General: Forums topic: Privacy & Security Privacy Resources Security Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Dear Apple Developer Support Team, We are experiencing a recurring issue with the DeviceCheck API where the following error is being returned: com.apple.devicecheck.error 0 Upon analyzing our logs, we have noticed that this error occurs significantly more often when users are connected to Wi-Fi networks, compared to mobile networks. This leads us to suspect that there might be a relationship between Wi-Fi configuration and the DeviceCheck service’s ability to generate or validate tokens. We would like to know: Is this error code (0) known to be caused by specific types of network behavior or misconfigurations on Wi-Fi networks (e.g., DNS filtering, firewall restrictions, proxy servers)? Are there any recommended best practices for ensuring reliable DeviceCheck API communication over Wi-Fi networks? Additionally, could you please clarify what general conditions could trigger this com.apple.devicecheck.error 0? The lack of specific documentation makes debugging this issue difficult from our side. Any guidance or internal documentation on this error code and its potential causes would be greatly appreciated. IDE: Xcode 16.3 Looking forward to your support. Best regards,

override func prepareInterface(forPasskeyRegistration registrationRequest: any ASCredentialRequest) int this function how can i get the "challenge" from user agent, the params "challenge" need to be used in webauthn navigator.credentials.create

I'm experiencing an issue with Sign In with Apple integration in my React Native Expo app (Bundle ID: com.anonymous.TuZjemyApp). Problem Description: When users attempt to sign in using Sign In with Apple, they successfully complete Face ID/password authentication, but then receive a "Sign-Up not completed" error message. The authentication flow appears to stop at this point and doesn't return the identity token to my app. Technical Details: Frontend Implementation: Using expo-apple-authentication. Requesting scopes: FULL_NAME and EMAIL App is properly configured in app.json with: usesAppleSignIn: true Entitlement: com.apple.developer.applesignin Backend Implementation: Endpoint: POST /api/auth/apple Using apple-signin-auth package for token verification Verifying tokens with audience: com.anonymous.TuZjemyApp Backend creates/updates user accounts based on Apple ID Question: I'm not sure why the authentication flow stops with "Sign-Up not completed" after successful Face ID verification. The identity token never reaches my app. Could you please help me understand: What might cause this specific error message? Are there any additional Apple Developer Portal configurations required? Could this be related to app capabilities or entitlements? Is there a specific setup needed for the app to properly receive identity tokens? I set up provisioning profiles, and added Sign in with Apple as a capability and still it doesn't work.

Hello, I am working on a script to update an application which bundle ID changed. Only the bundle ID was modified; all other aspects remain unchanged. This application requires access to "Screen & System Audio Recording" permissions, which are currently granted to the old bundle ID. The script performs the following steps: launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.my_agent_1.plist pkgutil --forget com.my_agent_1 tccutil reset All com.my_agent_1 rm /Library/LaunchAgents/com.my_agent_1.plist rm -rf </path/to/com_my_agent_1> installer -dumplog -allowUntrusted -pkg </path/to/com_my_agent_2.pkg> -target / ... When running steps #1-6 without a restart between steps #5 and #6, the old bundle ID (com.my_agent_1) remains visible in TCC.db (verified via SQL queries). Looks like this is the reason why "com.my_agent_2" is not automatically added to the permission list (requiring manual add). Moreover, "tccutil reset All com.my_agent_1" does not work anymore, the error: tccutil: No such bundle identifier "com.my_agent_1": The operation couldn’t be completed. (OSStatus error -10814.) Is there any way to completely clear the "Privacy & Security" permissions without requiring a system restart? Thank you a lot for your help in advance!

