I'm successfully using Apple subscriptions in my app, but I'm encountering SKErrorCodeDomain error 18 when trying to apply a subscription offer. I want apply offer code first time only for subscription. Below are details of what i set in appstore and what i have tested. Subscription Offer Details Offer Type: For the first month Customer Eligibility: New, Existing, and Expired Subscribers Code Status: Active Offer Code Creation Steps: App Store Connect → App → Subscription → Select Subscription Product → Offer Codes → Add → Add Custom Codes Signature Generation for Promotional Offers I'm following Apple's documentation to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers I’ve constructed the payload as instructed: appBundleId + '\u2063' + keyIdentifier + '\u2063' + productIdentifier + '\u2063' + offerIdentifier + '\u2063' + appAccountToken + '\u2063' + nonce + '\u2063' + timestamp Keys and Identifiers keyIdentifier, issuerId, and .p8 file are obtained from: App Store Connect → Users and Access → Integrations → In-App Purchase Test user created under: App Store Connect → Users and Access → Sandbox → Test Accounts Logged in with this account on the iPhone What I’ve Tried Verified all values used in the payload are correct Tried both seconds and milliseconds for the timestamp (as per documentation, it should be in milliseconds) Tried setting appAccountToken to: a valid UUID an empty string not setting it at all Used Apple’s sample code to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-promotional-offer-signature-on-the-server Verified the generated signature locally, and it validated successfully: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers#Validate-locally-and-encode-the-signature Apple’s sample code to generate a signature Downloaded from const express = require('express'); const router = express.Router(); const crypto = require('crypto'); const ECKey = require('ec-key'); const secp256k1 = require('secp256k1'); const uuidv4 = require('uuid/v4'); const KeyEncoder = require('key-encoder'); const keyEncoder = new KeyEncoder('secp256k1'); const fs = require('fs'); function getKeyID() { return "KEYIDXXXXX"; } router.post('/offer', function(req, res) { const appBundleID = req.body.appBundleID; const productIdentifier = req.body.productIdentifier; const subscriptionOfferID = req.body.offerID; const applicationUsername = req.body.applicationUsername; const nonce = uuidv4(); const currentDate = new Date(); const timestamp = currentDate.getTime(); const keyID = getKeyID(); const payload = appBundleID + '\u2063' + keyID + '\u2063' + productIdentifier + '\u2063' + subscriptionOfferID + '\u2063' + applicationUsername + '\u2063'+ nonce + '\u2063' + timestamp; // Get the PEM-formatted private key string associated with the Key ID. // const keyString = getKeyStringForID(keyID); // Read the .p8 file const keyString = fs.readFileSync('./SubscriptionKey_47J5826J8W.p8', 'utf8'); // Create an Elliptic Curve Digital Signature Algorithm (ECDSA) object using the private key. const key = new ECKey(keyString, 'pem'); // Set up the cryptographic format used to sign the key with the SHA-256 hashing algorithm. const cryptoSign = key.createSign('SHA256'); // Add the payload string to sign. cryptoSign.update(payload); /* The Node.js crypto library creates a DER-formatted binary value signature, and then base-64 encodes it to create the string that you will use in StoreKit. */ const signature = cryptoSign.sign('base64'); /* Check that the signature passes verification by using the ec-key library. The verification process is similar to creating the signature, except it uses 'createVerify' instead of 'createSign', and after updating it with the payload, it uses `verify` to pass in the signature and encoding, instead of `sign` to get the signature. This step is not required, but it's useful to check when implementing your signature code. This helps debug issues with signing before sending transactions to Apple. If verification succeeds, the next recommended testing step is attempting a purchase in the Sandbox environment. */ const verificationResult = key.createVerify('SHA256').update(payload).verify(signature, 'base64'); console.log("Verification result: " + verificationResult) // Send the response. res.setHeader('Content-Type', 'application/json'); res.json({ 'keyID': keyID, 'nonce': nonce, 'timestamp': timestamp, 'signature': signature }); }); module.exports = router; Postman request and response Request URL: http://192.168.1.141:3004/offer Request JSON: { "appBundleID":"com.app.bundleid", "productIdentifier":"subscription.product.id", "offerID":"OFFERCODE1", "applicationUsername":"01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" } Response JSON: { "keyID": "KEYIDXXXXX", "nonce": "f98f2cda-c7a6-492f-9f92-e24a6122c0c9", "timestamp": 1753510571664, "signature": "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz" } Xcode Code func buy(_ product: SKProduct) { let discountOffer = SKPaymentDiscount( identifier: "OFFERCODE1", keyIdentifier: "KEYIDXXXXX", nonce: UUID(uuidString: "f98f2cda-c7a6-492f-9f92-e24a6122c0c9")!, signature: "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz", timestamp: 1753510571664) let payment = SKMutablePayment(product: product) payment.applicationUsername = "01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" payment.paymentDiscount = discountOffer SKPaymentQueue.default().add(payment) } Issue Even following instructions to the documentation and attempting various combinations, the offer keeps failing with SKErrorCodeDomain error 18. Has anyone else experienced this? Any suggestions as to what may be amiss or how it can be corrected?

