Team-scoped keys introduce the ability to restrict your token authentication keys to either development or production environments. Topic-specific keys in addition to environment isolation allow you to associate each key with a specific Bundle ID streamlining key management. For detailed instructions on accessing these features, read our updated documentation on establishing a token-based connection to APNs.

Apple pay on checkout in iframe is working with test cards while in Private window. However when we go into normal browsing the Apple Pay button is greyed out. Real cards will ask for fingerprint and then decline with "Payment Not Completed". What is the issue?

We have a checkout page on which clients can configure the providers we've integrated with for each currency. One such provider is Stripe, with which we have already integrated ApplePay and host a merchant domain association file. Now, we're getting requests to support ApplePay with other providers. The issue is that we can't tell Apple to use a different path to domain association file for domain verification. And, replacing the existing domain association file seems like a hack, since I believe it's needed for domain re-verification. We're thinking of using subdomains for serving the domain association files for different providers. But, we have some questions on how ApplePay domain verification works to understand how we can solve our problem. Firstly, can we use subdomains for individual domain verification? If we already have example.com verified with Stripe, can we serve the domain association file for the other provider with provider.example.com and have the verification work? Secondly, let's say our domain is example.com, and we can use provider.example.com to serve the domain association file and verify the domain. Then on example.com/checkout, will using an iframe with provider.example.com/applepay to host the ApplePay button work? This thread suggests otherwise, but we want to confirm. Lastly, is the only way to make an ApplePay payment for provider.example.com to use that subdomain? So redirecting to provider.example.com/applepay would work? Thanks for your help!

We’ve an implementation of apple pay with asia pay as gateway . We want to access that from external iframe . although we’ve been able to load the apple pay widget not able to validate merchant and tokenize in iframe. Please let us know if apple pay with asia pay is available to be used within iframe.

Can i use apple pay integration into my web iframe?In my situation, canMakePayment() returns null when i check browser support apple pay or not in Iframe

Is there a way to move user data from UserDefaults to SwiftData when the app is in production so that people don’t lose their data. Currently my audio journals in my journal app has everything in the UserDefaults. Now this is bad for obvious reasons but I was thinking if there was a way. It’s only been 1 week since published and I have already had17 people download it.

I created a self signed CA and use it to generate/sign a client cert using openssl. Then I use the self signed client cert to do TLS client authentication with my server (which also uses the self signed CA). The issue I have is when I validate the self signed CA, by calling SecTrustEvaluateAsyncWithError, it always complains this error “'DigiCert Global Root G3' certificate is not trusted". However that CA (DigiCert Global Root G3) is not my self signed CA (my CA is 'MQTTSampleCA' and I attached a dump of the my CA cert in the PR in the end of this post), so I'm confused why the API keeps complaining that CA. After some researching, I see that is a well known CA so I download its cert from https://www.digicert.com/kb/digicert-root-certificates.htm, install and trust it on my iOS device, but that doesn't help and I still get the same error. I provide all the repro steps in this PR: https://github.com/liumiaojq/EmCuTeeTee/pull/1, including how I generate the certs and the source codes of a test app that I used to do cert validation. I appreciate if anyone can share insights how to resolve this error.

I am developing a virtual Bluetooth HID keyboard device on my Win desktop that connects to my iPad over bluetooth and advertises itself as a keyboard to control the iPad. It works very well already on Android, but not on iOS. I can see in Packet Logger that it reads well as a HID device, reads the report map and HID information correctly, which data is all valid. It doesn't subscribe to the report's Client Characteristic Configuration, just silently quitting and the keyboard does not work. I can post more information if needed, but my question in short is what are the requirements for iOS to accept a HID over GATT as a keyboard peripheral. I feel like I am close.

We just updated our ATS to the latest 8.3.0 version and tried to run the iAP2 Session Test via BPA100 Bluetooth Analyzer and we are experiencing this EXC_BAD_INSTRUCTION. This same test still seems to work on ATS version 6. Please advise. Process: ATS [1782] Path: /private/var/folders/*/ATS.app/Contents/MacOS/ATS Identifier: com.apple.ATSMacApp Version: 8.3.0 (1826) Build Info: ATSMacApp-1826000000000000~2 (1A613) Code Type: X86-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-01-27 11:05:21.1334 -0800 OS Version: macOS 15.2 (24C101) Report Version: 12 Bridge OS Version: 9.2 (22P2093) Anonymous UUID: 098E2BB5-CB98-CA1C-CEFE-188AF6EFE8CF Time Awake Since Boot: 9700 seconds System Integrity Protection: enabled Crashed Thread: 2 com.apple.ATSMacApp.FrontlineFrameworkInterface Exception Type: EXC_BAD_INSTRUCTION (SIGILL) Exception Codes: 0x0000000000000001, 0x0000000000000000 Termination Reason: Namespace SIGNAL, Code 4 Illegal instruction: 4 Terminating Process: exc handler [1782]

I confirm that the configured callback address is accurate and can be called using Postman. The server receives notification messages from IAP

In TN3179 under "macOS considerations" there are a set of instances where local network privacy does not apply: macOS automatically allows local network access by: Any daemon started by launchd Any program running as root Command-line tools run from Terminal or over SSH, including any child processes they spawn I am running some tests in my app that use the local network, attempting to run them from both the terminal app and from a VScode terminal and I am getting permissions prompts. After allowing these pop ups, some of the tests still fail as if networking was blocked.

