We received a request directly from /apple/notifications. This subscription is not a renewal, but a first-time purchase. We associate the originalTransactionId with the user's ID to identify the subscribed user. However, since we do not have access to the user's ID on our server through this direct request, we are unable to properly process the subscription. How should we handle this type of subscription request? What is the source of this subscription, and why are some users able to bypass in-app purchases for first-time subscriptions and make the purchase directly?

Hello, On my website, I have a button to make a payment via Apple Pay. When I click on it, the Touch ID window opens correctly. However, when I place my finger on the Touch ID, I get a payment error. This issue only occurs in production mode. In sandbox mode, everything works perfectly. Here is a log file : log.txt Thank you in advance for your help.

We have a checkout page on which clients can configure the providers we've integrated with for each currency. One such provider is Stripe, with which we have already integrated ApplePay and host a merchant domain association file. Now, we're getting requests to support ApplePay with other providers. The issue is that we can't tell Apple to use a different path to domain association file for domain verification. And, replacing the existing domain association file seems like a hack, since I believe it's needed for domain re-verification. We're thinking of using subdomains for serving the domain association files for different providers. But, we have some questions on how ApplePay domain verification works to understand how we can solve our problem. Firstly, can we use subdomains for individual domain verification? If we already have example.com verified with Stripe, can we serve the domain association file for the other provider with provider.example.com and have the verification work? Secondly, let's say our domain is example.com, and we can use provider.example.com to serve the domain association file and verify the domain. Then on example.com/checkout, will using an iframe with provider.example.com/applepay to host the ApplePay button work? This thread suggests otherwise, but we want to confirm. Lastly, is the only way to make an ApplePay payment for provider.example.com to use that subdomain? So redirecting to provider.example.com/applepay would work? Thanks for your help!

We have verified our domain but if the file is removed from the deployed site after verification will this impact using ApplePaySession.applePayCapabilities in real time? We use that method from the JS api in our React app to determine whether or not to show the apple pay button. When that function is called in the browser, do the apple servers ping the https://our.domain.com/.well-known/apple-developer-merchantid-domain-association URL at that time? Or do they check for it periodically? The reason for asking is that with our many environments we wonder if we can verify each environment's domain by adding the file once. The file will be wiped out by our CICD process as it goes up the environment stack through our development workflow. Or do we need to maintain that file for each environment and add something to our build process?

We plan to set Manual PAN Entry Allowed = N and accept only issuer push provisioning (PKAddPaymentPass). Is there any Apple Pay programme rule that obliges us to keep MANUAL_ENTRY enabled? Will disabling it affect “Participating Issuer” listing?

I am trying to get a pass reader certified through the mFi / WPC certification process. The problem I have is that the Certifier app will not allow testing results to be submitted due to some missing information. I need support to discuss the missing information, but I have received no replies from the email provided for WPC Certification Representative. Does anyone here know how to get support for the WPC Certification process?

My Raiffeisen ELBA-App doesnt work anymorw since i downloaded ios 26 beta 3 i cant open the app pls fix it because its my only banking app

We are developing a native iOS financial application called Tradu: Stocks, Forex, and CFDs (Apple ID: 6473443264), which embeds a WKWebView to render all user-facing logic. All user interactions—including authentication with MFA—occur inside this WKWebView. To access native functionality, we use postMessage() to communicate between the web and native layers. This approach has worked successfully for biometric authentication, for example. We are currently integrating Apple Pay In-App Provisioning and have a few questions regarding compliance with the documentation provided by our Issuer Host (Modulr). In the document titled Getting Started with Apple Pay: In-App Provisioning, Verification, Security, and Wallet Extensions (Version 4.0, February 2023), all examples are based on a fully native application. We’ve managed to integrate most of the In-App Provisioning flow via postMessage() up to the point of passing encryptedData to the Payment View. Apple Pay button inside WKWebView In Section 7: Frontend Overview, the user initiates the provisioning by tapping a native PKPaymentButton (SwiftUI example). In our case, this button is rendered inside the WKWebView, styled according to the Apple Style Guide. While the document references this approach as a “raw mark text supplement,” is this method acceptable and compliant with Apple’s UX and technical guidelines? MFA requirement before provisioning In Section 4: Security Guidelines, it is stated that the user must have passed MFA at least once before starting the provisioning flow. In our implementation, users must complete MFA on every login (including on recognized devices) before the provisioning UI becomes available. Even though this is not tied specifically to “unrecognized devices,” is our MFA requirement sufficient to satisfy Section 4.2? Summary: Is using a web-rendered Apple Pay button inside WKWebView (instead of a native PKPaymentButton) considered compliant? Is our MFA enforcement model (required on every login) aligned with the security requirements outlined in Section 4.2 of the Apple Pay In-App Provisioning documentation?

