Hi Apple Developer Team, I am encountering an issue with the “Sign in with Apple” feature. While implementing this functionality in my dotnet application, I noticed that the user’s first name and last name are not being returned, even though I have explicitly requested the name scope. However, the email and other requested information are returned successfully. Here are the details of my implementation: 1. Scope Requested: name, email 2. Response Received: Email and other data are present, but fullName is missing or null. 3. Expected Behavior: I expected to receive the user’s first and last name as per the fullName scope. I have verified the implementation and ensured that the correct scopes are being passed in the request. Could you please help clarify the following? 1. Are there specific conditions under which Apple may not return the user’s fullName despite the scope being requested? 2. Is there a recommended approach or fallback mechanism to handle this scenario? 3. Could this behavior be related to a limitation or change in the API, or might it be an issue on my end? I also came to know that for initial sign in the user details will be displayed in the signin-apple payload as Form data but how do I fetch those form-data from the signin-apple request, please suggest I would greatly appreciate any guidance or solutions to resolve this issue. Thank you for your support!

Hi Apple Developers, I'm having a problem with evaluatedPolicyDomainState: on the same device, its value keeps changing and then switching back to the original. My current iOS version is 26.1. I upgraded my iOS from version 18.6.2 to 26.1. What could be the potential reasons for this issue? { NSError *error; BOOL success = YES; char *eds = nil; int edslen = 0; LAContext *context = [[LAContext alloc] init]; // test if we can evaluate the policy, this test will tell us if Touch ID is available and enrolled // success = [context canEvaluatePolicy: LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]; if (SystemVersion > 9.3) { // test if we can evaluate the policy, this test will tell us if Touch ID is available and enrolled success = [context canEvaluatePolicy: LAPolicyDeviceOwnerAuthentication error:&error]; } else{ // test if we can evaluate the policy, this test will tell us if Touch ID is available and enrolled success = [context canEvaluatePolicy: LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]; } if (success) { if (@available(iOS 18.0, *)) { NSData *stateHash = nil; if ([context respondsToSelector:@selector(domainState)]) { stateHash = [[context performSelector:@selector(domainState)] performSelector:@selector(stateHash)]; }else{ stateHash = [context evaluatedPolicyDomainState]; } eds = (char *)stateHash.bytes; edslen = (int)stateHash.length; } else { eds = (char *)[[context evaluatedPolicyDomainState] bytes]; edslen = (int)[[context evaluatedPolicyDomainState] length]; } CC_SHA256(eds, edslen, uviOut); *poutlen = CC_SHA256_DIGEST_LENGTH; } else { *poutlen = 32; gm_memset(uviOut, 0x01, 32); } }

Hi, We are trying to open an application "xyz.app" It worked fine until 15.1.1 versions. But facing issues with 15.2 and 15.3 The application is working fine when we navigate to xyz.app/Contents/MacOS/ and run applet in this directory. But the error ""Not authorized to send Apple events to Finder"" occurs when we are trying to open the app directly. Could someone please help me understand what might be causing this issue and how to resolve it?

I am experiencing an issue with Apple Sign-In on Vision Pro. When I build and run the app from Xcode, everything works fine—after signing in, the app returns to the foreground as expected. However, when I launch the app directly on Vision Pro (not from Xcode), after completing the sign-in process, the app does not reopen from the background automatically. Instead, it closes, and I have to manually tap the app icon to reopen it. Has anyone else encountered this issue? Is there a way to ensure the app properly resumes after sign-in without requiring manual intervention?

Hi, we are having Sign in with Apple issues. For a large % of new users on our app which select this option, the first name and last name values are not being passed to us. This is the case in both scenarios - where the user shares their email address or hides it, and happens on iPhone when the user selects the default iCloud account. We're unclear why this is occurring.