Hello Apple Developer Community and Support, Our team is encountering a critical and persistent issue with our backend integration of Sign In with Apple, and we are hoping for some insights or assistance. Problem: We consistently receive an "invalid_client" error (HTTP 400 status) when our backend service attempts to exchange the authorization code for tokens at Apple's https://appleid.apple.com/auth/token endpoint. The error message from Apple's response is simply {"error":"invalid_client"}. Our Setup: Client Application: An iOS native application. Backend Service: A Go backend responsible for server-to-server token exchange and user management. Sign In with Apple Flow: The iOS app initiates the Sign In with Apple flow, obtains an authorization code, and then passes this code to our backend for token exchange. Extensive Troubleshooting Performed (No Success): We have meticulously followed all official Apple documentation (including TN3107: Resolving Sign In with Apple Response Errors) and industry best practices. Here's a summary of our verification steps, all of which currently show correct configurations and parameters: Backend client_secret JWT Construction: We generate a client_secret JWT as required for server-to-server communication. We've confirmed the claims in the generated JWT are correct: iss (Issuer): Our Team ID (e.g., XXXXXXXXXX). sub (Subject): Our Service ID (e.g., com.example.service.backendauth). aud (Audience): https://appleid.apple.com. kid (Key ID): The Key ID associated with our .p8 private key (e.g., YYYYYYYYYY). We have performed rigorous verification of the .p8 private key content itself, ensuring no corruption, extra characters, or formatting issues in the environment variable. Our backend logs confirm it's parsing the correct PEM content. Token Exchange Request Parameters: The client_id parameter sent in the POST request to /auth/token is correctly set to our App Bundle ID (e.g., com.example.app.ios), as this is the identifier for which the code was originally issued. The redirect_uri parameter sent in the POST request to /auth/token is precisely matched to a registered "Return URL" in our Apple Developer Portal (e.g., https://api.example.com:port/api/auth/callback?provider=apple). Apple Developer Portal Configuration (Meticulously Verified): App ID: Enabled for "Sign In with Apple". Service ID: Enabled for "Sign In with Apple". Its "Primary App ID" is correctly linked to our App Bundle ID (e.g., com.example.app.ios). Its "Return URLs" exactly match our backend's redirect_uri (e.g., https://api.example.com:port/api/auth/callback?provider=apple). Key: Our .p8 key has "Sign In with Apple" enabled. Crucially, in its configuration panel, the "Primary App ID" is correctly linked to our App Bundle ID (e.g., com.example.app.ios). We've ensured this key is specifically created for "Sign In with Apple" and not other services like APNs. We have performed multiple full revocations and meticulous re-creations of the App ID, Service ID, and Key in the Apple Developer Portal, ensuring correct linkages and using new identifiers to bypass any potential caching issues. Network & System Health Checks: Network connectivity from our backend server to https://appleid.apple.com (port 443) has been confirmed as fully functional via ping and curl -v. The incoming TLS handshake from our iOS client app to our backend server's callback URL (https://api.example.com:port/...) is successful and verified via openssl s_client -connect. There are no longer any TLS handshake errors (EOF). Our backend server's system clock is accurately synchronized via NTP. Request for Assistance: Given that all our visible configurations, environment variables, and request parameters appear to be correct and align with Apple's documentation, and network connectivity is confirmed, we are at a loss for why the invalid_client error persists. Based on TN3107, this error typically implies an issue with the client secret's signature or its validity for the given client_id. However, our logs confirm correct iss, sub, aud, and kid, and the private key content. Has anyone encountered this persistent invalid_client error when all checks pass? Are there any less common configurations or troubleshooting steps we might be missing? Could this indicate a caching or propagation delay on Apple's servers, even after waiting periods? Any insights or guidance would be greatly appreciated. We are prepared to provide detailed, anonymized logs and screenshots to Apple Developer Support privately if requested. Thank you.

Hi all, We are developing an iOS app that includes private user-to-user chats, commercial offer details with monetary value, and customer identification data. In line with OWASP MASVS-PLATFORM-3 requirements regarding unintentional sensitive data exposure, we need to protect these specific screens from screenshots and screen recording. We have carefully reviewed the relevant App Review Guidelines (2.5.1 on public APIs, 2.5.2 on self-contained bundles, 5.1.1 on privacy) and the related Human Interface Guidelines. From this analysis we have observed the following: iOS does not expose a public API to globally disable screen capture (no direct equivalent of Android's FLAG_SECURE). The SwiftUI .privacySensitive() modifier is effective for Lock Screen widgets and Always-On Display, but it does not appear to prevent screenshots or screen recording of an app's main UI while in the foreground. A number of widely distributed App Store apps (banking, authenticator, secure messaging) implement some form of screenshot protection on sensitive screens. Several established open-source libraries leverage the system behavior of UITextField with isSecureTextEntry as a wrapping container for arbitrary views, in order to achieve pixel-level protection for sensitive content. We would appreciate clarification on the following points: For privacy-driven protection of sensitive screens (private chats, customer data, monetized offers), is there an officially recommended approach we may have missed? Are there public APIs intended specifically for this use case beyond .privacySensitive()? Is the practice of leveraging UITextField with isSecureTextEntry as a wrapping container for arbitrary views considered an acceptable use of public APIs under Guideline 2.5.1, or does it carry App Review risk? Are there official recommendations or documentation for apps handling sensitive personal data that wish to align with industry standards such as OWASP MASVS-PLATFORM-3 for screenshot and screen recording leakage prevention? The intended use is strictly limited to a small number of screens marked as containing sensitive data (private messages, deal details, customer information). The protection would be selective and clearly communicated to the user via in-app messaging, not global to the app. Thanks in advance for any clarification, including pointers to existing documentation or threads we may have missed. Deployment target: iOS 15+