Hello Apple Developer Team/Community, I am working on developing an Apple Wallet pass with NFC functionality for our electric vehicle (EV) charging stations. The goal is to enable a "tap-to-start charging" feature, providing a seamless and efficient experience for users. However, my request for an NFC certificate to enable this functionality has been rejected. Here is a summary of my use case and actions taken so far: 1. Use Case: The Wallet pass will allow users to initiate charging sessions by tapping their iPhones or Apple Watches on the EV charger. This feature aims to simplify the process by eliminating the need for additional apps, physical cards, or manual inputs. It enhances accessibility and aligns with Apple’s goals of providing users with secure and convenient solutions. 2. Steps Taken: Submitted the NFC certificate request with a detailed explanation of the functionality. Included diagrams and supporting documents demonstrating the workflow and system readiness. Received a rejection without clear guidance on how to address the issue. 3. Technical Readiness: Our backend is fully prepared to support NFC passes, including secure processing of tap events and payload encryption. The Wallet pass has been configured to include the nfc field with the required encryptionPublicKey. Request for Assistance: Could you provide guidance on improving my application to meet Apple’s criteria for NFC certificates? Are there specific requirements or examples of successful NFC-enabled Wallet pass applications that I can use as a reference? If anyone has faced a similar rejection, what steps did you take to get approval? Additional Information: Use case: EV charging stations NFC functionality: Tap-to-start charging session Current implementation: Pass is functional without NFC but requires NFC for seamless operation. Any advice or resources to help resolve this issue would be greatly appreciated. Thank you for your time and support. Best regards, DeveloperSquillion

Is there a way to make a subscription's auto-renewal fail in sandbox environment? Currently, I see no such options (screenshot)

Hi, We're experiencing an issue with verifying our domain for Apple Pay on the web. It's currently stuck in the "Pending" state despite meeting the listed requirements. The domain in question has been verified once successfully but one month later when we renewed the SSL, we were unable to verify the domain again. Please note that the new certificate's CA chain has been changed. A) The "apple-developer-merchantid-domain-association.txt" file is publicly accessible at the following location: /.well-known/apple-developer-merchantid-domain-association.txt B) We've also ensured that the following IP ranges are whitelisted: 17.32.139.128/27 17.32.139.160/27 17.140.126.0/27 17.140.126.32/27 17.179.144.128/27 17.179.144.160/27 17.179.144.192/27 17.179.144.224/27 17.253.0.0/16 17.23.4.96/27 17.132.108.64/26 17.23.24.32/27 17.23.19.0/27 17.157.40.128/27 17.157.44.128/27 17.157.32.0/27 C) Our servers support TLS 1.2 already. D) "ECDHE-RSA-AES128-GCM-SHA256" cipher suite has been used, so we believe all necessary criteria are satisfied. However, when we attempt to verify the domain, we receive the following error message: "Domain verification failed. Review your TLS Certificate configuration to confirm that the certificate is accessible and a supported TLS Cipher Suite is used." Could you please advise why the verification is failing, or let us know if there's anything we might have missed? Best regards, Mehdi

We are trying to develop a coupon/offer code module where our app users can avail a free trail offer for 2 months period after applying the code. We already had a subscription module with monthly & yearly subscriptions with 7 day free trial period. Now, we want to implement a offer/coupon module, where, a user can either select monthly or yearly subscription, and upon entering the offer/coupon code, they will get 2 months free trial (or) a discount on the chosen subscription. (this will overwrite the existing 7 day free trial). We are confused on choosing the type of “offer/coupon” from AppStore connect. In App Store connect, we have introductory offers, promotional offer & Offer codes. Based on our requirements, we have done research and found that we cannot implement the offer code & promotional codes in the develop environment as there is no possibility to test in Sandbox environment. We observed that we need to push the app to App store and upon approval, we need to implement “offer/coupon” module. Can some one please suggest or guide us on choosing the best solution for our requirement? Thanks in advance.

In the docs, I see a button type with label "Pay With [apple logo]. https://developer.apple.com/design/human-interface-guidelines/apple-pay Although I don't see this type as an option here: https://developer.apple.com/documentation/PassKit/PKPaymentButtonType Wondering if I'm looking in the right place and if this button type is still available?

