My main goal was to use Authentication Services but it requires the device to be managed via mobile device management. For non-managed devices, I was looking to create an extension that all apps on the device can talk to silently using CTK for tokens in the CTK host app's possession. In iOS, with the sandbox restrictions, as you pointed out, only apps hosting their extensions can talk to it via XPC. iOS26 introduced some APIs in extensionKit to add an interactive view for users. I was hoping, as a developer I can control the messaging in the consent prompt that shows up when an app tries to access tokens using CTK the first time. The best path would be to open up XPC communication across apps using extensionKit in iOS but that is Apple's decision to make :) Or remove the device management prequisite to use Single-sign on extension in Authentication Services.

I see these issues still happening in iOS 26. With iOS 26, I noticed some new APIs being added in ExtensionFoundation/ExtensionKit. Although the documentation says that scopes of extensions can be configured in a way that any app can call them, that does not seem to be the case in iOS. Are there plans to expose underlying ExtensionKit APIs used by CryptoTokenKit?

Thanks for looking into it! Per your suggestion I have filed 3 feedback items: Feedback for consent prompt not reappearing after app re-install : https://feedbackassistant.apple.com/feedback/16052660 Feedback asking user consent preference be mutable in Settings app: https://feedbackassistant.apple.com/feedback/16058654 Feedback asking for API that tells if user had consented access to Token : https://feedbackassistant.apple.com/feedback/16058772 In addition, I came across another unexpected behavior. If there is a crash in the CTK extension, the calling app is blocked for 30 seconds before getting a response. I assume there is some logic that keeps retrying for 30 seconds to see if XPC connection returned a response. As a developer it would be nice to at least have the timeout configurable. Feedback: https://feedbackassistant.apple.com/feedback/16060769

To add, this user consent popup appears only for the 1st time an app is trying to access an identity via CTK appex. Re-installing either the calling app or CTK appex containing app doesn't seem to re-trigger the app. Maybe it is tied to bundleid?

This is on iOS. We are using CryptoTokenKit Extension as a mechanism to perform XPC communication between 2 iOS apps. Mainly, we want only 1 app on the iPhone to have access to a key in secure enclave and all other apps communicate with it to get signed data/decrypted data from it. This popup is kind of acting as a blocker for us from adopting it because of the uncertainty of where the preference selected by user is stored. This is how it looks: Is there any way to not show the pop-up if for example both apps share same publisher/app group? How can user recover if they had chosen "Don't Allow" but now want to change their preference to allow? Would re-creating new keychain entry help? How can we detect that user chose Don't allow? The keychain query result for 'com.apple.token' access group if user had chosen 'Don't Allow' only returns 0 elements instead of an error even when identity added by cryptotokenkit exists on the device.