Hi, My MACOS app has sensitive content and dont want user to take screenshot or to record the screen. I tries window.sharingType=none. With this user can still record the screen. I know that user can record with external device. But we dont want him to record using screen capture. Can you please tell me how to detect when screen recording is active in MACOs apps? or how to prevent screen recording in MACOs apps. Thanks

Hello, I am working on a script to update an application which bundle ID changed. Only the bundle ID was modified; all other aspects remain unchanged. This application requires access to "Screen & System Audio Recording" permissions, which are currently granted to the old bundle ID. The script performs the following steps: launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.my_agent_1.plist pkgutil --forget com.my_agent_1 tccutil reset All com.my_agent_1 rm /Library/LaunchAgents/com.my_agent_1.plist rm -rf </path/to/com_my_agent_1> installer -dumplog -allowUntrusted -pkg </path/to/com_my_agent_2.pkg> -target / ... When running steps #1-6 without a restart between steps #5 and #6, the old bundle ID (com.my_agent_1) remains visible in TCC.db (verified via SQL queries). Looks like this is the reason why "com.my_agent_2" is not automatically added to the permission list (requiring manual add). Moreover, "tccutil reset All com.my_agent_1" does not work anymore, the error: tccutil: No such bundle identifier "com.my_agent_1": The operation couldn’t be completed. (OSStatus error -10814.) Is there any way to completely clear the "Privacy & Security" permissions without requiring a system restart? Thank you a lot for your help in advance!

Hello, I am implementing "Sign in with Apple" on my backend and validating the Identity Token (JWT) received from the client. I noticed that for some users who choose the "Hide My Email" option, the is_private_email claim is missing from the ID Token payload, even though the email address clearly belongs to the private relay domain (@privaterelay.appleid.com). Here is an example of the decoded payload I received: { "iss": "https://appleid.apple.com", "aud": "com.platform.elderberry.new.signinwithapple", "exp": 1764402438, "iat": 1764316038, "sub": "000851.86193ef81ad247feb673746c19424f28.0747", "c_hash": "3FAJNf4TILzUgo_YFe4E0Q", "email": "x8sqp2dgvv@privaterelay.appleid.com", "email_verified": true, "auth_time": 1764316038, "nonce_supported": true // "is_private_email": true <-- This field is missing } My Questions: Is the is_private_email claim considered optional in the ID Token? Is it safe and recommended to rely solely on the email domain suffix (@privaterelay.appleid.com) to identify if a user is using a private email? Any insights or official references would be appreciated. Thanks.

Hello, I’m planning to develop a custom referral-based attribution system for my app. The goal is to log the number of installs that come from unique referral links and then track subsequent in‑app analytics (for example, when a user reaches level 5 in a game). I’d also like to capture the user’s country to further segment these analytics. I want to build this system myself—without relying on third‑party services (such as AppsFlyer or Branch) since I only need a few key data points and want to keep costs low. However, I’m aware of the privacy restrictions in iOS and want to ensure that my implementation complies with Apple’s guidelines. Specifically, I would appreciate guidance on the following: Permissible Signals: Is it acceptable to log signals like IP address (or a suitably anonymized version), device model, and timestamp to help correlate the referral click to a successful install and subsequent in‑app events? Are there any other recommended non‑PII signals that can be used to confirm a referral install without risking rejection during App Review? Best Practices: What are the best practices for handling and transmitting these signals (e.g., should IP addresses be truncated or hashed)? How can I ensure that my system remains compliant with Apple’s App Tracking Transparency and other privacy guidelines? I’d appreciate any insights or references to relevant documentation that might help me build this system without getting rejected by Apple. Thank you in advance for your assistance!

When developing and testing using my phone I got prompted for allowing app tracking. I later uploaded a build to TestFlight, deleted the old testing app and installed the TestFlight build. I am now stuck in an infinite loop of not getting prompted for allowing app tracking for the app. When entering the app settings the toggle for tracking never appears which leaves me not able to enter the app's content. My guess is that the prompt can only be shown once for the app bundle, but there has to be a way for me to get prompted again without changing the app bundle id. Help is appreciated since this app is scheduled to be published in a week.

I am using Auth0 as a login manager for our app. The way Auth0 handles login is that their SDK will create a web view where the login is actually handled. Once the login is finished the session will end and the app will gain control. We are not set up for passkeys in their system and can't set up quickly to do that. Unfortunately with the new iOS "passkey is the primary login" way iOS is set up now, users are asked to use passkey when it's not supported on the backend. I don't have direct control of the login screens. Is there any way, at the app level, to tell the app to not use passkeys so that it quits showing up as an option for the users? I can't find any documentation on doing this. How can I stop passkey in my app entirely?

this is my monitor image that shows DeviceCheck api responding very slowly.

