Handling account deletions and revoking tokens for Sign in with Apple


The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated with your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions.

If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials:

  1. Delete the user’s account data from your systems.
  2. Direct the user to manually revoke access for your client.
  3. Respond to the credential revoked notification to revert the client to an unauthenticated state.

Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the .authorized credential state, which may also result in the system auth UI displaying the “Continue with Apple” button.

Respond to the credential revoked notification

Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event: 

When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion:

  1. Deleted all user-related account data, including:
    • The token used for token revocation;
    • Any user-related data stored in your app servers; and
    • Any user-related data stored in the Keychain or securely on disk in the native app or locally on the web client.
  2. Reverted the client to an unauthenticated state.

Securely store user tokens for account creations

For all new user account creations, follow the expected authorization flow below:

  1. Securely transmit the identity token and authorization code to your app server.
  2. Verify the identity token and validate the authorization code using the /auth/token endpoint. 
  3. Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token.
  4. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests).

For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens.

If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

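The deletion flow described in the post, sketched server-side as an added example (not code from the original post or from Apple): it revokes with a stored refresh or access token when one exists and falls back to the manual workaround when none does. The `record` dictionary, the step names and the pre-generated `client_secret` are assumptions for illustration; the form fields are those of Apple's documented revoke request.

```python
import urllib.parse
import urllib.request

REVOKE_URL = "https://appleid.apple.com/auth/revoke"


def build_revoke_request(client_id, client_secret, token, token_type_hint):
    """Build (but do not send) the form-encoded POST for /auth/revoke."""
    if token_type_hint not in ("refresh_token", "access_token"):
        raise ValueError("token_type_hint must be refresh_token or access_token")
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # assumption: client-secret JWT made elsewhere
        "token": token,
        "token_type_hint": token_type_hint,
    }).encode("ascii")
    return urllib.request.Request(
        REVOKE_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def plan_deletion(record, client_id, client_secret):
    """Return ordered (step, request) pairs for one user's deletion request.

    `record` is a hypothetical stored-token row with optional keys
    "refresh_token" and "access_token"; step names are illustrative.
    """
    for hint in ("refresh_token", "access_token"):  # prefer the long-lived token
        token = record.get(hint)
        if token:
            req = build_revoke_request(client_id, client_secret, token, hint)
            # Revoke before purging: the token is needed for the call and is
            # itself user data that must be deleted afterwards.
            return [("revoke", req), ("delete_tokens", None),
                    ("delete_user_data", None), ("sign_out_client", None)]
    # No usable token: the manual workaround from the post.
    return [("delete_user_data", None), ("ask_user_to_revoke_manually", None),
            ("await_revocation_notification", None), ("sign_out_client", None)]


def execute_revoke(req, opener=urllib.request.urlopen):
    """Send the request; True when the server answers HTTP 200."""
    with opener(req, timeout=10) as resp:
        return resp.status == 200
```

Storing the refresh token at account creation, as the post requires, is what makes the first branch reachable; accounts created without it can only take the manual path.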