We are working on a PoC iOS App to use "Sign in with Apple" on iOS. The app needs to authenticate the current user on MDM managed corporate iPads (with Shared iPad enabled) and each user having a Managed Apple ID (created in Apple Business Manager). We have started with Apple's example app: https://developer.apple.com/documentation/authenticationservices/implementing-user-authentication-with-sign-in-with-apple When we run it on a normal iPad (without MDM supervision) it works fine. When we run the same code on a managed iPad with Shared iPad enabled and Managed Apple ID's the app errors out when a user taps the "Sign in with Apple" button. A User-facing error message is displayed: “Your Apple Account cannot be used to create accounts for other apps.” And when we run the app from Xcode we see the following logs: Authorization failed: Error Domain=AKAuthenticationError Code=-7027 "(null)" UserInfo={AKClientBundleID=com.sampleapp.test2} LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=72, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Attempt to map database failed: permission was denied. This attempt will not be retried. Failed to initialize client context with error Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=72, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Failed to get application extension record: Error Domain=NSOSStatusErrorDomain Code=-54 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" Could not authenticate: The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1000.) We have confirmed that in ABM "Sign in with Apple" feature is enabled with "Allowed apps": "All apps". We have also confirmed that the Managed AppleIDs created in ABM have no field to provide the birthday of the user and therefore ruling out age restrictions for "Sign in with Apple". Is "Sign in with Apple" supported in MDM managed iPADs with Shared iPad enabled and managed AppleIDs? If it is supported, do we know what other configurations we need to get it to work? Do we know why "Sign in with Apple" would error out with Authorization failed: Error Domain=AKAuthenticationError Code=-7027 "(null)" UserInfo={AKClientBundleID=com.sampleapp.test2} LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=72, Environment: • iPadOS version: IPadOS Version 18.7 • Xcode version: Version 26.0 (17A324) • Device type: iPad Air 11-inch (M3) in Shared iPad mode • Account type: Managed Apple ID created in ABM enrolled with Intune MDM) Thank you

Problem Summary I'm experiencing a persistent invalid-credential error with Apple Sign-In on iOS despite having verified every aspect of the configuration over the past 6 months. The error occurs at the Firebase Authentication level after successfully receiving credentials from Apple. Error Message: Firebase auth error: invalid-credential - Invalid OAuth response from apple.com. Environment Platform: iOS (Flutter app) Firebase Auth: v5.7.0 Sign in with Apple: v6.1.2 Xcode: Latest version with capability enabled iOS Target: 13.0+ Bundle ID: com.harmonics.orakl What Actually Happens ✅ Apple Sign-In popup appears ✅ User can authenticate with Apple ID ✅ Apple returns credentials with identityToken ❌ Firebase rejects with invalid-credential error The error occurs at Firebase level, not Apple level. What I've Tried Created a brand new Apple Key (previous key was 6 months old) Tested with both App ID and Service ID in Firebase Completely reinstalled CocoaPods dependencies Verified nonce handling is correct (hashed to Apple, raw to Firebase) Activated Firebase Hosting and attempted to deploy .well-known file Checked Cloud Logging (no detailed error messages found) Disabled and re-enabled Apple Sign-In provider in Firebase Verified Return URL matches exactly Waited and retried multiple times over 6 months Questions Is the .well-known/apple-developer-domain-association.txt file required? If yes, how should it be generated? Firebase Hosting doesn't auto-generate it. Could there be a server-side caching/blacklist issue with my domain or Service ID after multiple failed attempts? Should the Apple Key be linked to the Service ID instead of the App ID? The key shows as linked to Z3NNDZVWMZ.com.harmonics.orakl (the App ID). Is there any way to get more detailed error logs from Firebase about why it's rejecting the Apple OAuth response? Could using a custom domain instead of .firebaseapp.com resolve the issue? Additional Context Google Sign-In works perfectly on the same app The configuration has been reviewed by multiple developers Error persists across different devices and iOS versions No errors in Xcode console except the Firebase rejection Any help would be greatly appreciated. I've exhausted all standard troubleshooting steps and documentation. Project Details: Bundle ID: com.harmonics.orakl Firebase Project: harmonics-app Team ID: Z3N....... code : // 1. Generate raw nonce final String rawNonce = _generateRandomNonce(); // 2. Hash with SHA-256 final String hashedNonce = _sha256Hash(rawNonce); // 3. Send HASHED nonce to Apple ✅ final appleCredential = await SignInWithApple.getAppleIDCredential( scopes: [AppleIDAuthorizationScopes.email, AppleIDAuthorizationScopes.fullName], nonce: hashedNonce, // Correct: hashed nonce to Apple ); // 4. Create Firebase credential with RAW nonce ✅ final oauthCredential = OAuthProvider("apple.com").credential( idToken: appleCredential.identityToken!, rawNonce: rawNonce, // Correct: raw nonce to Firebase ); // 5. Sign in with Firebase - ERROR OCCURS HERE ❌ await FirebaseAuth.instance.signInWithCredential(oauthCredential);

