Rotating String API Key

For a Swift package that requires app developers to set a String API key at the app level (one key per app, not per user), what is Apple’s recommended approach for allowing those keys to be securely rotated without requiring an App Store redeploy?

Answered by Security Engineer

We recommend not storing secrets within your application. Exposing secrets to your application could lead to them leaking. Rather, keep API secrets on a server, and use App Attest to confirm the request is coming from your app: https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity
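
Worked example of the pattern the answer describes, added here and not part of Apple's answer or of any Apple sample code: a small Go proxy that holds the upstream API key, issues a single-use challenge, verifies the App Attest assertion the app sends with each request using the checks Apple documents (nonce = SHA256(authenticatorData || SHA256(clientData)), DER ECDSA/P-256 signature, RP ID hash = SHA256(App ID), strictly increasing sign counter, challenge match), and only then forwards with whatever key is current. Rotating the key is a server-side change; the installed app never held it. Everything specific is an assumption for illustration: the App ID, key ID and key strings are placeholders, the CBOR assertion envelope is assumed to be decoded already into its two fields, the initial attestation (certificate chain to Apple's root, which is how the server learned the public key) is assumed to have been validated earlier, the clientData layout (32-byte challenge followed by the request bytes) is this example's own convention, and the device side is simulated with a locally generated P-256 key where a real device would use DCAppAttestService.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// appID is "<Team ID>.<bundle ID>"; this value is a hypothetical placeholder.
const appID = "ABCDE12345.com.example.sdkhost"

// attestedKey is what the server kept after accepting the initial attestation (chain check not shown).
type attestedKey struct {
	pub     *ecdsa.PublicKey
	counter uint32 // highest sign counter seen so far
}

// verifyAssertion applies Apple's documented assertion checks; authData and sig are the two
// fields of the CBOR assertion (decoding assumed done). The caller checks the challenge.
func verifyAssertion(k *attestedKey, authData, sig, clientData []byte) error {
	if len(authData) < 37 {
		return fmt.Errorf("authenticatorData too short")
	}
	cdh := sha256.Sum256(clientData) // nonce = SHA256(authData || SHA256(clientData))
	nonce := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(k.pub, nonce[:], sig) { // DER-encoded ECDSA/P-256 signature
		return fmt.Errorf("bad signature")
	}
	rp := sha256.Sum256([]byte(appID)) // bytes 0..31: RP ID hash = SHA256(App ID)
	if string(authData[:32]) != string(rp[:]) {
		return fmt.Errorf("rpIdHash does not match App ID")
	}
	ctr := binary.BigEndian.Uint32(authData[33:37]) // byte 32 is flags, then the counter
	if ctr <= k.counter {
		return fmt.Errorf("sign counter did not increase (replay?)")
	}
	k.counter = ctr // advance state only after every check has passed
	return nil
}

// server is the proxy holding the upstream key the app never sees (single-goroutine for brevity).
type server struct {
	apiKey     string
	keys       map[string]*attestedKey // by App Attest key ID
	challenges map[string]bool         // outstanding single-use challenges
}

// Rotate swaps the upstream key; nothing in the shipped app changes.
func (s *server) Rotate(next string) { s.apiKey = next }

// issueChallenge gives the app a fresh random challenge to embed in clientData.
func (s *server) issueChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand never returns an error on supported Go releases
	s.challenges[string(c)] = true
	return c
}

// handle is the proxy endpoint. clientData is, by this example's convention, the 32-byte
// challenge followed by the request bytes, so the signature binds both to the assertion.
func (s *server) handle(keyID string, authData, sig, clientData []byte) (string, error) {
	k, ok := s.keys[keyID]
	if !ok || len(clientData) < 32 {
		return "", fmt.Errorf("unknown key ID or malformed client data")
	}
	ch := string(clientData[:32])
	if !s.challenges[ch] {
		return "", fmt.Errorf("unknown or already-used challenge")
	}
	delete(s.challenges, ch) // consumed even if verification fails below
	if err := verifyAssertion(k, authData, sig, clientData); err != nil {
		return "", err
	}
	return s.apiKey, nil // the key that would be sent upstream, so Rotate is observable
}

// Device side, constructed for this example; DCAppAttestService does this on a real device.
func newDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func makeAssertion(priv *ecdsa.PrivateKey, counter uint32, clientData []byte) ([]byte, []byte, error) {
	rp := sha256.Sum256([]byte(appID))
	authData := append(append(rp[:], 0x00), 0, 0, 0, 0) // rpIdHash | flags | counter
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdh := sha256.Sum256(clientData)
	nonce := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, nonce[:])
	return authData, sig, err
}

func main() {
	priv, _ := newDeviceKey()
	s := &server{apiKey: "upstream-key-v1", keys: map[string]*attestedKey{}, challenges: map[string]bool{}}
	s.keys["kid-1"] = &attestedKey{pub: &priv.PublicKey}
	s.Rotate("upstream-key-v2") // rotated server-side; the installed app is unchanged
	cd := append(s.issueChallenge(), "GET /v1/widgets"...)
	ad, sig, _ := makeAssertion(priv, 1, cd)
	fmt.Println(s.handle("kid-1", ad, sig, cd))
}
```

Two points a practitioner should take from this. First, the assertion signs only a hash, so whatever the server puts in clientData is what the signature binds: including the request bytes alongside the challenge means a captured assertion cannot be replayed against a different request, and the consumed-challenge set plus the monotonic counter stop replay of the same one. Second, App Attest tells the server the assertion came from a genuine copy of the app on a genuine device; it does not make the app a trusted party, which is why the upstream key stays in the proxy rather than being handed back to the client after a successful check.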

Is there a particular reason that Apple would not want to integrate App Attest directly into CloudKit access, in particular for the public database?

As far as I can tell, this would be a great way to safely distribute secrets like this to an entire app userbase, but there is definitely much I don't know.

It has always surprised me that the public CloudKit database is as accessible as it is (using just the container name and record ID). With App Attest integration, it seems that Apple could make it very easy for a developer to opt in to limiting these requests to only legitimate installs of their app.
