This is on iOS. We are using CryptoTokenKit Extension as a mechanism to perform XPC communication between 2 iOS apps. Mainly, we want only 1 app on the iPhone to have access to a key in secure enclave and all other apps communicate with it to get signed data/decrypted data from it. This popup is kind of acting as a blocker for us from adopting it because of the uncertainty of where the preference selected by user is stored. This is how it looks: Is there any way to not show the pop-up if for example both apps share same publisher/app group? How can user recover if they had chosen "Don't Allow" but now want to change their preference to allow? Would re-creating new keychain entry help? How can we detect that user chose Don't allow? The keychain query result for 'com.apple.token' access group if user had chosen 'Don't Allow' only returns 0 elements instead of an error even when identity added by cryptotokenkit exists on the device.

To add, this user consent popup appears only for the 1st time an app is trying to access an identity via CTK appex. Re-installing either the calling app or CTK appex containing app doesn't seem to re-trigger the app. Maybe it is tied to bundleid?

Thanks for looking into it! Per your suggestion I have filed 3 feedback items: Feedback for consent prompt not reappearing after app re-install : https://feedbackassistant.apple.com/feedback/16052660 Feedback asking user consent preference be mutable in Settings app: https://feedbackassistant.apple.com/feedback/16058654 Feedback asking for API that tells if user had consented access to Token : https://feedbackassistant.apple.com/feedback/16058772 In addition, I came across another unexpected behavior. If there is a crash in the CTK extension, the calling app is blocked for 30 seconds before getting a response. I assume there is some logic that keeps retrying for 30 seconds to see if XPC connection returned a response. As a developer it would be nice to at least have the timeout configurable. Feedback: https://feedbackassistant.apple.com/feedback/16060769

I see these issues still happening in iOS 26. With iOS 26, I noticed some new APIs being added in ExtensionFoundation/ExtensionKit. Although the documentation says that scopes of extensions can be configured in a way that any app can call them, that does not seem to be the case in iOS. Are there plans to expose underlying ExtensionKit APIs used by CryptoTokenKit?