Hello, I currently have an app that includes the "Sign in with Apple" feature, and I need to transfer this app to another app team. I have reviewed all official documentation but have not found the answer I need. My situation has some specificities, and I hope to receive assistance. The .p8 key created by the original developer team has been lost, and the app’s backend does not use a .p8 key for verification—instead, it verifies by obtaining Apple’s public key. However, according to the official documentation I reviewed, obtaining a transfer identifier during the app transfer process requires a client_secret generated from the original team’s .p8 key. This has left us facing a challenge, and we have two potential approaches to address this issue: Q1: During the transfer, is it possible to skip obtaining the transfer identifier and proceed directly with the app transfer, without performing any backend operations? Is this approach feasible? Q2: If the above approach is not feasible, should we create a new .p8 key in the original team’s account and use this new key for the transfer? If a new key is generated, do we need to re-release a new version of the app before initiating the transfer? If neither of the above approaches is feasible, are there better solutions to resolve our issue? I hope to receive a response. Thank you. TN3159: Migrating Sign in with Apple users for an app transfer | Apple Developer Documentation/ https://developer.apple.com/documentation/signinwithapple/transferring-your-apps-and-users-to-another-team

I received Apple’s recent notice about the new requirement to provide a server-to-server notification endpoint when registering or updating a Services ID that uses Sign in with Apple. (Official notice: https://developer.apple.com/news/?id=j9zukcr6 ) We already use Sign in with Apple on our website and app, but only as a login method for pre-registered users, not as a way to create new accounts. That means users already exist in our system, and Apple login is used only for authentication convenience (similar to linking a social account). I have some questions about how to properly implement the required server-to-server notifications in this case: 1. email-enabled / email-disabled: We don’t use or store the email address provided by Apple. Are we still required to handle these events, or can we safely ignore them if the email is not used in our system? 2. consent-revoked: We don’t store Apple access or refresh tokens, we use them only during login and discard them immediately. In this case, do we still need to handle token revocation, or can we simply unlink the Apple login from the user account when receiving this notification? 3. account-delete: If a user deletes their Apple account, we can unlink the Apple login and remove related Apple data, but we cannot delete the user’s primary account in our system (since the account exists independently). Is this acceptable under Apple’s requirements as well? We want to make sure our implementation aligns with Apple’s policy and privacy requirements, while maintaining consistency with our existing account management system. If anyone from Apple or other developers who implemented similar logic could provide guidance or share examples, it would be greatly appreciated. Thank you!

Hello everybody, in my React Native-Expo-Firebase app, I am trying to integrate Sign in with Apple, along with the related token revocation at user deletion. I did succeed in integrating the login, and the app correctly appears in the Apple Id list (the list of apps currently logged with Apple ID). The problem is that, if I select the app and press "Interrupt Apple login usage for this app", the app simply stays there, nothing happens. If I do the same with another app, this works fine. Either if I do this via my iPhone's settings, or via https://account.apple.com/account/manage -> Sign in with Apple, I get the same result, the app cannot be removed. I hope I managed to explain my situation clearly, I'd be happy to provide more info if necessary. Thank you in advance.