Hello I'm using Auth0 for handling auth in my app When the user wants to sign in, it will show the auth system pop-up And when the user wants to log out it shows the same pop-up My issue is how to replace the Sign In text in this pop-up to show Sign Out instead of Sign In when the user wants to sign out?

Recently, we have adapted the passkey function on the Mac, but we always encounter the error message "Unable to verify the web credentials association of xxx with domain aaa. Please try again in a few seconds." We can confirm that https://aaa/.well-known/apple-app-site-association has been configured and is accessible over the public network. Additionally, the entitlements in the app have also been set with webcredentials:aaa. This feature has been experiencing inconsistent performance. When I restart my computer or reinstall the pkg, this feature may work or it may still not work. I believe this is a system issue. Here is feed back ID: FB20876945 In the feedback, I provided the relevant logs. If you have any suggestions or assistance, please contact me. I would be extremely grateful!

we develop extension "Autofill Credential Provider" function for passkey. 1.first step registe passkey 2.second step authenticate with passkey step 1 &amp; step 2 has finished and run success with provideCredentialWithoutUserInteraction. But we want to prepare our interface for use to input password and select passkey what the want. however the func prepareInterfaceToProvideCredential in ASCredentialProviderViewController does call? what i missed? how can i do it?

Problem Summary I'm experiencing a persistent invalid-credential error with Apple Sign-In on iOS despite having verified every aspect of the configuration over the past 6 months. The error occurs at the Firebase Authentication level after successfully receiving credentials from Apple. Error Message: Firebase auth error: invalid-credential - Invalid OAuth response from apple.com. Environment Platform: iOS (Flutter app) Firebase Auth: v5.7.0 Sign in with Apple: v6.1.2 Xcode: Latest version with capability enabled iOS Target: 13.0+ Bundle ID: com.harmonics.orakl What Actually Happens ✅ Apple Sign-In popup appears ✅ User can authenticate with Apple ID ✅ Apple returns credentials with identityToken ❌ Firebase rejects with invalid-credential error The error occurs at Firebase level, not Apple level. What I've Tried Created a brand new Apple Key (previous key was 6 months old) Tested with both App ID and Service ID in Firebase Completely reinstalled CocoaPods dependencies Verified nonce handling is correct (hashed to Apple, raw to Firebase) Activated Firebase Hosting and attempted to deploy .well-known file Checked Cloud Logging (no detailed error messages found) Disabled and re-enabled Apple Sign-In provider in Firebase Verified Return URL matches exactly Waited and retried multiple times over 6 months Questions Is the .well-known/apple-developer-domain-association.txt file required? If yes, how should it be generated? Firebase Hosting doesn't auto-generate it. Could there be a server-side caching/blacklist issue with my domain or Service ID after multiple failed attempts? Should the Apple Key be linked to the Service ID instead of the App ID? The key shows as linked to Z3NNDZVWMZ.com.harmonics.orakl (the App ID). Is there any way to get more detailed error logs from Firebase about why it's rejecting the Apple OAuth response? Could using a custom domain instead of .firebaseapp.com resolve the issue? Additional Context Google Sign-In works perfectly on the same app The configuration has been reviewed by multiple developers Error persists across different devices and iOS versions No errors in Xcode console except the Firebase rejection Any help would be greatly appreciated. I've exhausted all standard troubleshooting steps and documentation. Project Details: Bundle ID: com.harmonics.orakl Firebase Project: harmonics-app Team ID: Z3N....... code : // 1. Generate raw nonce final String rawNonce = _generateRandomNonce(); // 2. Hash with SHA-256 final String hashedNonce = _sha256Hash(rawNonce); // 3. Send HASHED nonce to Apple ✅ final appleCredential = await SignInWithApple.getAppleIDCredential( scopes: [AppleIDAuthorizationScopes.email, AppleIDAuthorizationScopes.fullName], nonce: hashedNonce, // Correct: hashed nonce to Apple ); // 4. Create Firebase credential with RAW nonce ✅ final oauthCredential = OAuthProvider("apple.com").credential( idToken: appleCredential.identityToken!, rawNonce: rawNonce, // Correct: raw nonce to Firebase ); // 5. Sign in with Firebase - ERROR OCCURS HERE ❌ await FirebaseAuth.instance.signInWithCredential(oauthCredential);

