We have the same problem when we validate the authorization grant code. A new authorization code is requested for each attempt. Here is our code:
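// Load the EC private key (base64-encoded PKCS#8) used to sign the client secret.
byte[] encoded = Base64.getDecoder().decode(SECRET_KEY);
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
KeyFactory factory = KeyFactory.getInstance("EC");
PrivateKey privKey = factory.generatePrivate(keySpec);

// Claims of the client-secret JWT: usable from 2 minutes in the past until
// 10 minutes in the future, so the signed secret is short-lived.
JwtClaims claims = new JwtClaims();
claims.setIssuer(ISS);
claims.setIssuedAtToNow();
claims.setExpirationTimeMinutesInTheFuture(10);
claims.setAudience(AUD);
claims.setSubject(SUB);
claims.setNotBeforeMinutesInThePast(2);

// Sign the claims with ES256 and name the signing key in the "kid" header.
JsonWebSignature jws = new JsonWebSignature();
jws.setPayload(claims.toJson());
jws.setHeader("kid", KID);
jws.setKey(privKey);
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
String clientSecret = jws.getCompactSerialization();

// Form-encode every value before it goes into the body. The authorization code
// is supplied from outside this code; without encoding, a '&', '=' or '+' in it
// would corrupt the body or add extra parameters to the token request.
// The fully-qualified name avoids needing a new import in this file.
String utf8 = StandardCharsets.UTF_8.name();
String requestString = "client_id=" + java.net.URLEncoder.encode(IOS_BUNDLE_ID, utf8)
		+ "&client_secret=" + java.net.URLEncoder.encode(clientSecret, utf8)
		+ "&code=" + java.net.URLEncoder.encode(code, utf8)
		+ "&grant_type=authorization_code";
// requestString carries the signed client secret and the authorization code:
// keep it out of logs and error messages.
byte[] postData = requestString.getBytes(StandardCharsets.UTF_8);
int postDataLength = postData.length;

String sUrl = "https://appleid.apple.com/auth/token";
URL url = new URL(sUrl);
HttpsURLConnection http = (HttpsURLConnection) url.openConnection();
http.setRequestProperty("Host", "appleid.apple.com");
http.setRequestProperty("Accept", "application/json");
http.setRequestProperty("User-Agent", "mot");
http.setDoOutput(true);
http.setDoInput(true);
http.setRequestMethod("POST");
http.setRequestProperty("content-type", "application/x-www-form-urlencoded");
http.setRequestProperty("charset", "utf-8");
http.setRequestProperty("Content-Length", Integer.toString(postDataLength));
http.setUseCaches(false);

// try-with-resources closes the request stream once the body is written.
try (DataOutputStream wr = new DataOutputStream(http.getOutputStream())) {
	wr.write(postData);
	wr.flush();
}

// On a non-2xx status the response body is read from http.getErrorStream(),
// not http.getInputStream().
int responseCode = http.getResponseCode();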