I understand from the recent Apple Developer News that Korean developers are now required to register a URL to receive notifications from the Apple server when creating or modifying a Sign in With Apple Service ID. However, it is not clear whether simply registering the URL is sufficient, or if it is also mandatory to implement the real-time processing of those notifications. I am inquiring whether the processing part is also a mandatory requirement.

Hi everyone, We just completed an App Store Connect app transfer between two developer teams and ran into what seems like an inconsistency with TN3159 (Migrating Sign in with Apple users for an app transfer). According to the technote, both the source and destination teams should be able to call /auth/usermigrationinfo for 60 days after the transfer, even if the migration wasn’t run beforehand. However, right after the transfer completed, the source team (Team A) started receiving: {"error":"invalid_client"} on all /auth/usermigrationinfo requests, even though /auth/token with scope=user.migration still works fine. What we verified before transfer: Team A’s Sign in with Apple key (ES256) was linked to the app and Services ID. OAuth flow for com.org.appname.web returned valid tokens, and the decoded ID token showed aud=com.org.appname.web with a valid private relay email, confirming the key was trusted. What happens after transfer: The key now shows “Enabled Services: —” and the App/Services IDs are no longer selectable in the Developer portal. /auth/usermigrationinfo immediately returns invalid_client for Team A, even within the same day of the transfer. This effectively makes Team A unable to generate transfer_sub values, blocking the migration flow TN3159 describes. Questions: Is Team A supposed to retain authorization to call /auth/usermigrationinfo for 60 days post-transfer? If yes, is there any known workaround to re-authorize the key or temporarily re-bind it to the transferred identifiers? If not, does this mean transfer_sub must be generated before transfer acceptance, contrary to how TN3159 reads? Would really appreciate any confirmation or guidance from Apple or anyone who’s gone through this recently. Thanks,

Hi everyone, I have followed all the Apple procedures, read the forums, and looked at various experiences of other users who had my problem, but I haven’t found a solution. On my site, I have added login with all the “big” providers, and Apple is the only one missing. I’ve tried everything, but when the user logs in and is authenticated, I get an error. In order, here’s what I receive: Received Apple code: cfbf091dd6... JWT generated correctly HTTP Error (400): {"error":"invalid_client"} I’ve read all sorts of things, including that you have to wait up to 48 hours for the Key to be enabled. Any ideas? I’ve read that this is a common problem, but I haven’t found a valid solution. Thanks in advance to anyone who can help me.

I no longer have an app on the store. I do have an apple books account on the same login but there's no need for me to have the appstore connect account or whatever you call it and keep getting notifications when I don't have an app, don't want an app, will never do another app.

Recently I am trying to implement apple oauth in expo web version, I created the service id and other related info, i have issue @PostMapping("/callback") public ResponseEntity handleAppleCallback(@RequestParam Map<String, String> body) { String code = body.get("code"); String idToken = body.get("id_token"); if (code == null) { return ResponseEntity.badRequest().build(); } // Redirect to your Expo Web app with the code in query String frontendUrl = "https://mobile-dot-dev-epicportal.uc.r.appspot.com/apple-callback?code=" + code; return ResponseEntity.status(HttpStatus.FOUND) .header("Location", frontendUrl) .build(); } when i pass the code recived from apple to this route i am getting invalid_grant i am not sure what is wrong here

Hi, we are having Sign in with Apple issues. For a large % of new users on our app which select this option, the first name and last name values are not being passed to us. This is the case in both scenarios - where the user shares their email address or hides it, and happens on iPhone when the user selects the default iCloud account. We're unclear why this is occurring.

Hi, I'm trying to implement web-browser SignIn with Apple with my new app. I'm trying to "Associate your website to your app" like described in this doc: https://developer.apple.com/help/account/capabilities/configure-sign-in-with-apple-for-the-web So I created a Service ID for this specific login. I want this login page to display my app icon and name when presented to users. My issue: When I associate my new app the the service, the link is somehow not working. The login page show the "service" login (with a generic apple logo and the Service ID's name) instead of the actual App name. I'v been able to link my new service to older apps succesfully !!! (the login page correctly shows the old apps icons and names) Why is my new app not associated with the service ? I am missing something here ? is there an additionnal step that I need to take in order to link the service to my newest app ? Thanks !