Hi, Please refer the info graphic . I'm an issuer Bank App, who wants to add a card to phone's Digital Wallet. When I hit add to Apple or Google wallet, my API call goes to a Token Requester server and then to Token Service provider. In this process, I do get a JWT token back, but when I try to add token to Digital Wallet, I always get the message "The pass cannot be read because it is not valid". So few question: Is there a way to debug the token that is received by the app? Is there any kind of API console that I can look to see what is happening and why the pass is not valid? I, being the Issuer Bank App, a Token Service Requester and A Token Service Provider, who should be communicating with Apple servers? Are there any documents that explicitly shows (example) the flow of adding a credit card to Digital Wallet from iOS perspective? Any other help is appreciated. On my end, I have done this: public void AddToDeviceAsync(string data) { try { var dataArray = Encoding.UTF8.GetBytes(data); if (data.Length > 0) { if (PKAddPassesViewController.CanAddPasses && PKPassLibrary.IsAvailable) { _nsData = NSData.FromArray(dataArray); ObjCRuntime.Class.ThrowOnInitFailure = false; _pkPass = new PKPass(_nsData, out NSError e); if (!string.IsNullOrWhiteSpace(e?.LocalizedDescription)) { UserDialogs.Instance.AlertAsync(e.LocalizedDescription, AppResources.Alert); return; } if (!PkLibrary.Contains(_pkPass)) { var controller = new PKAddPassesViewController(_pkPass); var rootViewController = UIApplication.SharedApplication.Delegate.GetWindow().RootViewController; if (rootViewController != null) { var topController = TopViewControllerWithRootViewController(rootViewController); topController?.PresentViewController(controller, true, null); } } else { UserDialogs.Instance.AlertAsync(AppResources.Pass_Already_Present, AppResources.Alert); } } } else { UserDialogs.Instance.AlertAsync(AppResources.Invalid_Pass_Data, AppResources.Alert); } } catch (Exception e) { UserDialogs.Instance.AlertAsync(e.Message, AppResources.Alert); } }

Hi All, We operate a store with a single domain but multiple merchants, some of whom use PayPal as their payment gateway, while others use Stripe. We are looking to introduce Apple Pay for the various merchants. From what I understand, a .well-known file is required for each merchant to enable Apple Pay. How can we implement this, given that our merchants are using different payment gateways? Best regards, Joe

Hi, We’re a franchise business with over 100 franchisees, and each franchisee has their own unique Merchant ID. We're building a single app that allows customers to place orders, and based on the selected franchisee, the payment needs to be processed through that specific franchisee’s merchant account. However, when we integrate Apple Pay and publish the app, it asks us to provide a payment gateways' Merchant ID, but we don’t use just one – we have many. How can we handle this situation? Is there a way to dynamically use multiple Merchant IDs in one app, depending on which franchisee the customer is ordering from?

We have developed Apple Wallet Extension for our App. The in-app provisioning for the card is working. However when we try to add the card from Wallet extension it gives error saying "Your issuer does not yet offer support for this card". From the apple documentation we can see the issues is same as mentioned in Scenario 2 at following link https://applepaydemo.apple.com/in-app-provisioning#8.4 We are getting eligibilityStatus as 0 Below is the response from Wallet captured using SysDiagnosis https://crt-pod1-smp-device.apple.com:443/broker/v4/devices/0434320BCB1A90022306073796318273728D0A367FA927F4/cards 200 Time profile: 1.77856 seconds { x-conversation-id = ...... Content-Type = "application/json" x-pod = "crt-pod1" x-xss-protection = "1; mode=block" Server = "Apple" x-pod-region = "paymentpass.com.apple" regionbrokerurl = "https://crt-pod1-smp-device.apple.com:443/broker" Date = "Wed, 06 Aug 2025 11:39:30 GMT" Content-Length = "488" x-envoy-upstream-service-time = "1400" Strict-Transport-Security = "max-age=31536000; includeSubdomains" cross-origin-opener-policy = "same-origin" x-keystone-correlationid = ...... x-content-type-options = "nosniff" Vary = "accept-language" x-frame-options = "SAMEORIGIN" } { applicationIdentifier = ......; auxiliaryCapabilities = { }; cardType = 4; deviceProvisioningDataExpected = 1; eligibilityStatus = 0; identifier = ......; learnMoreURL = "https://www.apple.com/ae/apple-pay/banks/ae/en-ae.html"; nonce = ......; paymentApplications = ( { appletTypeIdentifier = Argon; paymentType = Credit; } ); region = "paymentpass.com.apple"; sanitizedPrimaryAccountNumber = 7008; sanitizedPrimaryAccountPrefix = ""; }

