Configure Apple ID provider for sign in with Apple ID
This guide walks you through creating an Apple Developer account and configuring Sign in with Apple so users can sign in to your website using their Apple ID.
Prerequisites
An Apple ID (personal account)
Enrollment in the Apple Developer Program (annual subscription fee)
Access to your website's domain
Step 1: Create/Access Apple Developer Account
1. Go to https://developer.apple.com
2. Click Account in the top navigation
3. Sign in with your Apple ID (you may have to complete multi-factor authentication)
4. If first time:
Click Enroll today or Join the Apple Developer Program
Complete the enrollment process (you will need to fill in personal details and complete the purchase)
Step 2: Register an App ID
1. In your Apple Developer account, navigate to Certificates, Identifiers & Profiles
2. Click Identifiers
3. Click the + button to create a new identifier
4. Select App IDs and click Continue
5. Select App as the type and click Continue
6. Configure your App ID:
Description: Enter a descriptive name (e.g., "My Website Authentication")
Bundle ID: Choose Explicit and enter a reverse-domain identifier
Example:
com.yourdomain.webapp
Capabilities: Scroll down the alphabetical list of options and check Sign in with Apple
7. Click Continue then Register
Step 3: Create a Services ID
This is what you'll use for web-based Sign in with Apple.
1. Stay in Certificates, Identifiers & Profiles, in the Identifiers subsection where you created your App ID
2. Click the + button again
3. Select Services IDs and click Continue
4. Fill in the details:
Description: Enter a user-facing name (e.g., "My Website Sign In")
Identifier: Enter a unique identifier (e.g., com.yourdomain.webapp.signin)
This will be your Client ID
Click Register. You will be taken back to the Services IDs list; click your new Services ID.
5. Check the Sign in with Apple checkbox within your Services ID screen.
6. Click Configure next to Sign in with Apple
Configure Sign in with Apple for Services ID
1. In the configuration dialog:
Primary App ID: Select the App ID you created in Step 2
Domains and Subdomains: Add your website domain
Example: yourdomain.com (no https://). Do not include protocol or paths
Return URLs: Add your callback URL(s)
Example: https://yourdomain.com/auth/apple/callback
You can add multiple URLs for staging and production
Must use HTTPS (except localhost for testing)
If you are testing with your dev app from the console without a custom domain, use the callback URL from that Next Identity domain.
2. Click Done to exit the Sign in with Apple configuration modal.
3. Click Save
Step 4: Create a Private Key
1. In Certificates, Identifiers & Profiles, click Keys in the sidebar
2. Click the + button
3. Configure the key:
Key Name: Enter a descriptive name (e.g., "Sign in with Apple Key")
Optionally add a Key Usage Description
Check Sign in with Apple
Click Configure next to Sign in with Apple
4. Select your Primary App ID from the dropdown
5. Click Save
6. Click Continue then Register
7. IMPORTANT: Click Download to download your private key (.p8 file)
You can only download this once - store it securely
The file will be named something like AuthKey_XXXXXXXXXX.p8
8. Note the Key ID displayed on the confirmation page
Step 5: Gather Your Credentials
You'll need the following information to configure Sign in with Apple in Next Identity:
From Services ID (Step 3):
Service ID (Client ID): The identifier you created (e.g., com.yourdomain.webapp.signin)
From Key Creation (Step 4):
Key ID: The 10-character identifier shown after creating the key
Private Key (.p8 file): The downloaded file contents
From Your Apple Developer Account:
Team ID: Found in the top-right corner of your developer account
Click your name, then view your membership details
The Team ID is a 10-character string
Step 6: Verify Domain Ownership (If Required)
For some configurations, Apple may require you to verify domain ownership:
1. Apple will provide an apple-developer-domain-association.txt file
2. Upload this file to: https://yourdomain.com/.well-known/apple-developer-domain-association.txt
3. Ensure the file is publicly accessible
4. Return to Apple Developer console to verify
Step 7: Connect to Next Identity
Now that your Apple Sign in is configured, you'll connect it to Next Identity so your users can sign in with Apple.
Required Information
You'll need:
Service ID (Client ID): Your Services ID from Step 3. This is the value under Identifier in your Services ID configuration, e.g. com.yourdomain.webapp.signin if you followed the suggested naming convention above.
Team ID: Your Apple Developer Team ID (found under the Membership Details of your Apple Developer account page)
Key ID: From your private key creation
Private Key: The contents of your .p8 file
Next Identity Console Apple Social Provider Configuration
1. Log in to Next Identity as an administrator
2. Navigate to your application's social login settings by going to the side navigation bar and choosing Integrations, then scroll down to the Social Providers section
3. Select Add Social Authentication Provider
4. Select Apple as a social identity provider
5. Enter a Name and Description for this social connection (for your reference only, this does not have to match any Apple names or Identifiers)
6. Enter your Apple credentials:
Service ID (Client ID): Paste your Services ID
Team ID: Paste your Team ID
Key ID: Paste your Key ID
Private Key: Paste the contents of your .p8 file (or upload the file)
7. Click Save to save and close the configuration modal
8. Back on the landing screen, to use this Apple integration for your environments, choose the three dots next to that Apple integration, choose Set as Default, select the environments it should be the default Apple integration for, then select Apply.
9. The modal that sets the Apple configuration as the default for your environments also shows the recommended callback URL to configure in the Apple Services ID configuration. You may need to log back into the Apple Developer dashboard and add it.
Next Identity Console Add Sign in with Apple to a Journey
1. Log in to Next Identity as an administrator
2. Navigate to your desired journey by going to the side navigation bar and choosing Journeys.
3. From the Journeys landing page, select the specific journey you want to add social authentication to, click the three dots to display the menu, and select Edit to open the Journeys builder.
4. On the Journeys builder screen, select the edit icon for the login card.
5. In the configure login modal, scroll to the social authentication options; if Apple has been configured correctly you will see a toggle to turn it on.
6. Toggle Apple on
7. Click Save Changes on that modal; you will be taken back to the Journeys builder screen.
8. Click Save in Development on the Journeys Builder screen.
9. Review the changes in the pop-up modal and select Save Journey if everything looks good and you can see that Apple social sign-in has been turned on.
Important Note on Redirect URIs
Next Identity handles the OAuth redirect flow for you. When configuring your Services ID's Return URLs (Step 3), you must use the callback URL provided by Next Identity, which might look something like:
https://xxxxxx-dev.id.eu.nextreason.com/social/callback
Your Next Identity administrator console will display the exact redirect URI you need to add to Apple Developer console.
Step 8: Testing Your Integration
During Development
1. Apple's Sign in with Apple works immediately in Testing mode
2. Test the complete login flow:
Navigate to your application's login page
Click "Sign in with Apple"
Authorize with your Apple ID
Verify successful authentication and redirect
3. Test with different Apple IDs to ensure proper user creation/matching
4. Verify user profile data is correctly synced to Next Identity
Email Privacy Options
Apple offers users two email options:
Share My Email: User's actual email address
Hide My Email: Apple provides a relay email like xyz123@privaterelay.appleid.com
Ensure your application handles both scenarios appropriately.
Step 9: Production Considerations
Email Relay Handling
Apple's private relay emails are real and functional
Emails sent to relay addresses are forwarded to the user
Users can disable relay at any time
Have a process for handling bounced relay emails
User Experience
The Apple Sign in button should follow Apple's Human Interface Guidelines
Use Apple-provided button assets for consistency
Don't modify button text or appearance significantly
Security Best Practices
Store your private key (.p8 file) securely
Rotate keys periodically if possible
Troubleshooting Common Issues
"invalid_client" Error
Verify your Service ID matches exactly
Check that your Team ID and Key ID are correct
Ensure your private key file is properly formatted
"redirect_uri_mismatch" Error
Verify the Return URL in your Services ID configuration matches Next Identity's callback URL exactly
Ensure you're using HTTPS (not HTTP) in production
Check for trailing slashes or typos
Domain Not Verified
Ensure your domain is correctly entered (no https://, no www if not used)
Verify the apple-developer-domain-association.txt file is accessible
Wait a few minutes after configuration changes
Private Key Issues
Ensure you're using the entire contents of the .p8 file including headers
Verify there are no extra spaces or line breaks
The key should start with -----BEGIN PRIVATE KEY-----
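As an added example for the "invalid_client" and "Private Key Issues" checks above (not code from this guide or from Next Identity), a stdlib-only Python check of pasted .p8 contents: it flags an altered header or footer, stray whitespace or characters in the body, and a key that is not the PKCS#8 EC P-256 type Apple issues. The sample key is constructed inline from dummy bytes and is not a real credential.

```python
import base64
import binascii

# DER-encoded OIDs a Sign in with Apple .p8 key must carry: id-ecPublicKey and prime256v1 (P-256)
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_p8(pem: str) -> list:
    """Return the problems found in a pasted .p8 text; an empty list means it looks right."""
    problems = []
    lines = pem.strip("\n").splitlines()
    if any(line != line.strip() for line in lines):
        problems.append("extra spaces around a line")
    lines = [line.strip() for line in lines]
    if lines[:1] != ["-----BEGIN PRIVATE KEY-----"] or lines[-1:] != ["-----END PRIVATE KEY-----"]:
        return problems + ["PEM header/footer missing or altered"]
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
        tag, info, _ = _tlv(der, 0)               # PrivateKeyInfo SEQUENCE
        ver_tag, version, pos = _tlv(info, 0)     # version INTEGER 0
        alg_tag, alg, _ = _tlv(info, pos)         # AlgorithmIdentifier SEQUENCE
        _, alg_oid, pos = _tlv(alg, 0)
        _, curve_oid, _ = _tlv(alg, pos)
    except (binascii.Error, ValueError, IndexError):
        return problems + ["body is not valid base64/DER (stray characters or truncated paste?)"]
    if tag != 0x30 or ver_tag != 0x02 or version != b"\x00" or alg_tag != 0x30:
        problems.append("not a PKCS#8 PrivateKeyInfo structure")
    elif alg_oid != EC_PUBLIC_KEY_OID or curve_oid != PRIME256V1_OID:
        problems.append("not an EC P-256 key (Apple issues ES256 keys)")
    return problems

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body  # short-form length suffices for the sample below

# Constructed sample: a syntactically valid PKCS#8 P-256 key with a dummy scalar, not a real Apple key.
SAMPLE_P8 = "\n".join(["-----BEGIN PRIVATE KEY-----", base64.b64encode(_der(0x30,
    _der(0x02, b"\x00")
    + _der(0x30, _der(0x06, EC_PUBLIC_KEY_OID) + _der(0x06, PRIME256V1_OID))
    + _der(0x04, _der(0x30, _der(0x02, b"\x01") + _der(0x04, bytes(range(1, 33)))))
)).decode(), "-----END PRIVATE KEY-----"])
```

Run `check_p8` on the text you are about to paste into the Private Key field; a real AuthKey file wraps its body over several lines, which the check joins before decoding.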
Users Not Receiving Email
Check if they selected "Hide My Email" and the relay is working
Verify your email sending domain isn't blocked by Apple
Test with a fresh Apple ID to isolate the issue
Understanding Apple's Scopes
Apple provides limited scope options compared to other providers:
Default Scopes (Always Available)
openid: Required for OpenID Connect
email: User's email (may be relay email)
name: User's first and last name (only on first sign-in)
Important Notes
User name is only provided on the first sign-in
After first sign-in, you must store the name - Apple won't provide it again
Users can revoke access at any time from their Apple ID settings
Additional Considerations
Token Validation
Apple provides JWT tokens that should be validated
Token validation includes checking signature, expiration, and audience
Next Identity handles this validation for you
Team Account Management
If you have multiple developers, manage key access carefully
Consider using a shared keychain or secrets manager for .p8 files
Document which keys are used for which environments
Next Steps
Test Apple Sign in with your application through Next Identity
Customize the Apple Sign in button appearance per guidelines
Plan for handling email privacy scenarios
Consider adding other social login providers through Next Identity
Monitor usage and authentication success rates