Hi, We are operating a service that uses Sign in with Apple for user registration and login. As part of our security incident response and periodic security improvements, we are planning to rotate the private key used to generate the client secret (JWT) for Sign in with Apple. I have read the Human Interface Guidelines and the AuthenticationServices documentation, but I could not find a clear description of the behavior and user impact when rotating this private key. I would like to ask the following questions: Background: We issue a Sign in with Apple private key (with a Key ID) in our Apple Developer account. Our server uses this private key to generate the client secret (JWT). This is used for Sign in with Apple login on our web / mobile app. We are planning to invalidate the existing private key and switch to a newly issued one. Questions: Impact on existing logged-in sessions Will rotating the private key force already logged-in users (who previously signed in with Apple) to be logged out from our service? Can the user identifier (such as the "sub" claim) for existing Sign in with Apple users change due to key rotation? Recommended frequency and best practices Does Apple recommend rotating this private key only when it is compromised, or on a regular basis? If there are any official documents or examples that describe how to safely perform key rotation in production, we would appreciate a pointer. Impact on marketing / analytics We are using user IDs (linked via Sign in with Apple) for analytics and marketing attribution. Is there any expected impact on such use cases caused by rotating the private key? For example, is there any possibility that user identifiers change as a result of key rotation, or anything we should be careful about from a data linkage perspective? Our goal is to rotate the private key in a secure way without causing service downtime, mass logouts, or loss of account linkage. If there is already an official document that covers this, please let me know the URL. Thank you in advance.