We are on a .NET ecommerce site hosted on AWS on a windows 2012R2 server. We have apple pay for the web integrated on the site and the certificates (merchant id and apple pay) were set to expire shortly. We created a new merchant id and apple pay cert, however we are now stuck as the new merchant ID certificate doesn't appear to be working although the old one did. Note there have been no code changes. Basically the apple pay process is failing on the merchant validation. Here are the steps we took: Created a CSR in Keychain Access Generated a Merchant ID cert in the Apple Developer account with that CSR. Imported the Merchant ID cert back into Keychain Access and exported as a p12 file the cert and the private key used to generate the CSR. Imported the p12 file into Windows 2012 R2. I can see in our debugging that the new certificate is being loaded but a SSL/TSL connection couldn't be made. So it seems there is an issue with the cert. Has anyone encountered this? I'm out of ideas at this point and under a lot of pressure from management to fix what was supposed to be a routine maintenance issue. If anyone has any ideas, that would be greatly appreciated.

We have an Apple Pay account and have successfully created and verified the payment processing certificate in our Apple Developer account. When initiating an Apple Pay payment, the Apple session is created successfully with the correct data return from api , but it is not accepted with the error: “Payment not completed.” The issue occurs even though the merchant validation step works without errors. Our websites where this is happening are: https://magicdeliver.com/ https://www.pulsarmodular.com/ Could you please help us identify the cause of the issue and guide us on resolving it?

The Shortcuts app offers the possibility to trigger shortcuts/intends when a wallet credit card is used and a new transaction is created. I would like to add transaction details to one of my apps and use such a shortcut for it. Other apps do the exact same thing, so this should not be a problem. Adding a shortcut to my app was not a big deal. However, how can this be tested on simulator? When trying to add a new automatization in the Shortcuts app using a wallet transaction as trigger I cannot finish the setup dialog since the Next button is disabled. I assume this is because no card is configured. When trying to add a card in Wallet I just receive that this was not successful. I have connected the simulator to a Sandbox Apple ID account using a region which supports Apple Pay (US). Using a real account does not solve the problem. Any idea how to get this working? Using real transaction within a store could obviously not be the solution for debugging.

I am attempting to verify my domain https://technoq.genesistechnologies.tech for use with Apple Pay Merchant ID. However, when I attempt verification, the process fails with the message: “Domain verification failed.” Unfortunately, no additional details are provided. I have already completed the following steps: Downloaded the verification file apple-developer-merchantid-domain-association.txt. Placed it in the .well-known directory as instructed. Confirmed that it is publicly accessible at: https://technoq.genesistechnologies.tech/.well-known/apple-developer-merchantid-domain-association.txt Verified that a valid SSL certificate is configured for the domain. Could you please advise on why the verification might be failing and what additional steps I should take to resolve this issue?

Hi Support, When the applepay express transit option is used on emv payment cards, like this iPhone - Open “Settings” → “Wallet & Apple Pay” → “Express Transit Card”. And a emv single card has been enabled under Express Transit And on transit reader Apple Enhanced contactless Polling support is provided, ( with VAS not supported, user authentciation not supported) Sometimes ATQB response also comes from the iPhone or iWatch instead of the ATQA response, and then it causes the transit reader to report as collision error in the polling. Sequence of the packets: WUPA WUPB ECP frame WUPA WUPB ATQB WUPA ATQA

I have apple pay on the web running ok on our website, using ios devices When I load the cart in a browser and try using the 'scan now qr code', my pay sheet displays on my iphone and then immediately closes. How can I debug the issue? I'm not seeing any logging or issues.

Is there a way to allow ApplePay to make deferred payments to a suite of stores, or will each store need the user to initially approve a payment manually?

We have finished integrating Apple Pay in our app and our payment processor is requiring us to send the 3dSecure version used for apple pay (2.1,2.2,2.3,etc.). I believe this only applies to mastercard but would appreciate if anyone has run into something similar and what you specified. I have not been able to find anything in Apple's documentation specifying the version that is used.