Hi Apple Team and Community, We encountered a sudden and widespread failure related to the App Attest service on Friday, July 25, starting at around 9:22 AM UTC. After an extended investigation, our network engineers noted that the size of the attestation objects received from the attestKey call grew in size notably starting at that time. As a result, our firewall began blocking the requests from our app made to our servers with the Base64-encoded attestation objects in the payload, as these requests began triggering our firewall's max request length rule. Could Apple engineers please confirm whether there was any change rolled out by Apple at or around that time that would cause the attestation object size to increase? Can anyone else confirm seeing this? Any insights from Apple or others would be appreciated to ensure continued stability. Thanks!

I have an Autofill Passkey Provider working for Safari and Chrome via WebAuthn protocol. Unfortunately, Chrome will not offer my extension as a logon credential provider unless I add the credential to the ASCredentialIdentityStore. I wonder what is the best way to access the ASCredentialIdentityStore from an AutoFill extension? I understand I cannot access it directly from the extension context, so what is the best way to trigger my container app to run, based on a new WebAuthn registration? The best I can think of so far is for the www site to provide an App Link to launch my container app as part of the registration ceremony. Safari will offer my extension even without adding it to the ASCredentialIdentityStore, so I guess I should file a request with Chrome to work this way too, given difficulty of syncing ASCredentialIdentityStore with WebAuthn registration.

I would like to make an app that uses Sign in with Apple to provide the users with a very convenient way of authenticating their (anonymous) identity. I'm using the identityToken that the SignInWithAppleButton provides to the onCompletion closure to build an AWS Identity Resolver that will be used to access AWS resources for that user. At the moment, everything works fine, except that the identityToken eventually stops working (I think after 24 hours) and is no longer usable for AWS identity resolvers. Is there a way to refresh the identityToken, or to generate a new one, without user interaction? I don't mind at all, if in some situations (eg logout from another device, deletion of account, etc), it cannot refresh the token, and it directs me to take further action by giving an error. Most importantly, I don't want the user to be forced to deal with the SignInWithAppleButton every time that they interact with web services. From the user's point of view, I would like the experience to be that they simply confirm that they agree to use SignInWithApple on first use (maybe once per device), and are never inconvenienced by it again. P.S. Sorry for posting this here. I tried to set the topic to "Privacy & Security" and ran into form validation errors.

เนื่องจากได้อ่านรายละเอียดเกี่ยวกับแล้วตรงและสิ่งที่เจอทั้งหมดหลังจากได้ทีการแจ้งไปเรื่องโดนแฮ็กข้อมูลและถูกโจรกรรมข้อมูลส่วนบุคคลทั้งหมด เจอสถานณ์ตรงตามส่วน คำเตือนเนื้อหาที่ละเอียดอ่อนทั้งหมด ตอนนี้สภาพจิตใจย้ำแย่เป็นอย่างมากและท้อใจอย่างที่สุดเพราะโดเดี่ยวสู้กับปัญหาและพยายามหาหลักฐานเพียงผู้เดียวซึ่งไม่เหลืแคนที่ไว้วางใจได้แม้แต่คนเดียว เพราะโดนใส่ร้ายทุกรูปแบบจนเสียงชื่อเสียงเหมือนกับผลักทุกคนออกไปจากชีวิตจนไม่เหลือแม้คนเดียวที่รับฟังทำให้พูดความจริงทั้งหมดไม่มีใครเชื่อและรับฟังแม้แต่คนเดียว เหตุที่แจ้งไปก่อนหน้านี้เป็นเวลาเกือบ 8 เดือนกว่าๆแล้วจนถึงปัจจุบันนี้ ยังไม่ได้รับกาคช่วยเหลือหรือไม่มีการช่วยเหลือใดๆทั้งสิ้น

