Hello Apple Developer Community,
I'm experiencing an invalid_client error (HTTP 400) when attempting to authenticate with the Apple School Manager API using OAuth2 with JWT bearer assertion (RFC 7523). Despite verifying all configuration values and following Apple's documentation, I continue to receive this error.
Error Details
Error: invalid_client
HTTP Status: 400 Bad Request
Endpoint: https://appleid.apple.com/auth/oauth2/v2/token
Response: {"error": "invalid_client"}
My Configuration
All values have been verified to match Apple School Manager exactly:
- Organization ID: 55155430
- Key ID: 8136a1f6-c995-4010-b964-bc8278c107ef
- Client ID (Service ID): SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59
- Private Key: Loads correctly, signs JWT properly (ES256)
JWT Configuration
I'm generating a JWT with the following structure:
Header:
{
"alg": "ES256",
"kid": "8136a1f6-c995-4010-b964-bc8278c107ef",
"typ": "JWT"
}
Payload:
{
"iss": "55155430",
"sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59",
"aud": "https://appleid.apple.com",
"iat": [timestamp],
"exp": [timestamp + 30 days]
}
Token Request
Method: POST
Content-Type: application/x-www-form-urlencoded
Parameters:
- grant_type: client_credentials
- client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
- client_assertion: [JWT token]
- scope: https://api.apple.com/auth/schoolmanager
What I've Verified
✅ All configuration values match Apple School Manager exactly
✅ Private key file exists and loads correctly
✅ JWT is generated with correct structure (ES256, proper claims)
✅ Key ID in JWT header matches the Key ID from Apple School Manager
✅ Request format matches OAuth2 RFC 7523 specification
✅ Content-Type header is application/x-www-form-urlencoded
✅ Tried both Client ID and Organization ID as sub claim (both fail with same error)
✅ DNS resolution and API connectivity are working
✅ API account appears active in Apple School Manager interface
What I've Tried
- Using Client ID as sub: Tried using SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 as the sub claim
- Using Organization ID as sub: Tried using 55155430 as the sub claim (fallback)
- With and without scope: Tried both including and excluding the scope parameter
- Different JWT expiration: Tried various expiration times (30 days, 180 days)
- Verified Service ID format: Confirmed the Client ID follows the SCHOOLAPI.xxxxx-xxxxx-xxxxx format
Both attempts (Client ID and Organization ID as sub) return the same invalid_client error.
Previous Support Interaction
I've contacted Apple Developer Support (Case #102783504559). They confirmed:
- The technical implementation is correct
- The issue is an account access/permission problem
- My Apple Account email is not associated with any memberships
- The Account Holder must add me to the Enterprise team membership
However, I'm posting here to see if anyone in the community has:
- Experienced similar issues and found a solution
- Additional technical insights about the invalid_client error
- Suggestions for what else to verify or try
Questions
- Is there a specific format requirement for the sub claim? Should it be the Client ID (Service ID) or Organization ID? I've tried both.
- Are there any additional claims required in the JWT beyond iss, sub, aud, iat, exp?
- Could there be a backend issue with the API account even though it appears active in Apple School Manager?
- Has anyone successfully resolved an invalid_client error that wasn't related to account access?
- Is there a delay after creating an API account before it becomes fully active for authentication?
Technical Details
- Language: Python (Flask)
- JWT Library: PyJWT with cryptography library
- Algorithm: ES256 (ECDSA P-256)
- OAuth2 Flow: Client Credentials Grant with JWT Bearer Assertion (RFC 7523)
Error Log
I've generated a detailed error log showing the exact request/response. The key points:
- HTTP 400 Bad Request
- Response: {"error":"invalid_client"}
- Same error occurs with both Client ID and Organization ID as sub
Any Help Appreciated
If anyone has encountered this issue or has insights into what might be causing it, I'd greatly appreciate your help. I'm happy to provide additional details or try any suggestions.
Thank you!
Case Number: 102783504559
API Account: Created in Apple School Manager
Status: API account appears active, but authentication fails
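An added pre-flight checker for the RFC 7523 request the post describes (example code, not the poster's Flask application and not Apple's own tooling). An invalid_client response from a token endpoint is a generic client-authentication failure, so it helps to validate the request body and the assertion's header and claims locally before blaming the account. The checker uses only the Python standard library: it assembles the compact JWS from the header and claims shown in the post, builds the form-encoded body, and then decodes everything back and reports structural problems. The Organization ID, Key ID, Service ID, audience and scope are the values from the post; the fixed timestamp and the 64 zero bytes standing in for the signature are constructed placeholders (a real request puts the ES256 signer's raw r||s output there, which PyJWT produces for you), and the 180-day lifetime bound is simply the longest lifetime the post reports trying. The signature itself is not verified, since that needs the public key.

```python
import base64
import json
import re
import time
from urllib.parse import parse_qs, urlencode

# Identifiers copied from the post; a real deployment substitutes its own.
EXPECTED = {
    "org_id": "55155430",
    "key_id": "8136a1f6-c995-4010-b964-bc8278c107ef",
    "client_id": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59",
    "aud": "https://appleid.apple.com",
    "scope": "https://api.apple.com/auth/schoolmanager",
}
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
MAX_LIFETIME = 180 * 24 * 3600  # longest lifetime the post reports trying (assumed bound)
SERVICE_ID_RE = re.compile(r"^SCHOOLAPI\.[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_assertion_parts(org_id, client_id, key_id, now=None, lifetime=30 * 24 * 3600):
    """Header and claims with exactly the structure the post shows."""
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id, "typ": "JWT"}
    claims = {"iss": org_id, "sub": client_id, "aud": EXPECTED["aud"],
              "iat": now, "exp": now + lifetime}
    return header, claims


def assemble_jws(header, claims, signature: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(signature).
    For ES256 the signature must be the raw 64-byte r||s value, not DER."""
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return signing_input + "." + b64url_encode(signature)


def build_token_request_body(assertion: str, scope=None) -> str:
    """application/x-www-form-urlencoded body for the client_credentials grant."""
    params = {"grant_type": "client_credentials",
              "client_assertion_type": CLIENT_ASSERTION_TYPE,
              "client_assertion": assertion}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def check_request(body: str, expected=EXPECTED, now=None):
    """Return a list of findings; an empty list means the request has the documented shape.
    The signature is NOT cryptographically verified here."""
    now = int(time.time()) if now is None else now
    findings = []
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    for name, want in (("grant_type", "client_credentials"),
                       ("client_assertion_type", CLIENT_ASSERTION_TYPE)):
        if form.get(name) != want:
            findings.append(f"{name} must be exactly {want!r}, got {form.get(name)!r}")
    segments = form.get("client_assertion", "").split(".")
    if len(segments) != 3:
        return findings + ["client_assertion is not a three-segment compact JWS"]
    try:
        header = json.loads(b64url_decode(segments[0]))
        claims = json.loads(b64url_decode(segments[1]))
        sig = b64url_decode(segments[2])
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return findings + ["client_assertion segments are not valid base64url JSON"]
    if header.get("alg") != "ES256":
        findings.append(f"alg must be ES256, got {header.get('alg')!r}")
    if header.get("kid") != expected["key_id"]:
        findings.append("kid does not match the Key ID from Apple School Manager")
    if len(sig) != 64:
        findings.append(f"ES256 JWS signature must be raw r||s, 64 bytes, got {len(sig)} (DER-encoded?)")
    if claims.get("iss") != expected["org_id"]:
        findings.append("iss should be the Organization ID")
    if not SERVICE_ID_RE.match(str(claims.get("sub", ""))):
        findings.append("sub does not look like a SCHOOLAPI.<uuid> Service ID")
    if claims.get("aud") != expected["aud"]:
        findings.append(f"aud must be exactly {expected['aud']!r}")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        findings.append("iat and exp must be integer epoch seconds")
    elif exp <= now:
        findings.append("assertion is already expired")
    elif exp - iat > MAX_LIFETIME:
        findings.append("exp is more than 180 days after iat")
    return findings


def demo():
    """Well-formed request versus one carrying a DER-shaped (70-byte) signature."""
    now = 1_700_000_000  # constructed fixed timestamp
    header, claims = build_assertion_parts(
        EXPECTED["org_id"], EXPECTED["client_id"], EXPECTED["key_id"], now)
    placeholder_sig = b"\x00" * 64  # constructed stand-in for the ES256 signer's raw output
    good = build_token_request_body(assemble_jws(header, claims, placeholder_sig), EXPECTED["scope"])
    der_like = b"\x30" + b"\x00" * 69  # constructed: the length a DER signature would have
    bad = build_token_request_body(assemble_jws(header, claims, der_like), EXPECTED["scope"])
    return check_request(good, now=now), check_request(bad, now=now)


if __name__ == "__main__":
    print(demo())
```

Run the checker over the exact body your client is about to POST (for example by logging it from the Flask app) and fix every finding before touching the account side; if the list is empty, the remaining causes are on the server side, such as the permission problem support described.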