RESOLVED — Posting what fixed it in case it helps others
After a lot of debugging, the invalid_client error was caused by using Sign in with Apple (SIWA) endpoints instead of the Apple School Manager API endpoints. These are two completely separate OAuth systems that look very similar but are not interchangeable.
Here is a direct comparison of what was wrong vs. what is correct:
                           ❌ What I had (SIWA)                 ✅ What ASM API requires
Token endpoint             appleid.apple.com/auth/token         account.apple.com/auth/oauth2/token
JWT aud claim              https://appleid.apple.com            https://account.apple.com/auth/oauth2/v2/token
JWT iss claim              Organisation ID (55155430)           API client ID (SCHOOLAPI.xxx)
JWT sub claim              Client ID (SCHOOLAPI.xxx)            API client ID (SCHOOLAPI.xxx) — same as iss
jti claim                  Not included                         Required — unique UUID per request
client_id in request body  Not included                         Required
API base URL               api.apple.com/v1                     api-school.apple.com/v1
The working JWT payload looks like this:
{
  "iss": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59",
  "sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59",
  "aud": "https://account.apple.com/auth/oauth2/v2/token",
  "iat": 1747561070,
  "exp": 1763113070,
  "jti": "any-unique-uuid"
}
The working token request:
POST https://account.apple.com/auth/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=SCHOOLAPI.xxx
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<signed_jwt>
&scope=school.api
Almost every guide and forum post for Apple authentication describes Sign in with Apple — if you are using the Apple School Manager API specifically, those guides do not apply. The ASM API uses account.apple.com, not appleid.apple.com.
Hope this saves someone else the hours of debugging!