Hello, I am currently process of migrating an app from Team A to Team B and attempting to generate transfer identifiers using the migration endpoint: POST https://appleid.apple.com/auth/usermigrationinfo. Content-Type: application/x-www-form-urlencoded However, I am consistently receiving an { "error": "access_denied" } response. [Current Configuration] Team A (Source): Primary App ID: com.example.primary Grouped App IDs: com.example.service (Services ID for Web) com.example.app (App ID for iOS - The one being transferred) All identifiers are under the same App Group. Team B (Destination): New App ID and Key created. [Steps Taken] Created a Client Secret (JWT) using Team A's Key ID and Team ID. The sub (subject) in the JWT is set to the Primary App ID of Team A. Requesting with client_id (Primary App ID), client_secret (JWT), and user_token. [Questions] 1. App Group Impact: Does the fact that the App being transferred is a Grouped App ID (not the Primary) affect the usermigrationinfo request? Should I use the Primary App ID or the specific Grouped App ID as the client_id? 2. Ungrouping Safety: If I need to ungroup the App ID from the Primary App ID to resolve this: Will existing users still be able to sign in without issues? Is there any risk of changing the sub (user identifier) that the app receives from Apple? Will this cause any immediate service interruption for the live app? Any insights on why access_denied occurs in this Primary-Grouped configuration would be greatly appreciated.

On Thursday, June 12, 2025, Sign in with Apple was impacted by an incorrect subdomain defined in its /.well-known/openid-configuration file. The JSON returned incorrectly provided https://account.apple.com instead of the expected https://appleid.apple.com. For Sign in with Apple, the value for the issuer (iss) claim in the user's identity token is https://appleid.apple.com. Additionally, if your clients use the Sign in with Apple REST API, the following endpoints should be used for each request: https://appleid.apple.com/auth/authorize https://appleid.apple.com/auth/token https://appleid.apple.com/auth/revoke https://appleid.apple.com/auth/keys This issue with the /.well-known/openid-configuration file was resolved the same day. Use the URL below to confirm the expected subdomain is provided, as needed: https://appleid.apple.com/.well-known/openid-configuration Cheers, Paris X Pinkney |  WWDR | DTS Engineer

Hello, When using ASWebAuthenticationSession with an HTTPS callback URL (Universal Link), I receive the following error: Authorization error: The operation couldn't be completed. Application with identifier jp.xxxx.yyyy.dev is not associated with domain xxxx-example.go.link. Using HTTPS callbacks requires Associated Domains using the webcredentials service type for xxxx-example.go.link. I checked Apple’s official documentation but couldn’t find any clear statement that webcredentials is required when using HTTPS callbacks in ASWebAuthenticationSession. What I’d like to confirm: Is webcredentials officially required when using HTTPS as a callback URL with ASWebAuthenticationSession? If so, is there any official documentation or technical note that states this requirement? Environment iOS 18.6.2 Xcode 16.4 Any clarification or official references would be greatly appreciated. Thank you.

Would really appreciate support with this invalid_client issue: I have a web app and have aligned the JWT Header and Payload JWT Header { "alg": "ES256", "kid": "ABC123DEFG" } JWT Payload { "iss": "DEF123GHIJ", "iat": 1234567890, "exp": 1234567890, "aud": "https://appleid.apple.com", "sub": "com.yourapp.service" The domains and callback are aligned and correct I've even created a new p8 and updated the Key_ID Sending Credentials to Apple (Token Request) Content-Type: application/x-www-form-urlencoded However, still no luck. Can anyone assist with identifying the possible error? Many thanks

I need to launch ASWebAuthenticationSession from single sign on extension, but its not launching it might issue with anchoring window, I have create custom windo and passing it in presentanchor(for session) function, custom window is launching but ASWebAuthenticationSession browser is not launching Note - flow is like this Apple PSSO register window lauched OIDC login will happen via ASWebAuthenticationSession to get accesstoken which will use in device registration but ASWebAuthenticationSession is not launching, I am using custom scheme as redirect URI iskeywindow for custom window is always false what is right approach to achieve the goal

I've just implemented Sign-In-With-Apple and everything is working perfectly, but my app seems to be in some strange state where users are unable to remove it from the Sign-In-With-Apple section of their settings. Things I've tried: -- Deleting from Mac. (It just stays in the list) -- Deleting from the iPhone (It stays in the list) -- Deleting from account.apple.com (same issue) -- I've noticed in the browser inspector tools I receive a 200 on the DELETE request, but the app remains. -- Multiple users Also have tried: -- Revoking the token through the REST API -- I get an email saying the token has been revoked, but it's still working -- Same code, different app id (works fine!) It seems like maybe my app is in some sort of weird state? Has anyone come across this before?