Thanks in advance!

Hello, I started looking to implement SSO with Apple on my website using this tutorial : https://developers.appcharge.com/docs/apple-sso-login However, when going to https://developer.apple.com/account/resources/identifiers/list to generate a new Key, i'm getting the error : "Unable to find a team with the given Team ID 'XXXXXXXX' to which you belong. Please contact Apple Developer Program Support". It was a breeze to implement Google SSO, but not for Apple. I can't find much help online, could you guide me ? Regards

I have implemented Sign in with Apple on website one weeks ago, and it work perfectly. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue.... in ios app site , we used bundle id for client_id. in web site , we used service id for client_id; I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error.... I tested it like this, i got authorization code using Service ID i tried authorization code with Service ID using browser : successfully got the code and requested access_token immately 2 and then, i tried validate the authorization grant code to obtain tokens curl like this curl -X POST https://appleid.apple.com/auth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "client_id=my_service_id" \ -d "client_secret=my_client_secret" \ -d "code=sent_from_frontend" \ -d "grant_type=authorization_code" \ -d "redirect_uri=my_redirect_uri" then get fail and no error_description error_code is 400 invalid_grant is not invalid_client error, and client secret is not expired too My decoded token looks like the following : { "alg": "ES256", "typ": "JWT", "kid": "my_kid" } { "aud": "https://appleid.apple.com", "sub": "my_service_id", "iss": "team_id", "exp": 1744012650, "iat": 1728460650 }

When we develop 'Sign in with Apple' function on our app, we visited https://appleid.apple.com to verify the account. However, appleid.apple.com is mapped to an American IP, and it is not suitable for our app which is operated in China. I wonder whether there is a China Mainland IP available for the verification? Thanks very much.

Hi, I have implemented Sign in with Apple on Android four months ago, and it work perfectly. We are using React Native with expo, using expo-auth-session and firebase function to get code back to start the token validation process. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on firestore without issue, which confuses us. According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are: The client_id does not match the client for which the code was issued. The code has expired or has been previously consumed by the validation server. Is there any way I could differentiate whether is client_secret wrong or the code was used or any other reasons?