I'm implementing Apple Sign-In in my Next.js application with a NestJS backend. After the user authenticates with Apple, instead of redirecting to my configured callback URL, the browser makes a POST request to a mysterious endpoint /appleauth/auth/federate that doesn't exist in my codebase, resulting in a 404 error. Tech Stack Frontend: Next.js 16.0.10, React 19.2.0 Backend: NestJS with Passport (using @arendajaelu/nestjs-passport-apple) Frontend URL: https://myapp.example.com Backend URL: https://api.example.com Apple Developer Configuration Service ID: (configured correctly in Apple Developer Console) Return URL (only one configured): https://api.example.com/api/v1/auth/apple/callback Domains verified in Apple Developer Console: myapp.example.com api.example.com example.com Backend Configuration NestJS Controller (auth.controller.ts): typescript @Public() @Get('apple') @UseGuards(AuthGuard('apple')) async appleAuth() { // Initiates Apple OAuth flow } @Public() @Post('apple/callback') // Changed from @Get to @Post for form_post @UseGuards(AuthGuard('apple')) async appleAuthCallback(@Req() req: any, @Res() res: any) { const result = await this.authService.socialLogin(req.user, ipAddress, userAgent); // Returns HTML with tokens that uses postMessage to send to opener window } Environment Variables: typescript APPLE_CLIENT_ID=<service_id> APPLE_TEAM_ID=<team_id> APPLE_KEY_ID=<key_id> APPLE_PRIVATE_KEY_PATH=./certs/AuthKey_XXX.p8 APPLE_CALLBACK_URL=https://api.example.com/api/v1/auth/apple/callback FRONTEND_URL=https://myapp.example.com The passport-apple strategy uses response_mode: 'form_post', so Apple POSTs the authorization response to the callback URL. Frontend Implementation Next.js API Route (/src/app/api/auth/apple/route.js): javascript export async function GET(request) { const backendUrl = new URL(`${API_URL}/auth/apple`); const response = await fetch(backendUrl.toString(), { method: "GET", headers: { "Content-Type": "application/json", }, }); const responseText = await response.text(); return new NextResponse(responseText, { status: response.status, headers: { "Content-Type": contentType || "text/html" }, }); } Frontend Auth Handler: javascript export const handleAppleLogin = (router, setApiError) => { const frontendUrl = window?.location?.origin; // Opens popup to /api/auth/apple window.open( `${frontendUrl}/api/auth/apple`, "appleLogin", "width=500,height=600" ); }; The Problem Expected Flow: User clicks "Login with Apple" Frontend opens popup → https://myapp.example.com/api/auth/apple Frontend proxies to → https://api.example.com/api/v1/auth/apple Backend redirects to Apple's authentication page User authenticates with Apple ID Apple POSTs back to → https://api.example.com/api/v1/auth/apple/callback Backend processes and returns success HTML Actual Behavior: After step 5 (user authentication with Apple), instead of Apple redirecting to my callback URL, the browser makes this unexpected request: POST https://myapp.example.com/appleauth/auth/federate?isRememberMeEnabled=false Status: 404 Not Found Request Payload: json { "accountName": "user@example.com", "rememberMe": false } Network Tab Analysis From Chrome DevTools, the call stack shows: send @ app.js:234 ajax @ app.js:234 (anonymous) @ app.js:10 Ee.isFederated @ app.js:666 _callAuthFederate @ app.js:666 The Ee.isFederated and _callAuthFederate functions appear to be minified library code, but I cannot identify which library. What I've Verified ✅ The /appleauth/auth/federate endpoint does not exist anywhere in my codebase: bash grep -r "appleauth" src/ # No results grep -r "federate" src/ # No results ✅ Apple Developer Console shows only ONE Return URL configured (verified multiple times) ✅ Changed callback route from @Get to @Post to handle form_post response mode ✅ Rebuilt frontend completely multiple times: bash rm -rf .next npm run build ✅ Tested in: Incognito/Private browsing mode Different browsers (Chrome, Firefox, Safari) Different devices After clearing all cache and cookies ✅ No service workers registered in the application ✅ No external <script> tags or CDN libraries loaded ✅ package.json contains no AWS Amplify, Auth0, Cognito, or similar federated auth libraries ✅ Checked layout.js and all root-level files - no external scripts Additional Context Google Sign-In works perfectly fine using the same approach The mysterious endpoint uses a different path structure (/appleauth/ vs /api/auth/) The call appears to originate from client-side JavaScript (based on the call stack) The app.js file with the mysterious functions is the built Next.js bundle Questions Where could this /appleauth/auth/federate endpoint be coming from? Why is the browser making this POST request instead of following Apple's redirect to my configured callback URL? Could this be related to the response_mode: 'form_post' in the Apple Passport strategy? Is there something in the Apple Developer Primary App ID configuration that could trigger this behavior? Could this be a Next.js build artifact or some hidden dependency? The mysterious call stack references (Ee.isFederated, _callAuthFederate) suggest some library is intercepting the Apple authentication flow, but I cannot identify what library or where it's being loaded from. The minified function names suggest federated authentication, but I have no such libraries in my dependencies. Has anyone encountered similar issues with Apple Sign-In where an unexpected endpoint is being called?

I received a notification stating that we need to register a server-to-server notification endpoint to handle the following three events: Changes in email forwarding preferences. Account deletions in your app. Permanent Apple Account deletions. However, even though we have registered the API endpoint under our Identifier configuration, it appears that we are not receiving any API calls when these events trigger. I honestly have no idea what’s going wrong. I’ve checked our WAF logs and there’s no trace of any incoming traffic at all. Is it possible that Apple hasn't started sending these notifications yet, or is there something I might be missing? I’m stuck and don’t know how to resolve this. I would really appreciate any help or insights you could share. Thank you.

I received a notification stating that we need to register a server-to-server notification endpoint to handle the following three events: Changes in email forwarding preferences. Account deletions in your app. Permanent Apple Account deletions. However, even though we have registered the API endpoint under our Identifier configuration, it appears that we are not receiving any API calls when these events trigger. I honestly have no idea what’s going wrong. I’ve checked our WAF logs and there’s no trace of any incoming traffic at all. Is it possible that Apple hasn't started sending these notifications yet, or is there something I might be missing? I’m stuck and don’t know how to resolve this. I would really appreciate any help or insights you could share. Thank you.

