I’m trying to diagnose an APNs provider authentication issue that began after APNs had previously been working.
Summary:
My iOS app can register for remote notifications and successfully sends its device token to my server. The app has the Push Notifications capability enabled in Xcode, the Bundle ID has Push Notifications enabled in Certificates, Identifiers & Profiles, and the APNs key is active in the Apple Developer portal.
However, every server-side APNs send attempt now fails with:
HTTP 403
{"reason":"InvalidProviderToken"}
This happens against both sandbox and production APNs endpoints.
App / account details:
Bundle ID / apns-topic: app.terrasignal
Team ID: 837F2XGDX
Current APNs Key ID: HNW7XPK2H3
APNs key type: Apple Push Notifications service (APNs)
Key configuration: Team scoped, Sandbox & Production
Xcode signing team: David Buck / Team ID 837F2XGDX
Push Notifications capability is enabled in Xcode
Device token environment tested: sandbox
Server clock verified against Apple/date header and matches UTC
What works:
iOS app launches successfully
Push permission is granted
Device token is generated
Device registers with my server successfully
Server stores the token as sandbox for bundle app.terrasignal
What fails:
Server-to-APNs provider authentication
Direct HTTP/2 APNs request fails before notification delivery
Failure reason is always InvalidProviderToken
I tested three separate APNs keys:
34T746MWFV
T9N75GU2AV
HNW7XPK2H3
Each key was downloaded from the Developer portal, uploaded to the server, verified as a valid .p8 private key, and used with its matching Key ID. All produce the same InvalidProviderToken result.
I also bypassed my APNs library and tested direct HTTP/2 + JOSE JWT signing. The direct APNs test also fails with the same response:
HTTP status: 403
Response body: {"reason":"InvalidProviderToken"}
Example direct APNs test details:
Host: api.sandbox.push.apple.com
Path: /3/device/
apns-topic: app.terrasignal
apns-push-type: alert
apns-priority: 10
JWT header: {"alg":"ES256","kid":"HNW7XPK2H3"}
JWT payload includes iss: 837F2XGDX and current iat
Key imports successfully with jose importPKCS8
JWT is generated successfully
APNs rejects it with InvalidProviderToken
I also tried the production endpoint with the same result:
Host: api.push.apple.com
HTTP 403
{"reason":"InvalidProviderToken"}
Things verified:
System clock is correct
Docker/server UTC time matches Apple Date header
Bundle ID topic is app.terrasignal
APNs key exists in the Apple Developer portal
APNs service is enabled on the key
Key is configured for Sandbox & Production
Push Notifications capability is enabled for the app
Xcode signing uses the same team
The .p8 file is not empty or malformed
The key imports successfully via jose/importPKCS8
The issue occurs before APNs evaluates the device token, because authentication fails first
Question:
What Apple-side account/key/app configuration state can cause multiple active APNs auth keys for the same team to return InvalidProviderToken, even when:
the key is active,
APNs is enabled,
the Team ID matches,
the Bundle ID topic matches,
the server clock is correct,
and a direct HTTP/2 APNs request with a manually generated ES256 JWT also fails?
Is there a way to force-refresh, repair, or re-sync APNs provider authentication for a Developer account / Bundle ID / APNs key?
Topic:
App & System Services
SubTopic:
Notifications