Hi everyone, We just completed an App Store Connect app transfer between two developer teams and ran into what seems like an inconsistency with TN3159 (Migrating Sign in with Apple users for an app transfer). According to the technote, both the source and destination teams should be able to call /auth/usermigrationinfo for 60 days after the transfer, even if the migration wasn’t run beforehand. However, right after the transfer completed, the source team (Team A) started receiving: {"error":"invalid_client"} on all /auth/usermigrationinfo requests, even though /auth/token with scope=user.migration still works fine. What we verified before transfer: Team A’s Sign in with Apple key (ES256) was linked to the app and Services ID. OAuth flow for com.org.appname.web returned valid tokens, and the decoded ID token showed aud=com.org.appname.web with a valid private relay email, confirming the key was trusted. What happens after transfer: The key now shows “Enabled Services: —” and the App/Services IDs are no longer selectable in the Developer portal. /auth/usermigrationinfo immediately returns invalid_client for Team A, even within the same day of the transfer. This effectively makes Team A unable to generate transfer_sub values, blocking the migration flow TN3159 describes. Questions: Is Team A supposed to retain authorization to call /auth/usermigrationinfo for 60 days post-transfer? If yes, is there any known workaround to re-authorize the key or temporarily re-bind it to the transferred identifiers? If not, does this mean transfer_sub must be generated before transfer acceptance, contrary to how TN3159 reads? Would really appreciate any confirmation or guidance from Apple or anyone who’s gone through this recently. Thanks,

I received Apple’s recent notice about the new requirement to provide a server-to-server notification endpoint when registering or updating a Services ID that uses Sign in with Apple. (Official notice: https://developer.apple.com/news/?id=j9zukcr6 ) We already use Sign in with Apple on our website and app, but only as a login method for pre-registered users, not as a way to create new accounts. That means users already exist in our system, and Apple login is used only for authentication convenience (similar to linking a social account). I have some questions about how to properly implement the required server-to-server notifications in this case: 1. email-enabled / email-disabled: We don’t use or store the email address provided by Apple. Are we still required to handle these events, or can we safely ignore them if the email is not used in our system? 2. consent-revoked: We don’t store Apple access or refresh tokens, we use them only during login and discard them immediately. In this case, do we still need to handle token revocation, or can we simply unlink the Apple login from the user account when receiving this notification? 3. account-delete: If a user deletes their Apple account, we can unlink the Apple login and remove related Apple data, but we cannot delete the user’s primary account in our system (since the account exists independently). Is this acceptable under Apple’s requirements as well? We want to make sure our implementation aligns with Apple’s policy and privacy requirements, while maintaining consistency with our existing account management system. If anyone from Apple or other developers who implemented similar logic could provide guidance or share examples, it would be greatly appreciated. Thank you!

Issue with passport-apple: req.user Returning Undefined Data & Callback URL Issue I am facing an issue with passport-apple where, after successful authentication, the callback function does not receive the expected user data. Instead, req.user contains undefined values, and there seems to be an issue with the callback URL handling. Steps to Reproduce I have configured passport-apple with the following strategy: passport.use( new AppleStrategy( { clientID: process.env.APPLE_CLIENT_ID, teamID: process.env.APPLE_TEAM_ID, keyID: process.env.APPLE_KEY_ID, privateKeyLocation: path.join(__dirname, 'Auth.p8'), callbackURL: process.env.APPLE_CALLBACK_URL, scope: ['name', 'email'], passReqToCallback: true }, async (req, accessToken, refreshToken, idToken, profile, done) => { try { const decoded = jwt.decode(idToken); const user = { id: decoded?.sub || null, email: decoded?.email || null, name: profile?.name?.firstName || 'Unknown' }; const userApp = await authController.handleAppleAuth(user.email, accessToken, refreshToken); done(null, userApp); } catch (error) { return done(error); } } ) ); Observed Behavior Apple login succeeds, and an existing user is found in the database. However, req.user contains undefined values after authentication. The callback URL does not seem to function correctly, leading to potential misrouting or incomplete authentication flow. Expected Behavior req.user should contain the authenticated user's ID, email, and name. The callback URL should properly handle the authentication response. Actual Behavior req.user contains undefined values instead of valid user data, and the callback URL handling seems to be incorrect. Log Output: { id: '001412.13cccc5062074c35833683f6f0bcf5f6.1212', email: 'xyz@somemail.com', name: 'Unknown' } user checking redirectionn [Function: next] 📍 Processing Apple callback 📍 Authentication successful for user: { id: undefined, email: undefined } { id: undefined, email: undefined, firstName: undefined, lastName: undefined, subscriptionStatus: undefined }