When running the test app with test flight before actually opening the app, the execution region is Korea and the country code is Korea, but the currency code on the payment screen is displayed as dollars or euros instead of won. In the payment settings, the currency code is set to won for Korea and dollars for the United States, and the European region is not set at all, but in some phones it is displayed as euros, and in some phones it is not like this, and in some cases it is displayed as won normally.

We are attempting to integrate the Apple Pay service into our website and have successfully verified our domain with Apple manually. However, we consistently receive an 'ApplePay reverify failed' email a month before the expiration time. Upon checking, we updated the SSL certificate for the domain before receiving the email, and the link still works fine in the browser. We would greatly appreciate any feedback from someone who can help us with this issue.

I'm successfully using Apple subscriptions in my app, but I'm encountering SKErrorCodeDomain error 18 when trying to apply a subscription offer. I want apply offer code first time only for subscription. Below are details of what i set in appstore and what i have tested. Subscription Offer Details Offer Type: For the first month Customer Eligibility: New, Existing, and Expired Subscribers Code Status: Active Offer Code Creation Steps: App Store Connect → App → Subscription → Select Subscription Product → Offer Codes → Add → Add Custom Codes Signature Generation for Promotional Offers I'm following Apple's documentation to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers I’ve constructed the payload as instructed: appBundleId + '\u2063' + keyIdentifier + '\u2063' + productIdentifier + '\u2063' + offerIdentifier + '\u2063' + appAccountToken + '\u2063' + nonce + '\u2063' + timestamp Keys and Identifiers keyIdentifier, issuerId, and .p8 file are obtained from: App Store Connect → Users and Access → Integrations → In-App Purchase Test user created under: App Store Connect → Users and Access → Sandbox → Test Accounts Logged in with this account on the iPhone What I’ve Tried Verified all values used in the payload are correct Tried both seconds and milliseconds for the timestamp (as per documentation, it should be in milliseconds) Tried setting appAccountToken to: a valid UUID an empty string not setting it at all Used Apple’s sample code to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-promotional-offer-signature-on-the-server Verified the generated signature locally, and it validated successfully: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers#Validate-locally-and-encode-the-signature Apple’s sample code to generate a signature Downloaded from const express = require('express'); const router = express.Router(); const crypto = require('crypto'); const ECKey = require('ec-key'); const secp256k1 = require('secp256k1'); const uuidv4 = require('uuid/v4'); const KeyEncoder = require('key-encoder'); const keyEncoder = new KeyEncoder('secp256k1'); const fs = require('fs'); function getKeyID() { return "KEYIDXXXXX"; } router.post('/offer', function(req, res) { const appBundleID = req.body.appBundleID; const productIdentifier = req.body.productIdentifier; const subscriptionOfferID = req.body.offerID; const applicationUsername = req.body.applicationUsername; const nonce = uuidv4(); const currentDate = new Date(); const timestamp = currentDate.getTime(); const keyID = getKeyID(); const payload = appBundleID + '\u2063' + keyID + '\u2063' + productIdentifier + '\u2063' + subscriptionOfferID + '\u2063' + applicationUsername + '\u2063'+ nonce + '\u2063' + timestamp; // Get the PEM-formatted private key string associated with the Key ID. // const keyString = getKeyStringForID(keyID); // Read the .p8 file const keyString = fs.readFileSync('./SubscriptionKey_47J5826J8W.p8', 'utf8'); // Create an Elliptic Curve Digital Signature Algorithm (ECDSA) object using the private key. const key = new ECKey(keyString, 'pem'); // Set up the cryptographic format used to sign the key with the SHA-256 hashing algorithm. const cryptoSign = key.createSign('SHA256'); // Add the payload string to sign. cryptoSign.update(payload); /* The Node.js crypto library creates a DER-formatted binary value signature, and then base-64 encodes it to create the string that you will use in StoreKit. */ const signature = cryptoSign.sign('base64'); /* Check that the signature passes verification by using the ec-key library. The verification process is similar to creating the signature, except it uses 'createVerify' instead of 'createSign', and after updating it with the payload, it uses `verify` to pass in the signature and encoding, instead of `sign` to get the signature. This step is not required, but it's useful to check when implementing your signature code. This helps debug issues with signing before sending transactions to Apple. If verification succeeds, the next recommended testing step is attempting a purchase in the Sandbox environment. */ const verificationResult = key.createVerify('SHA256').update(payload).verify(signature, 'base64'); console.log("Verification result: " + verificationResult) // Send the response. res.setHeader('Content-Type', 'application/json'); res.json({ 'keyID': keyID, 'nonce': nonce, 'timestamp': timestamp, 'signature': signature }); }); module.exports = router; Postman request and response Request URL: http://192.168.1.141:3004/offer Request JSON: { "appBundleID":"com.app.bundleid", "productIdentifier":"subscription.product.id", "offerID":"OFFERCODE1", "applicationUsername":"01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" } Response JSON: { "keyID": "KEYIDXXXXX", "nonce": "f98f2cda-c7a6-492f-9f92-e24a6122c0c9", "timestamp": 1753510571664, "signature": "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz" } Xcode Code func buy(_ product: SKProduct) { let discountOffer = SKPaymentDiscount( identifier: "OFFERCODE1", keyIdentifier: "KEYIDXXXXX", nonce: UUID(uuidString: "f98f2cda-c7a6-492f-9f92-e24a6122c0c9")!, signature: "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz", timestamp: 1753510571664) let payment = SKMutablePayment(product: product) payment.applicationUsername = "01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" payment.paymentDiscount = discountOffer SKPaymentQueue.default().add(payment) } Issue Even following instructions to the documentation and attempting various combinations, the offer keeps failing with SKErrorCodeDomain error 18. Has anyone else experienced this? Any suggestions as to what may be amiss or how it can be corrected?