How do I get rid of this CLI error? Thanks dyld[35085]: symbol '__ZTINSt3__13pmr15memory_resourceE' missing from root that overrides /usr/lib/libc++.1.dylib. Use of that symbol in /System/Library/PrivateFrameworks/caulk.framework/Versions/A/caulk is being set to 0xBAD4007.

Hey! We are investigating a problem pf rules being ignored by some processes. Despite blocking all traffic, some outgoing unicast packets can be seen in tcpdump. Issue is present in MacOS 15.0.0 - 15.3.1 (Newest at the time of writing). I tested MacOS 14.7.4 and pf rules there behaved as expected. Steps to reproduce the issue: $ cat pf.conf block all $ sudo pfctl -e -F all -f ./pf.conf Password: pfctl: Use of -f option, could result in flushing of rules present in the main ruleset added by the system at startup. See /etc/pf.conf for further details. No ALTQ support in kernel ALTQ related functions disabled rules cleared nat cleared dummynet cleared 0 tables deleted. 196 states cleared source tracking entries cleared pf: statistics cleared pf: interface flags reset pfctl: pf already enabled After executing these commands MacOS 14 will block all outgoing unicast traffic, and on MacOS 15 data can be sent to arbitrary addresses: $ ifconfig en0 en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM> ether b6:5e:a5:c5:1e:db inet6 fe80::1090:9c8:4325:329a%en0 prefixlen 64 secured scopeid 0xe inet 192.168.50.144 netmask 0xffffff00 broadcast 192.168.50.255 nd6 options=201<PERFORMNUD,DAD> media: autoselect status: active $ sudo tcpdump -k A -i any -n src 192.168.50.144 tcpdump: data link type PKTAP tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes 12:05:12.673472 (en0, proc com.apple.geod:1286:, svc BE, out, ch, flowid 0x0, ttag 0x0, dlt 0x1, cmpgc 0x0) IP 192.168.50.144.52012 > 17.253.15.196.443: Flags [P.], seq 1888882378:1888882402, ack 3554898220, win 2048, options [nop,nop,TS val 2752050055 ecr 1291585385], length 24 12:05:13.793937 (en0, proc com.apple.WebKit:974:, eproc Safari:804:, svc BE, out, ch, flowid 0x0, ttag 0x0, dlt 0x1, cmpgc 0x0) IP 192.168.50.144.52024 > 3.65.102.105.443: Flags [P.], seq 2011312019:2011312073, ack 673002582, win 2048, options [nop,nop,TS val 777228223 ecr 484269939], length 54 Was there any change in the way pfctl is used or is this a bug? This issue affects negatively privacy features of our product.

Hi, We have an issue (https://github.com/actions/runner-images/issues/10924) raised by a user requesting to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners. Apple introduced a new LNP policy with macOS Sequoia that is not controlled by TCC or MDM. Could you please guide us on how to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners? Thanks.

When I used the iPhone 11 to scan the wifi connection, the system reported an error,   ‘’’ let config = NEHotspotConfiguration(ssid: name, passphrase: passwd, isWEP: false) let manager = NEHotspotConfigurationManager() manager.apply(config) { error in      } ’’’ NEHotspotConfigurationErrorDomain Code=8 “internal error.” , the only thins that fixes this issue it restarting the iPhone. What is the reason for this and how to solve it? Reference link: https://developer.apple.com/forums/thread/111638 https://cloud.tencent.com/developer/ask/sof/114654981

We have a watchOS app that provides many configurable widgets. Those widgets are configured and installed with help of AppIntent: public struct RectComplAppIntent: AppIntent, WidgetConfigurationIntent, CustomIntentMigratedAppIntent { @Parameter(title: "Style") var style: String? .... } However when I print WidgetInfos with getCurrentConfigurations(), I sometimes got nil for configuration. At the same time widgets are not loaded. Exact steps: User installs the pre-cofnigured .watchface. Complications are not loaded since configuration is missing. I print getCurrentConfigurations() and get entries like this: WidgetInfo: - configuration: nil - widgetConfigurationIntent: nil - family: accessoryRectangular - kind: Rectangle Then user force-touches a face and opens editing mode. Returns to watch app, prints infos: WidgetInfo: - configuration: <INIntent: 0x780d290> { style = vol1Logo; } - widgetConfigurationIntent: nil - family: accessoryRectangular - kind: Rectangle – Suddenly intent appears with the correct style and complications start to show up. How do you think, why it happens? Why after .watchface install all the WidgetInfo has nil intent (configuration)? What helps them to load later? You can try this face yourself: https://cdn.watchfaces.co/watchfaces/glance-minimalist.watchface