Hello, I am implementing "Sign in with Apple" on my backend and validating the Identity Token (JWT) received from the client. I noticed that for some users who choose the "Hide My Email" option, the is_private_email claim is missing from the ID Token payload, even though the email address clearly belongs to the private relay domain (@privaterelay.appleid.com). Here is an example of the decoded payload I received: { "iss": "https://appleid.apple.com", "aud": "xxx", "exp": 1764402438, "iat": 1764316038, "sub": "xxxxxxxx", "c_hash": "3FAJNf4TILzUgo_YFe4E0Q", "email": "xxx@privaterelay.appleid.com", "email_verified": true, "auth_time": 1764316038, "nonce_supported": true // "is_private_email": true <-- This field is missing } My Questions: Is the is_private_email claim considered optional in the ID Token? Is it safe and recommended to rely solely on the email domain suffix (@privaterelay.appleid.com) to identify if a user is using a private email? Any insights or official references would be appreciated. Thanks.

After the App transfer is initiated, will the replacement of the old and new certificates affect user authorization? (Based on some replies from DTS on the forum [Apple login authorization data is generated in combination with the team ID to which the App currently belongs], it is speculated that after the App transfer, during the period when the certificate configuration of the new team ID is not completed, authorization or authentication may not be performed normally, resulting in users being unable to use the Apple login function normally) During the 60-day migration period, if the user authorizes or cancels authorization and then authorizes again in the old app, will the authorized data be different? If so, will transfer_sub be included in the authorization operation?

Hi, I have an application that uses SecureEnclave keys to protect secrets. By passing an LAContext object to the Secure Enclave operations, authentication state can be preserved across decrypt operations, and you do not need to re-authenticate for doing different operations. However, for security reasons, I would like to avoid that it is possible to do operations in batch with certain keys generated by the Secure Enclave, by any application. This would avoid malicious binaries to batch-extract all the secrets that are protected by a key from my Secure Enclave, and force to re-authenticate on every operation. Is there a way to prevent batch operations without re-authenticating for Secure Enclave keys? thanks, Remko

Hi, My app keeps getting rejected during App Review with the reason that the Sign in with Apple button is unresponsive. However, I have tested it extensively on: • A real iPad Pro (iPadOS 18.3.2) • Multiple Xcode simulators • Including an iPad Air 5th simulator (18.3.1) In all of these cases, the button works correctly. The reviewer mentioned they are using an iPad Air 5th running iPadOS 18.3.2, which I cannot find as a simulator in Xcode, nor do I have access to this exact device around me. I’m using standard SignInWithAppleButton code with no custom wrappers or UI layers on top. Here is the relevant snippet: GeometryReader { geometry in ZStack { Color.black.opacity(0.3) .ignoresSafeArea() .onTapGesture { prompt = "" showChat = false } VStack(alignment: .leading, spacing: 0){ switch purchaseManager.hasAISubscription { case 1: HStack{ } case 2: HStack{ } case 3: HStack{ } default: HStack{ } } Divider() ScrollView { VStack(alignment: .leading, spacing: 8) { ForEach(filteredChatHistory, id: \.id) { chat in } } Spacer() } .frame(maxHeight: geometry.size.height * 0.7) .defaultScrollAnchor(.bottom) .padding() Divider() HStack(){ if httpManager.isLoggedIn && purchaseManager.hasAISubscription > 0 { } } else if purchaseManager.hasAISubscription == 0{ } else{ Spacer() SignInWithAppleButton(.continue){ request in request.requestedScopes = [.email] } onCompletion: { result in switch result { case .success(let auth): switch auth.credential { case let appleCredential as ASAuthorizationAppleIDCredential: let userID = appleCredential.user saveToKeychain(userID, for: "com.xing-fu.aireader.apple.userid") if let identityTokenData = appleCredential.identityToken, let identityToken = String(data: identityTokenData, encoding: .utf8) { Task { //后端认证过,才算登录成功 await httpManager.loginWithApple(identityToken) } } break default: break } case .failure(let error): print("error") } } .frame(maxWidth: 350, maxHeight: 40) .padding() .cornerRadius(10) Spacer() } } } .overlay( // 边框 RoundedRectangle(cornerRadius: 10) .stroke(Color.g2, lineWidth: 4) ) .background(Color(UIColor.systemBackground)) .cornerRadius(10) // 圆角 .shadow(color: Color.black.opacity(0.1), radius: 5, x: 0, y: 5) .frame(width: geometry.size.width * 0.8) .onDisappear{ httpManager.alertMessage = nil } } }