Hi, I am the developer of this app and I was shared this receipt which strangely does not list my name as the merchant but instead says "The flow network" as you can see below: What is going on?

Dear Apple team and developers, We integrated Apple Pay E-Commerce on our system and made successful transaction at January using following certificates. Merchant Identity Certificate (generated from our Apple developer account) Payment Processing Certificate (generated from our Apple developer account) Payment Session Server Certificate (used following command and generated from apple-pay-gateway-cert.apple.com:443 test URL) Command: openssl s_client -connect apple-pay-gateway-cert.apple.com:443 -key MIC_priv.key -cert MIC_merchant_id.pem -showcerts | openssl x509 -outform DER > apay_ident_trusted_cert_test.der Root CA G3 (Downloaded “Apple Root CA – G3 Root” from https://www.apple.com/certificateauthority/ ) But at this month, we got new certificate problem (please check following) when we try to execute Apple Pay E-Commerce transaction. Certificate 'C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Application Integration CA - G3' is not valid Certificate. What is this certificate? And Where can I download or generate this certificate from? Could you please advise/give us good information for this certificate problem? Best Regards, Bilguun Enkhbaatar

Hello, We are experiencing an issue with Apple Pay integration in our application. We are using WKWebView to handle various payment methods, but we are unable to complete payments via Apple Pay. Upon debugging the WKWebView, we received the following error message: "400 No required SSL certificate was sent" when attempting to process the payment. Currently, we are using a Let's Encrypt SSL certificate. Could you please confirm whether this certificate is suitable for Apple Pay, or if we should be using a different SSL certificate?

We have developed Apple Wallet Extension for our App. The in-app provisioning for the card is working. However when we try to add the card from Wallet extension it gives error saying "Your issuer does not yet offer support for this card". From the apple documentation we can see the issues is same as mentioned in Scenario 2 at following link https://applepaydemo.apple.com/in-app-provisioning#8.4 We are getting eligibilityStatus as 0 Below is the response from Wallet captured using SysDiagnosis https://crt-pod1-smp-device.apple.com:443/broker/v4/devices/0434320BCB1A90022306073796318273728D0A367FA927F4/cards 200 Time profile: 1.77856 seconds { x-conversation-id = ...... Content-Type = "application/json" x-pod = "crt-pod1" x-xss-protection = "1; mode=block" Server = "Apple" x-pod-region = "paymentpass.com.apple" regionbrokerurl = "https://crt-pod1-smp-device.apple.com:443/broker" Date = "Wed, 06 Aug 2025 11:39:30 GMT" Content-Length = "488" x-envoy-upstream-service-time = "1400" Strict-Transport-Security = "max-age=31536000; includeSubdomains" cross-origin-opener-policy = "same-origin" x-keystone-correlationid = ...... x-content-type-options = "nosniff" Vary = "accept-language" x-frame-options = "SAMEORIGIN" } { applicationIdentifier = ......; auxiliaryCapabilities = { }; cardType = 4; deviceProvisioningDataExpected = 1; eligibilityStatus = 0; identifier = ......; learnMoreURL = "https://www.apple.com/ae/apple-pay/banks/ae/en-ae.html"; nonce = ......; paymentApplications = ( { appletTypeIdentifier = Argon; paymentType = Credit; } ); region = "paymentpass.com.apple"; sanitizedPrimaryAccountNumber = 7008; sanitizedPrimaryAccountPrefix = ""; }