Separate test/prod keys for app id?

We have a multiplatform app and use both the web and iOS Sign in with Apple flows. Our backend service is shared. We can negotiate the id_token and validate the grant code with the Apple /token endpoint as described in the "Verifying a User" article.


We have multiple environments for test and production. In order to keep the production client_secret "secret", we need a separate secret for test environments that will not work on production. How can we achieve this?


It looks like we have to create a separate Application ID, service (client_id) and associated key. This is fine for web since it can just pass an arbitrary client_id, but what about iOS? iOS apps are tightly coupled to their Applications (and therefore their client_ids). Is there no way to use an arbitrary client_id for SIWA on iOS?


Do we really need a separate version of our iOS app for the test environment? This would be really disruptive to our workflow.

It would also work to have separate Services under one Application. Each SIWA service maps to its own client_id and set of redirect URLs. But how does the iOS app select which service to use when there are multiple under the same Application?
