Sign in With Apple Error with 'invalid_grant' and description 'the code has already been used'.

Hello all,
I've been facing an error 'invalid_grant' and the error description is 'the code has already been used' when trying to sign in with Apple.

But the weirdest thing is that it happens only on Apple's reviewing devices. It does not happen to normal users.

I was rejected several times, but couldn't solve this issue. Please let me know what this issue is, and how to fix it.

Thank you!

Hi jrim,

I don't have much information about your app, web service, or configuration to assist you here. Please submit a Technical Support Incident so we can investigate the issue. When doing so, please provide the App ID, Team ID, and whether your app uses Sign in with Apple via the AuthenticationServices framework, the Sign in with Apple JS SDK, or the Sign in with Apple REST API.

Hello ppinkney,
We also got that response only when the reviewers tried to log in. We tested on iPhones, iPads and in the emulator and we cannot reproduce the error:

{"error":"invalid_grant","error_description":"The code has already been used."}


Our review process already failed 4 times. We also opened a support ticket.

I'm having the exact same issue. None of my team is able to reproduce this error while the review keeps failing with this. Maybe there's something different about the review account compared to the normal Apple IDs? Please investigate ASAP, thank you.

Was this resolved? Please let us know the update, thanks!

Our app was built with Flutter and implements Sign in with Apple with this package: https://pub.dev/packages/sign_in_with_apple

I wonder if there's any similarity between other cases. This error happens specifically when the authorization code has been sent to our server and our server sends it to 'https://appleid.apple.com/auth/token' to request id_token.

I saw this exact error when trying to use an Authorization Code that was expired. They only last 5 minutes. You can use the refresh token instead. Here are further details: https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens

OP mentions it didn't work on Apple's reviewing devices. I'm guessing they are testing flows that you have not set up correctly.

Just a helpful tip for testing: you can always revoke access here: https://appleid.apple.com and then generate new auth/refresh codes. But your code should be storing the codes and handle both cases. Hope that helps.

I am also getting the same error. Any help will be helpful.

Was this resolved? Please let us know the update, thanks!

We just ran into the same issue pushing out our iOS 15 update release. After 2 failed reviews (both using the same Apple ID for review) we responded referencing the error messages above as well as the fact that real user App Store logins were all operating normally atm, as were any Apple IDs our development team had access to.

Before raising a TSI we asked if it would be possible for the reviewer to attempt to log in with a different Apple ID, to isolate the account as the cause of the issue rather than our app, and to our surprise (!) they did and subsequently approved the update.

So if you are confident in your Apple ID implementation (as we were), perhaps try this approach before having to waste a TSI on this issue.

You may need 'nonce' when authenticating the user. Implementations of some packages omit nonce or make nonce optional when authenticating; it may not be optional using an Apple reviewer's account. Easiest way to achieve this is using Firebase Auth.

Hello, the reason for this problem is that a code that has been verified by Apple should be verified only once, and after verification passes, you should cache the token and code.

Getting the same error too. Tried a lot of test cases such as changing region, using a different Apple ID, changing the Apple ID's information and trying to log in again, but still cannot reproduce the error. The question is, if the access token is being used, there should be a success call from Apple's server, but my server did not log that request.

Hi all, we've faced the same issue – our app was rejected because "Sign In with Apple does not sign in".

We use Auth0 webauth, so the authorization happens inside the in-app browser window on a page hosted by Auth0. We couldn't reproduce this error with any of our team members' Apple IDs. We tried on several iOS versions on real devices and on a Simulator, we tried on a fresh Apple ID (never used to sign in to our app), on existing accounts (used previously to sign in to our app), and we tried to revoke our app authorization before signing in again. Everything works as it should.

Also, we have error monitoring (Sentry) set up, and the only error we see in logs is for the Apple reviewer. It is "invalid_grant (The code has already been used.)"

In the Auth0 logs there is only one such error as well.

I guess we will try to submit an appeal to the Apple Review team with all this information, as Sanvean kindly suggested in this thread.

This is insane and I can't believe it's coming from Apple...

I discovered one flow where this issue could be present. It's a bit odd, but I think this could happen for the developer only in the case that the application gets a timeout on your callback request and tries again. Since the backend thinks it has given a good callback to the application already and the client uses the same auth code, it will fail. That makes it look like it fails. Do Apple reviewers have that shitty of a connection?
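
Two replies above point at the same mechanism: an authorization code can be exchanged only once, and a client that retries after a timeout resends the same code. As an added example (not code from any poster or from Apple), this sketch shows a backend that exchanges each code once and replays the stored result on a retry; `FakeAppleTokenEndpoint`, `IdempotentCodeExchanger` and the sample code value are constructed for illustration, with the fake endpoint standing in for the POST to https://appleid.apple.com/auth/token.

```python
import hashlib
import threading
import time

CODE_TTL_SECONDS = 300  # the thread states authorization codes last 5 minutes


class FakeAppleTokenEndpoint:
    """Constructed stand-in for the token endpoint: rejects a reused code."""

    def __init__(self):
        self.used = set()
        self.calls = 0

    def exchange(self, code):
        self.calls += 1
        if code in self.used:
            return {"error": "invalid_grant",
                    "error_description": "The code has already been used."}
        self.used.add(code)
        return {"id_token": "constructed-id-token",
                "refresh_token": "constructed-refresh-token"}


class IdempotentCodeExchanger:
    """Exchange each authorization code once; replay the stored result on retries."""

    def __init__(self, exchange_fn, clock=time.monotonic):
        self._exchange = exchange_fn
        self._clock = clock
        self._lock = threading.Lock()
        self._results = {}  # sha256(code) -> (expiry, token response)

    def handle_callback(self, code):
        key = hashlib.sha256(code.encode()).hexdigest()  # avoid storing the raw code
        with self._lock:  # serialises concurrent retries of the same callback
            now = self._clock()
            self._results = {k: v for k, v in self._results.items() if v[0] > now}
            if key in self._results:
                return self._results[key][1]  # retry: do not call Apple again
            response = self._exchange(code)
            if "error" not in response:
                self._results[key] = (now + CODE_TTL_SECONDS, response)
            return response


def demo():
    naive, backend = FakeAppleTokenEndpoint(), FakeAppleTokenEndpoint()
    safe = IdempotentCodeExchanger(backend.exchange)
    code = "constructed-auth-code"
    naive_results = [naive.exchange(code), naive.exchange(code)]  # client retried
    safe_results = [safe.handle_callback(code), safe.handle_callback(code)]
    return naive_results, safe_results, backend.calls
```

With more than one server instance handling callbacks, the in-memory dictionary would need to be a shared store so that a retry landing on a different instance still finds the first result.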