Hello, I have a question regarding the lifecycle of user consent and tokens in "Sign in with Apple." Specifically, I would like to understand the behavior of the auth/revoke API in relation to App Store Connect status changes. Impact of App Status Changes If an app is "Removed from Sale" or "Deleted" from App Store Connect, does Apple automatically revoke all associated user tokens and consent? Or is it still the developer's responsibility to programmatically revoke each user's token via the REST API to ensure the app is removed from the user’s "Apps Using Apple ID" list? API Availability after Removal Once an app is no longer available on the App Store (or its record is deleted in App Store Connect), is the auth/revoke REST API still accessible? I want to ensure that a developer can still perform necessary privacy clean-up tasks (revoking consent) even if the app is not currently distributed. Specific User Impacts of Non-Revocation If we do not call the revocation API, besides the app remaining in the "Sign in with Apple" list, what are the specific consequences for the user? Thank you for your guidance.

I'm testing app transferring, before, I have migrate user from teamA to teamB, including subA->transferSub->subB process, now I'm transfer the app from teamB to teamC, after the transfer requested, I can't get transfer_id by /usermigrationinfo api, which response 400 invalid request. the question is I can still get transfer sub by the auth/token api(grant_type: authorization_code) with teamB parameters(teamIdB/clientIdB/appSecretB/redirectUrlB/subB)，but the value is same as first time transfer_id which get during teamA to teamB. when use parameters above with target(teamIdC) to request /usermigrationinfo, invalid request was responsed. im sure that all parameters is correct, dose it cause by teamB still in 60-days first transferring(sure already accepted)?

a I am submitting this appeal because we believe our app was misunderstood and the review outcome and follow-up communication have been unfair and mechanically handled. 1) What happened / Outcome we disagree with Our submission was rejected under Guideline 4.8 – Design – Login Services, with the reviewer stating that our app uses a third-party login service but does not provide an equivalent login option that meets Apple’s requirements (limited data collection, private email option, no advertising tracking without consent). However, our game does not require or force any third-party login. The feature being treated as “login” is not a login service at all—it is Mainland China real-name / anti-addiction compliance verification. 2) Why we believe we comply with the App Review Guidelines A. The feature in question is compliance verification, not login Players do not need to create or log into any in-game account to play. The flow exists solely to satisfy Mainland China real-name/anti-addiction compliance requirements. Verification can be completed by either: Using TapTap only as a real-name verification authorization option, or Manually entering a Chinese ID number + legal name to pass verification and play. Because this is verification, not an account login, Guideline 4.8 “Login Services” should not apply in the way the rejection message assumes. B. There is no “playable account” to provide After we clarified the above, we continued to receive repeated, template-like requests to provide a “playable account.” This request does not match our product design: there is no account system required for gameplay, so there is no “review account” to provide. We have already provided the information needed to complete the verification path (ID + name for the compliance flow), yet the responses remained repetitive and did not reflect that the reviewer checked our explanation. 3) Why we believe the handling was unfair Even after clearly explaining that this is not a login system, the review communication continued with mechanical responses that did not address the clarification. This caused significant delays to our release timeline and appears to be unfair treatment compared with many existing App Store apps that use similar compliance verification flows. 4) What we are requesting from the Appeals Team Please investigate and correct the misclassification of our real-name compliance verification as a “login service” under Guideline 4.8. If the team still believes Guideline 4.8 applies, please provide: The specific guideline rationale, and The exact screen/step in our app that is being interpreted as “login.” Please advise what specific materials you need to proceed efficiently (e.g., screen recording of the verification flow, step-by-step review instructions, configuration notes). We are ready to provide them immediately.

Could you tell me about account security and passkeys? Our service is considering implementing passkeys, and these questions are to understand how Apple protects accounts from third parties. ① Apple website states that two-factor authentication is mandatory for newly created Apple Accounts. When did this requirement come into effect? What are the conditions for users who do not have two-factor authentication enabled? ② Apple website mentions that a verification code may be required when signing into an Apple Account from a new device or browser. Is my understanding of the situations where a verification code is requested accurate, as listed below? Are there any other situations? Completely signing out of the Apple Account on that device. Erasing the device. Needing to change the password for security reasons. ③ If a user is already using a passkey on an Apple device, and then upgrades to a new device, will additional authentication, such as entering a PIN code, be required to use the passkey on the new device?