APNs token auth suddenly returns InvalidProviderToken for active team-scoped APNs key

I’m trying to diagnose an APNs provider authentication issue that began after APNs had previously been working.

Summary: My iOS app can register for remote notifications and successfully sends its device token to my server. The app has the Push Notifications capability enabled in Xcode, the Bundle ID has Push Notifications enabled in Certificates, Identifiers & Profiles, and the APNs key is active in the Apple Developer portal.

However, every server-side APNs send attempt now fails with:

HTTP 403 {"reason":"InvalidProviderToken"}

This happens against both sandbox and production APNs endpoints.

App / account details:

  • Bundle ID / apns-topic: app.terrasignal
  • Team ID: 837F2XGDX
  • Current APNs Key ID: HNW7XPK2H3
  • APNs key type: Apple Push Notifications service (APNs)
  • Key configuration: Team scoped, Sandbox & Production
  • Xcode signing team: David Buck / Team ID 837F2XGDX
  • Push Notifications capability is enabled in Xcode
  • Device token environment tested: sandbox
  • Server clock verified against Apple/date header and matches UTC

What works:

  • iOS app launches successfully
  • Push permission is granted
  • Device token is generated
  • Device registers with my server successfully
  • Server stores the token as sandbox for bundle app.terrasignal

What fails:

  • Server-to-APNs provider authentication
  • Direct HTTP/2 APNs request fails before notification delivery
  • Failure reason is always InvalidProviderToken

I tested three separate APNs keys:

  • 34T746MWFV
  • T9N75GU2AV
  • HNW7XPK2H3

Each key was downloaded from the Developer portal, uploaded to the server, verified as a valid .p8 private key, and used with its matching Key ID. All produce the same InvalidProviderToken result.

I also bypassed my APNs library and tested direct HTTP/2 + JOSE JWT signing. The direct APNs test also fails with the same response:

HTTP status: 403
Response body: {"reason":"InvalidProviderToken"}

Example direct APNs test details:

  • Host: api.sandbox.push.apple.com
  • Path: /3/device/<sandbox device token>
  • apns-topic: app.terrasignal
  • apns-push-type: alert
  • apns-priority: 10
  • JWT header: {"alg":"ES256","kid":"HNW7XPK2H3"}
  • JWT payload includes iss: 837F2XGDX and current iat
  • Key imports successfully with jose importPKCS8
  • JWT is generated successfully
  • APNs rejects it with InvalidProviderToken

I also tried production endpoint with the same result:

Host: api.push.apple.com
HTTP 403 {"reason":"InvalidProviderToken"}

Things verified:

  • System clock is correct
  • Docker/server UTC time matches Apple Date header
  • Bundle ID topic is app.terrasignal
  • APNs key exists in the Apple Developer portal
  • APNs service is enabled on the key
  • Key is configured for Sandbox & Production
  • Push Notifications capability is enabled for the app
  • Xcode signing uses the same team
  • The .p8 file is not empty or malformed
  • The key imports successfully via jose/importPKCS8
  • The issue occurs before APNs evaluates the device token, because authentication fails first

Question: What Apple-side account/key/app configuration state can cause multiple active APNs auth keys for the same team to return InvalidProviderToken, even when:

  1. the key is active,
  2. APNs is enabled,
  3. the Team ID matches,
  4. the Bundle ID topic matches,
  5. the server clock is correct,
  6. and a direct HTTP/2 APNs request with manually generated ES256 JWT also fails?

Is there a way to force-refresh, repair, or re-sync APNs provider authentication for a Developer account / Bundle ID / APNs key?

I can provide redacted screenshots of:

  • Xcode Signing & Capabilities showing Push Notifications enabled
  • Apple Developer portal Key Details
  • Bundle ID Push Notifications capability
  • APNs direct HTTP/2 smoke test output
  • Server APNs diagnostics showing InvalidProviderToken

I will not post full device tokens, .p8 private key contents, debug secrets, or private server files publicly.

with those brilliant minds here. Been stuck on this now 4 days and glad only TestFlight and not live. Any help/direction is welcome. I spent so many hours on this project and now to have no alerts arrive on the phones is disheartening. Thank you for your time and help in advance!

I would first suggest checking your tokens on the https://developer.apple.com/notifications/push-notifications-console/

Once you log in, you will see a Tools tab on the top where you can use the JSON Web Token Validator.

That should tell you what is wrong with the token from the APNs point of view.

If that doesn't give an answer you can use to fix it, send another push that will fail and let me know the apns-id and exactly when you sent it.

@mention me when you have done so, so I can take a look before the logs roll off.

Thank you so much for your time!! — I tested both tools in the Push Notifications Console.

Selected app/context:

  • App/topic: app.terrasignal
  • Console URL context appears to be: teams/837F2XGDX/app/app.terrasignal

Device Token Validator:

  • Result: Valid
  • Message shown: “Device Token is valid for sending Alert & Background push-type notifications in the Development environment.”
  • This was the current sandbox/development token generated by the app and registered with my server.

JSON Web Token Validator:

  • Result: Failed
  • Error shown: “Team Id in request does not match with Issuer (iss) in token”

The JWT was generated on my VPS using the active APNs key HNW7XPK2H3 and Team ID 837F2XGDX.

JWT header: { "alg": "ES256", "kid": "HNW7XPK2H3" }

JWT payload: { "iss": "837F2XGDX", "iat": 1780268873 }

I did not post the full JWT or private key publicly.

This seems to narrow the issue:

  • The device token validates successfully for Development.
  • The app/topic selected in Push Notifications Console is app.terrasignal.
  • The visible console team context appears to be 837F2XGDX.
  • The JWT issuer is also 837F2XGDX.
  • But Apple’s JWT Validator still reports a Team ID / issuer mismatch.

This matches my server-side APNs result: HTTP 403 {"reason":"InvalidProviderToken"}

Can you please check whether the APNs backend association between app/topic app.terrasignal, Team ID 837F2XGDX, and APNs key HNW7XPK2H3 is correct?

If you still need a failed APNs request timestamp/apns-id, I can send another direct HTTP/2 request and provide the exact UTC time and any response headers returned.

Still at a loss of what to do. Claude 4.8 says Apple/ChatGPT 5.5 thinking points to this on Apple's side. I am hoping it is something simple. It could be something I did but I just don't know. I simply don't know what more I can do and so many hours I have put into this project to just be in limbo and getting nowhere. Do I delete my Apple developer account and go down that road of starting over?

Update with Push Notifications Console tests:

I also tested Apple’s Push Notifications Console directly for the selected app/topic app.terrasignal.

Device Token Validator:

  • Result: Valid
  • Message: “Device Token is valid for sending Alert & Background push-type notifications in the Development environment.”

Console Send test #1:

  • Environment: Development
  • apns-topic: app.terrasignal
  • apns-push-type: alert
  • apns-priority: High (10)
  • apns-id: 7498ec76-6ca6-4bde-af33-75783e19478c
  • apns-unique-id: 7e0d597a-704c-a6ad-6ad9-4401de6989c4
  • Result: no notification arrived on the device
  • Delivery Log lookup for apns-unique-id returned “No notification found”

Console Send test #2:

  • Environment: Development
  • apns-topic: app.terrasignal
  • apns-push-type: alert
  • apns-priority: High (10)
  • Payload included sound: default
  • apns-id: bc0b2541-5b5e-4071-8f0e-9e7bff83985e
  • apns-unique-id: 38070820-6e03-1a25-e6ff-5d1d35946d34
  • Sent: Jun 02, 2026, 8:03:16.279 PM CST
  • Result: no notification arrived on the device
  • Delivery Log lookup for apns-unique-id returned “No notification found”

On the iPhone, Settings → Notifications → TerraSignal shows:

  • Allow Notifications ON
  • Lock Screen ON
  • Notification Center ON
  • Banners ON
  • Sounds ON
  • Badges ON

Separate but related:

  • JSON Web Token Validator still reports: “Team Id in request does not match with Issuer (iss) in token”
  • My server direct APNs HTTP/2 request returns HTTP 403 {"reason":"InvalidProviderToken"}

At this point, Apple’s own Device Token Validator says the token is valid, but Apple’s own Send/Delivery Log path does not produce a device notification or delivery-log result, and provider JWT validation still reports a team/issuer mismatch.

Can you inspect the APNs backend for app/topic app.terrasignal under Team ID 837F2XGDX?

Yes, I am using ChatGPT on highest settings. I have been an Apple fan boy and supporter since 2001 and since the colorful clamshell little laptops, I own the original iPhone and original iPod still and damn, I admit at this moment, I am disheartened that I am not getting any help, just from AI. Nearly 300 thread views and nada. Is there a way to buy you a beer or something?

Accepted Answer (answered by Engineer in 889954022)

Your Team ID you are using in the JWT is wrong. I am not going to put your correct Team ID here publicly unless you want me to.

You are missing a character.
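The accepted answer comes down to a claim-format error that can be caught before any request reaches APNs. The following is an added example, not code from the thread or from Apple: a Node.js preflight that decodes a provider token and checks the header and payload fields the thread quotes. The function names are hypothetical, the 10-character length for `kid` and `iss` follows Apple's token-based connection documentation, and the alphanumeric-only character set is an assumption.

```javascript
// Added example: offline preflight of an APNs provider token's claims.
// It decodes the token only; it does not verify the ES256 signature.
const ID_RE = /^[A-Za-z0-9]{10}$/;   // assumption: IDs are 10 alphanumeric characters
const MAX_AGE_SECONDS = 3600;        // APNs rejects an iat more than one hour old

const encodeSegment = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const decodeSegment = (segment) =>
  JSON.parse(Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));

function checkId(name, value, problems) {
  if (typeof value !== 'string' || !ID_RE.test(value)) {
    const len = typeof value === 'string' ? value.length : 0;
    problems.push(`${name} has ${len} characters, expected 10 alphanumeric`);
  }
}

function checkProviderToken(jwt, nowSeconds) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return ['token is not three dot-separated segments'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
    if (header === null || payload === null) throw new Error('null segment');
  } catch (err) {
    return ['header or payload is not base64url-encoded JSON'];
  }
  const problems = [];
  if (header.alg !== 'ES256') problems.push(`alg is ${header.alg}, expected ES256`);
  checkId('kid', header.kid, problems);
  checkId('iss', payload.iss, problems);
  if (!Number.isInteger(payload.iat)) problems.push('iat is not an integer number of seconds');
  else if (payload.iat > nowSeconds) problems.push('iat is in the future');
  else if (nowSeconds - payload.iat > MAX_AGE_SECONDS) problems.push('iat is more than one hour old');
  return problems;
}

// Constructed token using the header and payload quoted in the thread; the
// signature segment is a placeholder because only the claims are inspected.
const makeToken = (kid, iss, iat) =>
  `${encodeSegment({ alg: 'ES256', kid })}.${encodeSegment({ iss, iat })}.c2lnbmF0dXJl`;

const threadToken = makeToken('HNW7XPK2H3', '837F2XGDX', 1780268873);
console.log(checkProviderToken(threadToken, 1780268873 + 60));
```

Running the same check in the code path that signs tokens turns a short or mistyped Team ID into a local error instead of an opaque 403 from APNs.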