iOS 16 and earlier On iOS 16 and earlier, Apple Pay on the Web required Safari—and all interactions with the Apple Pay API to come from the parent/top level page. In order to facilitate the Apple Pay button in an HTML inline frame (iframe), there will need to be cross frame communication between the child and parent pages. Cross frame communication should be secure and robust, therefore the use of postMessage for this purpose is recommended. The expectation is for all communication with Apple Pay to occur from the parent page, so the iframe must relay all Apple Pay related events to the parent to handle. Some examples: Apple Pay availability: The parent calls applePayCapabilities, then sends the message of the response to the iframe, which then uses the value to toggle the visibility of the Apple Pay button. Apple Pay session: The iframe receives an onclick() event when the Apple Pay button is clicked and sends the message to the parent (providing details about the transaction). The parent create the payment request to obtain the session validation URL, and eventually receive session credentials and invokes completeMerchantValidation() to prevent the payment sheet. After the payment is authorized by the Payment Service Provider (PSP), the parent either: Redirects the parent page to a payment success page; or Sends a message to the iframe to complete the transaction flow itself. iOS 17 and later On IOS 17 and later, the iframe HTML element should include the allow="payment" attribute, which should facilitate the cross frame communications instead of needing a dedicated JavaScript library. This means all of the Apple Pay code/calls can reside in the iframe page—which is typically a hosted page from a Payment Service Provider (PSP), all the parent page—typically a merchant—has to do is add the attribute mentioned above to the iframe element. Important: Regardless of the iOS version, the PSP/merchant always needs to make sure the parent page domain is the one registered in the Developer portal, and used in the request to generate a merchant session via ApplePaySession. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

Hi, I'm wondering if an in-app purchase is already made, but my app has not yet call finishTransaction(_:). Would that transaction be settled to me? Or do I only receive payment after the transaction is marked as 'finish' via storekit?

I’m trying to develop a widget with a button that triggers an app intent. I integrated the app intent into my app within a separate app framework. I tested it with Shortcuts and Siri, and it works well—it opens the app on the required screen. However, when I added a button Button(intent: MyIntent()) to my widget, it doesn’t work at all. The only clue I found is the following message in the Xcode debug console: “No ConnectionContext found for (some big integer)” when I tap on the widget's button. However, I see the same message when running it through the Shortcuts app, and in that case, it works fine. Does anyone know what might be causing this issue? My Intent: public struct OpenTextInputIntent: AppIntent { public static var title: LocalizedStringResource = "Open text input" public static var openAppWhenRun: Bool = true @Parameter(title: "Predefined text") public var predefinedText: String @Dependency private var appCoordinator: AppCoordinatorProtocol public init() { } public func perform() async throws -> some IntentResult { appCoordinator.openAddMessage(predefinedText: predefinedText) return .result() } } My widget's view: struct SimpleWidgetView : View { var entry: SimpleWidgetTimelineProvider.Entry var body: some View { ZStack(alignment: .leadingTop) { button } } private var button: some View { Button(intent: OpenTextInputIntent()) { Image(systemName: "mic.fill") .resizable() .aspectRatio(contentMode: .fit) .iconFrame() } .buttonStyle(PlainButtonStyle()) .foregroundStyle(Color.white) .padding(10) .background(Circle().fill(Color.accent)) } } Intents Registration in the app target: struct MyAppPackage: AppIntentsPackage { static var includedPackages: [any AppIntentsPackage.Type] { [FrameworkIntentsPackage.self] } } struct MyAppShortcutsProvider: AppShortcutsProvider { static var appShortcuts: [AppShortcut] { AppShortcut( intent: OpenTextInputIntent(), phrases: ["Add message in \(.applicationName)"], shortTitle: "Message input", systemImageName: "pencil.circle.fill" ) } } What I'm missing?

We are looking to setup domain-bound codes for our app and need to add the associated domain file to our website. We currently do not use Universal Links or Password AutoFill. We have looked at the documentation but are not sure of what the contents of the association file should be to enable domain-bound codes if you are not using Universal Links or Password AutoFill. Can any assistance be provided?

I implemented the cloudkit function, where users can connect with each other. The problem is, that if User A is doing a friend request and User B is accepting the request. The friend entry is correct visible for User B but not for User A. I can see in cloud kit that after the accepted request, the friend connection is set up correctly, also with the correct userID, but it not showing up for User A (the one that send the request)