Hello Apple Developer Community and Support, Our team is encountering a critical and persistent issue with our backend integration of Sign In with Apple, and we are hoping for some insights or assistance. Problem: We consistently receive an "invalid_client" error (HTTP 400 status) when our backend service attempts to exchange the authorization code for tokens at Apple's https://appleid.apple.com/auth/token endpoint. The error message from Apple's response is simply {"error":"invalid_client"}. Our Setup: Client Application: An iOS native application. Backend Service: A Go backend responsible for server-to-server token exchange and user management. Sign In with Apple Flow: The iOS app initiates the Sign In with Apple flow, obtains an authorization code, and then passes this code to our backend for token exchange. Extensive Troubleshooting Performed (No Success): We have meticulously followed all official Apple documentation (including TN3107: Resolving Sign In with Apple Response Errors) and industry best practices. Here's a summary of our verification steps, all of which currently show correct configurations and parameters: Backend client_secret JWT Construction: We generate a client_secret JWT as required for server-to-server communication. We've confirmed the claims in the generated JWT are correct: iss (Issuer): Our Team ID (e.g., XXXXXXXXXX). sub (Subject): Our Service ID (e.g., com.example.service.backendauth). aud (Audience): https://appleid.apple.com. kid (Key ID): The Key ID associated with our .p8 private key (e.g., YYYYYYYYYY). We have performed rigorous verification of the .p8 private key content itself, ensuring no corruption, extra characters, or formatting issues in the environment variable. Our backend logs confirm it's parsing the correct PEM content. Token Exchange Request Parameters: The client_id parameter sent in the POST request to /auth/token is correctly set to our App Bundle ID (e.g., com.example.app.ios), as this is the identifier for which the code was originally issued. The redirect_uri parameter sent in the POST request to /auth/token is precisely matched to a registered "Return URL" in our Apple Developer Portal (e.g., https://api.example.com:port/api/auth/callback?provider=apple). Apple Developer Portal Configuration (Meticulously Verified): App ID: Enabled for "Sign In with Apple". Service ID: Enabled for "Sign In with Apple". Its "Primary App ID" is correctly linked to our App Bundle ID (e.g., com.example.app.ios). Its "Return URLs" exactly match our backend's redirect_uri (e.g., https://api.example.com:port/api/auth/callback?provider=apple). Key: Our .p8 key has "Sign In with Apple" enabled. Crucially, in its configuration panel, the "Primary App ID" is correctly linked to our App Bundle ID (e.g., com.example.app.ios). We've ensured this key is specifically created for "Sign In with Apple" and not other services like APNs. We have performed multiple full revocations and meticulous re-creations of the App ID, Service ID, and Key in the Apple Developer Portal, ensuring correct linkages and using new identifiers to bypass any potential caching issues. Network & System Health Checks: Network connectivity from our backend server to https://appleid.apple.com (port 443) has been confirmed as fully functional via ping and curl -v. The incoming TLS handshake from our iOS client app to our backend server's callback URL (https://api.example.com:port/...) is successful and verified via openssl s_client -connect. There are no longer any TLS handshake errors (EOF). Our backend server's system clock is accurately synchronized via NTP. Request for Assistance: Given that all our visible configurations, environment variables, and request parameters appear to be correct and align with Apple's documentation, and network connectivity is confirmed, we are at a loss for why the invalid_client error persists. Based on TN3107, this error typically implies an issue with the client secret's signature or its validity for the given client_id. However, our logs confirm correct iss, sub, aud, and kid, and the private key content. Has anyone encountered this persistent invalid_client error when all checks pass? Are there any less common configurations or troubleshooting steps we might be missing? Could this indicate a caching or propagation delay on Apple's servers, even after waiting periods? Any insights or guidance would be greatly appreciated. We are prepared to provide detailed, anonymized logs and screenshots to Apple Developer Support privately if requested. Thank you.