Will Apple change the public key in the future?

The reason I'm asking the questions is that as we need to validate the id token signature returned by Apple when a user Sign In with Apple, I'm not sure whether it is necessary to fetch Apple's public key every time from this endpoint (GET https://appleid.apple.com/auth/keys). Is there rate limit to the endpoints (GET public key and POST validate authcode/token)?


Will Apple ever change the public key in the future? If so, will the developers be notified when Apple changes it? Also, how often do we expect Apple will change it?


Thank you!

Hi!

Did you get response from this yet?


Regards,

Jonas

The reason this endpoint exists is because it's possible that the public key could be revoked. You should not rely on the public key remaining constant forever, instead, use the endpoint as the authoritative source for the Sign in with Apple public key.

Yes it can and has changed before. Few months ago Apple public key was

AIDOPK1, then this month they have changed to other Key ID.
My guess would be like Apple change the public key once every month? You can set up a cron job to call the public key endpoint once every 24 hours, then save the latest public keys JSON into your database (and replace the old one), then your backend can use the saved public keys to verify the identityToken.

hi angela, how do you use the public keys to decode?? I'm trying but always return: Could not deserialize key data

I am interested in this too, because I think it is a waste of bandwidth and computing power to retrieve these public keys online whenever we need them. But if it really changes periodally as 'souldchild' said, then it can't be helped. [We have to access it online every time.] I am adding this comment because his idea of using cron job is a bad idea. Even if, let's say, this cron job is reduced to once every an hour. What if our user tries to "apple sign in" during the time that apple changes the public keys, just several minutes after our last cron job runs?

Will Apple change the public key in the future?
 
 
Q