We created apps for many credit unions in Canada. Some of those apps has the feature to directly add users' debit cards to Apple Wallet (which is called by Apple as "in-app provisioning"). The feature has been working fine for at least 6 years for many credit unions. Recently, after updating one of those existing apps, we found out that the in-app provisioning is no longer working. Found it very strange, as we didn't touch the code base related to this feature for a very long time. One thing we found out is that the option to add in-app provisioning entitlement is missing during generating "provisioning profile" for the app. Is this a misconfiguration by App? Or do we need to request for additional entitlement migration as mentioned in the page: https://developer.apple.com/help/account/reference/provisioning-with-managed-capabilities ? Apple, please help, it's rather urgent.

Hi support, Since June 26th 2025 we are experiencing an issue with the ApplePay SSL server certificate installed on our servers in Production environment. We are facing an exception error during the initializing of a payment session while calling the url: https://apple-pay-gateway.apple.com/paymentservices/startSession The exception is Untrusted Server Certificate Chain: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)       at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1915)       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306)       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:300)       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1577)       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1010)       at sun.security.ssl.Handshaker.process_record(Handshaker.java:946)       at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1034)       at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1370)       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1354) It seems that the issue occurs randomly: we are experiencing this exception on most of our payment transactions, but there are some cases of users that have correctly paid on our site using this method and in those cases this error did not appear. We installed the new certificate on our servers on July 3rd 2025 and renewed on Aug 7th 2025. The new certificate validity is: Not Before: Aug 6 18:43:52 2025 GMT Not After : Nov 4 18:08:57 2025 GMT I must specify that this issue is blocking the correct placement of AppleyPay orders of our customers. Can you please help us find the problem and a possible solution?

Hi everyone, I’m encountering a strange issue with Apple Pay in our React Native iOS app using the Stripe React Native SDK. Summary of the Problem: • Apple Pay shows up as an available payment method inside the Stripe Payment Sheet. • When I tap Apple Pay, the Apple Pay sheet opens normally. • After confirming payment, the Apple Pay sheet immediately closes, and nothing happens. • No payment is created and no request reaches Stripe’s servers. On Stripe Dashboard the PaymentIntent remains incomplete, with no errors, which means the failure happens before Stripe receives anything. Environment • React Native with @stripe/stripe-react-native • StripeProvider configured with: <StripeProvider publishableKey={...} merchantIdentifier="merchant.com.app.venga" stripeAccountId={...} urlScheme="venga" > Apple Pay works on our web checkout with the same merchant identifier. We have verified all of the required Apple Pay setup: • Merchant ID exists, active, and matches exactly. • Merchant ID added to the iOS app target in Xcode → Signing & Capabilities. • Apple Pay capability enabled. • Merchant domain is verified (web checkout works). • Apple Pay certificate and merchant certificate are valid. • Stripe publishable key and merchantIdentifier are correct. • Stripe SDK correctly initialized. • Device region supports Apple Pay. Extra Observations: • The PaymentIntent’s allowed_payment_methods includes "card" and Apple Pay does appear in the payment sheet. • But after tapping Pay → the Apple Pay sheet closes instantly. • There is no callback with an error, and nothing appears in Stripe logs. • We are testing in Sweden. As far as I know Apple Pay should work fine here. Questions: What could cause the Apple Pay sheet to dismiss instantly after attempting a payment? Could this be caused by a merchant ID mismatch—even if Apple Pay appears in the sheet? Is there any Apple-device-level requirement (region, wallet config, card type) that could cause this silent failure? Is there a way to get more detailed logs when Apple Pay closes before Stripe receives anything? Any help or suggestions would be greatly appreciated. Thanks!

Hi, we are trying to verify our domain and we uploaded the file to our domain {DOMAIN}/.well-known/apple-developer-merchantid-domain-association.txt and we can access it. But when we want verify the domain in your platform we can't do it and you see the message "Domain verification failed". How can we verified or if we need change something in our side to verify it? thanks!

I'm implementing Apple Pay in my Flutter web app and I'm following the guidelines for domain verification using the apple-developer-merchantid-domain-association file. When I access the file at https://mydomain.com/.well-known/apple-developer-merchantid-domain-association through my web app, the browser silently downloads the file instead of displaying its content on the webpage. My question is: Is this the expected behavior for the apple-developer-merchantid-domain-association file? Should the browser download the file silently, or is there another step required, such as displaying the content on the webpage for verification purposes? I've consulted some resources and they indicate that the file download is the correct behavior. However, I'd appreciate confirmation from the community to ensure I'm implementing the verification process correctly. Summary is how do we know if apple has verified it?

Does anyone have info about the Retention Messaging API. We've requested access to it, but there's no answer.

Why did my sandbox test fail due to not being able to obtain the product list?