“If I can't implement Sign In with Apple before the deadline, my app will get rejected”

You don't want to receive this in your inbox 😅.

Apple requires Sign in with Apple to be implemented by 30 April 2020 for new apps and by June 2020 for updates to existing apps. Yet the documentation is severely lacking: what should we do after getting the user data from Sign in with Apple on the iOS side? What does an error message like invalid_client even mean? You start to worry: what if you can't implement Sign in with Apple before the deadline, and Apple rejects your app's upcoming update, delaying fixes and features your users are waiting for and making your users and your boss unhappy 😣.

“I have wasted so much time trying to solve the error, the error message isn't even helpful!”

You have followed a tutorial on how to implement Sign in with Apple step by step, but you are stuck at the dreaded "invalid_client" or "invalid_grant" error every time you try to validate the authorization code against /auth/token.

Alright, I know it tells me the client is invalid... then what should I do to fix this?!

You checked your client_id, client_secret and even the redirect_uri parameters, and all of them seem correct. Then you try swapping the client_id between the app bundle ID and the Services ID, changing the headers used to generate the client secret JWT... hours have passed and, despite all the trial and error, you are still getting the same "invalid_client" error! 🤬

The error message "invalid_client" isn't particularly helpful, as it doesn't say which part of your request is wrong: could it be your client_id? Your client_secret? Or could the authorization code you got from the app not be formatted properly? You wish Apple would provide a more helpful error message to point you at the issue.

“I have scoured all the documentation at length and have still not gotten anywhere.”

After spending countless hours battling the token validation issue, you have finally managed to retrieve the token! Yay! But now you are stuck again, as Apple's documentation doesn't say a word about how to handle subsequent REST API calls after the user has signed in successfully. The identity token returned when you validate the authorization code expires ten minutes after it was issued (compare the exp and iat claims in the sample below), and Apple only allows verifying the refresh token once a day (more than that results in throttling), so how should we authenticate subsequent REST API calls from the app to the backend?

There's an endpoint for fetching Apple's public keys, but how do you even use this to verify a signature?! It certainly doesn't look like a public key file (e.g. -----BEGIN PUBLIC KEY----- xxxxxx -----END PUBLIC KEY-----); it is a JSON Web Key set:

  {
    "keys": [
      {
        "kty": "RSA",
        "kid": "AIDOPK1",
        "use": "sig",
        "alg": "RS256",
        "n": "lxrwmuYSAsTfn-lUu4goZSXBD9ackM9OJuwUVQHmbZo6GW4Fu_auUdN5zI7Y1dEDfgt7m7QXWbHuMD01HLnD4eRtY-RNwCWdjNfEaY_esUPY3OVMrNDI15Ns13xspWS3q-13kdGv9jHI28P87RvMpjz_JCpQ5IM44oSyRnYtVJO-320SB8E2Bw92pmrenbp67KRUzTEVfGU4-obP5RZ09OxvCr1io4KJvEOjDJuuoClF66AT72WymtoMdwzUmhINjR0XSqK6H0MdWsjw7ysyd_JhmqX5CAaT9Pgi0J8lU_pcl215oANqjy7Ob-VMhug9eGyxAWVfu_1u6QJKePlE-w",
        "e": "AQAB"
      }
    ]
  }

Enough complaining about Apple; let's pause for a moment and imagine....

What if you could implement Sign in with Apple within a day, submit the app update to App Store confidently and continue on with your feature implementations / bug fixes?

Wouldn't it be nice if there were a straightforward, step-by-step guide you could follow to implement Sign in with Apple, from retrieving Apple's public keys, validating the authorization code, and verifying and parsing the identityToken, to the subsequent REST API calls between your iOS app and your server?

You could implement Sign in with Apple within a day and get back to the features and bug fixes that matter, which makes your users happier (and your boss, too).

Learn the workings of JWT (JSON Web Token) and JWK (JSON Web Key)

Most of the frustration when implementing Sign in with Apple comes from not having dealt with JSON Web Tokens before. Generating the JWT that serves as the client_secret is an especially confusing step: it has to be signed with ES256 (ECDSA over the P-256 curve) using the private key you download from the developer portal, whereas the identityToken that Apple issues is signed with RS256 (RSA), so two different key types and signing algorithms are in play.

The identityToken retrieved from Apple's API is also a JWT; its payload contains a unique identifier for the user in the sub claim:

  {
    "iss": "https://appleid.apple.com",
    "aud": "es.fluffy.AppleLogin",
    "exp": 1578850937,
    "iat": 1578850337,
    "sub": "001802.ba20d2adb5954ff0ace4972268a21303.1014",
    "c_hash": "JXNEyqNeiUwJ5_tNjYZkLg",
    "email": "uikyccaycc@privaterelay.appleid.com",
    "email_verified": "true",
    "is_private_email": "true",
    "auth_time": 1578850337
  }

The value of sub, 001802.ba20d2adb5954ff0ace4972268a21303.1014, is the unique user ID (which corresponds to an Apple ID) for your app; it is what you should store and look users up by, since the email may be a private relay address that the user can later disable. The aud claim must equal your app's client_id, and exp is the expiry time (here ten minutes after iat).
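The two questions raised above (what to do with the "n" and "e" in the JWK set, and how to verify and parse the identityToken before trusting its sub) are answered together by the following added example. It is not the book's code or Apple's; it is written in Python 3.8+ using only the standard library so that the RSA step is visible rather than hidden inside a library. A toy RSA key pair is generated at run time because Apple's signing key is obviously not available, the kid TESTKID1 is made up, and the audience and claim values are modelled on the sample token on this page. In production you would use a maintained JWT library (PyJWT, ruby-jwt and the like), which is what the book recommends.

```python
import base64, hashlib, hmac, json, math, secrets, time

APPLE_ISSUER = "https://appleid.apple.com"
# DER prefix of the SHA-256 DigestInfo used by EMSA-PKCS1-v1_5 (RFC 8017, 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || SHA-256(msg), exactly k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_identity_token(token: str, jwks: dict, audience: str, now=None) -> dict:
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("unknown kid: refetch Apple's keys and retry once")
    # "n" and "e" are unsigned big-endian integers, base64url-encoded without padding
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    # RSA verification: sig^e mod n must equal the padded hash of "header.payload"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, pkcs1_v15_encode(f"{h_b64}.{p_b64}".encode(), k)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != APPLE_ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or token issued for another client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("identity token expired")
    return claims

# --- toy RSA key generation and signing, only so the example runs offline ---

def _is_probable_prime(n: int) -> bool:
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:  # Miller-Rabin rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_test_keypair(bits: int = 1024) -> dict:
    def prime(b):  # random odd b-bit prime; adequate for a throwaway test key only
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def sign_rs256(header: dict, payload: dict, key: dict) -> str:
    # What Apple's server does with its private key when it mints the identityToken
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_encode(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))

def jwks_for(key: dict, kid: str) -> dict:
    # The public half, in the same JWK-set shape as the sample above (65537 -> "AQAB")
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def demo() -> dict:
    # Mint a token with the toy key, then verify it as the backend would
    key = make_test_keypair()
    jwks = jwks_for(key, "TESTKID1")  # constructed kid, not a real Apple key ID
    claims = {"iss": APPLE_ISSUER, "aud": "es.fluffy.AppleLogin", "iat": 1578850337,
              "exp": 1578850937, "sub": "001802.ba20d2adb5954ff0ace4972268a21303.1014"}
    token = sign_rs256({"alg": "RS256", "kid": "TESTKID1"}, claims, key)
    verified = verify_identity_token(token, jwks, "es.fluffy.AppleLogin", now=1578850400)
    return {"token": token, "jwks": jwks, "claims": verified}
```

In a real backend the JWK set comes from https://appleid.apple.com/auth/keys (cache it, and refetch once when a kid is unknown, since Apple rotates keys), `audience` is your app's bundle ID or Services ID, and if the app sent a nonce you also compare it against the nonce claim. Note that the verifier pins the algorithm to RS256 and only then looks up the key, so a token claiming alg "none" or an HMAC algorithm is rejected before any key material is touched.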

Follow a step-by-step guide, with a code sample for each step, to implement Sign in with Apple: the Practical SIWA guide book


The book shows the overall flow of Sign in with Apple and explains each step, from retrieving the authorizationCode in the iOS app, to generating the client secret, to an overview of strategies for issuing your own access tokens. All of the backend steps involved in Sign in with Apple come with sample code in Ruby, PHP, Python and NodeJS.

This book is focused on practical steps (using libraries for cryptography and decoding instead of explaining the theory and rolling your own) and is concisely written to help you finish implementing the whole Sign in with Apple flow as quickly as possible, so you can move on to the features and fixes that really matter.

What's in the book?

Annotation: 📝 = this chapter comes with sample code in Ruby, PHP, Python and NodeJS.

Here's the table of contents of the book :

  1. Big picture of the Sign in with Apple flow
  2. What a JSON Web Token (JWT) is, how to decode and debug one, and library recommendations (📝)
  3. Sign in with Apple implementation on the iOS side: how to retrieve user data and check whether the user has logged in or out
  4. How to retrieve Apple's public keys and use them to verify and decode the identityToken (📝)
  5. How to validate the authorizationCode retrieved from the iOS app (📝)
  6. How to use your private key to generate the client secret, and how to exchange the authorization code for an access token at Apple's endpoint using it (📝)
  7. How to refresh the access token using Apple's endpoint (📝)
  8. Overview of strategies for issuing your own access tokens for authentication between your app and your server API
  9. How to implement Sign in with Apple on your web app frontend
  10. How to implement Sign in with Apple on other platforms
  11. How to send email to a private relay address (users who choose to hide their real email address get a randomly generated address from Apple)

Sign in with Apple should be the new default in your apps. Here’s a decent book with sample codes on how to implement it on your server and the app ✌️ https://t.co/McAe11gRzi

— Bobby Bobak @ Filtru ☕️ (@bobek_balinek) April 22, 2020

I got Practical Sign in with Apple from @soulchildpls on @Gumroad: https://t.co/8qoTyEtJtL

— Genes (@onurgenes) April 10, 2020

The Book + Demo App and Backend code


Get the book + demo for $39

Just the Book


Get the book for $19

Just the Demo App and Backend code


Get the demo code for $29

Can I try a free sample?

Absolutely! I understand that it's hard to know whether a book you found online will actually help. You can download the two free sample chapters plus the table of contents and see if it's right for you.



If using this book does not help you learn and implement Sign in with Apple, let me know within 30 days of the date of your purchase and I'll give you a complete refund. No argument. No risk. 100% guaranteed. You can contact me at axel@fluffy.es

Have any questions? Contact me at axel@fluffy.es, I'll be happy to answer.

About the Author

Hi, I'm Axel Kee. I've been developing iOS apps for companies, clients and myself since 2016, from small indie apps (they cover my daily coffee money ☕️) to a social app with hundreds of thousands of downloads.

I have been writing about iOS development stuff at my blog since 2018 as well.