Sign In with Apple - Cannot Validate the Authorization Grant Code
I'm working on integrating Sign In with Apple into my app. The app is written in React Native using Expo, and for now I'm using this component nearly exactly: https://docs.expo.io/versions/latest/sdk/apple-authentication/#usage

I've been able to successfully generate the authorization grant code with this component; however, I've been unable to validate it server side. Here is the error I'm currently getting:

```json
{
  "error": "invalid_grant",
  "error_description": "The code has expired or has been revoked."
}
```

Details

I've added a Sign In with Apple key to my app and downloaded the private key. I've published the app to TestFlight so I get my own bundle identifier and not Expo's in the simulator.

This is the format of the authorization grant code from a first request (not JSON formatting, as it's output from Go):

```
{ realUserStatus:1 , authorizationCode:xxxx , fullName:{ middleName:null nameSuffix:null namePrefix:null givenName:null familyName:null nickname:null} state:null identityToken:xxxxxxx email:null user:xxxxx }
```

I'm using this library to generate the verification request: https://github.com/pagnihotry/siwago

I'm running a Go script from my laptop (not a domain associated with the app), as well as copying/pasting information into Postman. Both methods are using x-www-form-urlencoded. The Go app is signing the client_secret, and I assume it's done the correct way because I'm no longer getting a 400 invalid_client. I've decoded the client_secret and confirmed that the validation request is formatted:

```json
{ "alg": "ES256", "kid": "SECRET_KEY_ID" }
{ "iss": "TEAM_ID", "iat": 1626740200, "exp": 1629332200, "aud": "https://appleid.apple.com", "sub": "BUNDLE_ID" }
```

I've confirmed that the client secret is signed with my private key by validating it against my private key's public complement.

The form data for the authorization request to https://appleid.apple.com/auth/token is (no punctuation on values):

- client_id: [BUNDLE_ID]
- client_secret: [signed secret]
- code: [authorizationCode] (from the authorization grant code)
- grant_type: authorization_code
- redirect_uri: [left empty in Go, not a key in Postman]

I've requested my authorization code repeatedly and thought that I might be throttled, but then I tried a brand new one on its first use and still got the invalid_grant response.

Looking for any help; I've spent the past two solid days on this and am exhausted.
1 reply · 1 boost · 3.1k views · Mar ’23
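As an added example (not from the original post, the Expo component or the siwago library), the following standard-library-only Go program builds the client_secret JWT with exactly the header and claims the post decoded, verifies it against the public complement of the signing key, enforces Apple's cap of six months between iat and exp, and assembles the x-www-form-urlencoded body for the /auth/token request. The P-256 key is generated at run time as a stand-in for the downloaded .p8 file, and SECRET_KEY_ID, TEAM_ID, BUNDLE_ID and the authorization code are placeholders. Two properties of the authorization code itself are worth keeping in mind when reading an invalid_grant response: the code is single-use, and it expires a few minutes after issue, so each exchange attempt needs a freshly issued code sent with the same client_id (bundle ID) it was issued to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const appleAud = "https://appleid.apple.com"
const maxClientSecretLifetime = 15777000 * time.Second // Apple's six-month cap on a client secret

type ClientSecretClaims struct { // payload shape the post decoded from its client_secret
	Iss string `json:"iss"` // Team ID
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"` // always https://appleid.apple.com
	Sub string `json:"sub"` // bundle ID; must equal client_id in the token request
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientSecret produces the ES256-signed JWT Apple expects as client_secret.
func BuildClientSecret(key *ecdsa.PrivateKey, keyID, teamID, bundleID string, iat, exp time.Time) (string, error) {
	if !exp.After(iat) || exp.Sub(iat) > maxClientSecretLifetime {
		return "", errors.New("exp must be after iat and no more than six months later")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(ClientSecretClaims{Iss: teamID, Iat: iat.Unix(), Exp: exp.Unix(), Aud: appleAud, Sub: bundleID})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JOSE encodes an ES256 signature as r||s, each left-padded to 32 bytes, not as ASN.1 DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyClientSecret is the check the post describes: validate against the key's public complement, then check header and claims.
func VerifyClientSecret(token string, pub *ecdsa.PublicKey) (*ClientSecretClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify against this public key")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" || hdr.Kid == "" {
		return nil, errors.New("header must carry alg ES256 and the key id in kid")
	}
	var c ClientSecretClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("undecodable claims")
	}
	if c.Aud != appleAud || c.Exp-c.Iat > int64(maxClientSecretLifetime/time.Second) {
		return nil, errors.New("aud must be https://appleid.apple.com and exp at most six months after iat")
	}
	return &c, nil
}

// TokenRequestBody builds the x-www-form-urlencoded body for POST https://appleid.apple.com/auth/token.
// client_id is taken from the secret's sub so the two cannot drift apart.
func TokenRequestBody(claims *ClientSecretClaims, clientSecret, code string) string {
	v := url.Values{}
	v.Set("client_id", claims.Sub)
	v.Set("client_secret", clientSecret)
	v.Set("code", code)
	v.Set("grant_type", "authorization_code")
	return v.Encode()
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral stand-in for the .p8 key (constructed)
	now := time.Now()
	secret, err := BuildClientSecret(key, "SECRET_KEY_ID", "TEAM_ID", "BUNDLE_ID", now, now.Add(30*24*time.Hour))
	claims, verr := VerifyClientSecret(secret, &key.PublicKey)
	if err != nil || verr != nil {
		panic(fmt.Sprintf("%v %v", err, verr))
	}
	fmt.Println(TokenRequestBody(claims, secret, "AUTHORIZATION_CODE_PLACEHOLDER"))
}
```

Running it prints a form body with client_id, client_secret, code and grant_type; redirect_uri is omitted, matching the post's request. Verifying the secret with a second, unrelated key fails, which is the same test the post ran against the private key's public complement.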