Apple

Sign in with Apple using OAuth 2.0 with OpenID Connect.

1. Create OAuth App

Apple Developer Program Required

Sign in with Apple requires an active Apple Developer Program membership ($99/year).

  1. Go to Apple Developer — Certificates, Identifiers & Profiles.
  2. Register an App ID if you don't have one:
    • Click + > App IDs > App.
    • Enter a description and Bundle ID.
    • Enable Sign in with Apple under Capabilities.
  3. Register a Services ID (this is your OAuth client):
    • Click + > Services IDs.
    • Enter a description and identifier (e.g., com.yourapp.auth).
    • Enable Sign in with Apple.
    • Click Configure next to Sign in with Apple:
      • Select your primary App ID.
      • Add your Domains (e.g., your-edgebase-url).
      • Add your Return URLs (see below).
  4. Create a Key for Sign in with Apple:
    • Go to Keys > +.
    • Name the key and enable Sign in with Apple.
    • Download the .p8 key file (save it — you can only download it once).
    • Note the Key ID.

2. Set Redirect URI

Add your EdgeBase callback URL as a Return URL in the Services ID configuration:

https://your-edgebase-url/api/auth/oauth/apple/callback

HTTPS Required

Apple requires HTTPS for redirect URIs — localhost with HTTP is not supported. For local development, use a tunneling service (e.g., ngrok) or test on a staging server.

3. Get Credentials

You need:

  • Client ID — Your Services ID identifier (e.g., com.yourapp.auth)
  • Client Secret — A JWT generated from your .p8 key, Team ID, and Key ID

Generating the Client Secret

Apple's client secret is a signed JWT, not a static string. You need to generate it using your Team ID, Key ID, and the .p8 private key. Many tools and libraries can help with this — search for "Apple Sign In client secret generator".
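
One way to generate the client secret locally, as an added example that is not EdgeBase or Apple code: it signs the JWT with Node's built-in crypto using the claims Apple documents for client secrets (iss = Team ID, sub = Services ID, aud = https://appleid.apple.com, kid = Key ID) and refuses lifetimes above Apple's six-month limit. The function name, the Team ID and Key ID values, and the throwaway P-256 key standing in for the .p8 file are assumptions made for the demo.

```javascript
const crypto = require('node:crypto');

// Apple does not accept an exp more than 15777000 seconds (6 months) in the future.
const MAX_LIFETIME_SECONDS = 15777000;

const b64url = (input) => Buffer.from(input).toString('base64url');

// Hypothetical helper (not an EdgeBase API): returns the compact ES256 JWT.
function generateAppleClientSecret({
  teamId, keyId, clientId, privateKeyPem,
  lifetimeSeconds = 30 * 24 * 3600, now = Date.now(),
}) {
  if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0 ||
      lifetimeSeconds > MAX_LIFETIME_SECONDS) {
    throw new RangeError(`lifetimeSeconds must be 1..${MAX_LIFETIME_SECONDS}`);
  }
  const iat = Math.floor(now / 1000);
  const header = { alg: 'ES256', kid: keyId };
  const payload = {
    iss: teamId,                      // Team ID
    iat,
    exp: iat + lifetimeSeconds,       // the secret stops working at this time
    aud: 'https://appleid.apple.com',
    sub: clientId,                    // Services ID (the OAuth client ID)
  };
  const signingInput =
    `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS needs the raw 64-byte r||s signature, not Node's default DER encoding.
  const signature = crypto.sign('sha256', Buffer.from(signingInput), {
    key: privateKeyPem,
    dsaEncoding: 'ieee-p1363',
  });
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Constructed demo input: a throwaway P-256 key in PKCS#8 PEM, the same format
// as the downloaded .p8 file. With a real key, read the file from a path that
// is kept out of source control instead.
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const demoSecret = generateAppleClientSecret({
  teamId: 'TEAMID1234',               // placeholder Team ID
  keyId: 'KEYID12345',                // placeholder Key ID
  clientId: 'com.yourapp.auth',
  privateKeyPem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
});
```

Because the JWT carries an exp claim, the configured clientSecret has to be regenerated before that time or sign-in will start failing.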

4. Configure EdgeBase

// edgebase.config.ts
export default defineConfig({
  auth: {
    // Enable Apple as a sign-in provider
    allowedOAuthProviders: ['apple'],
    oauth: {
      apple: {
        clientId: 'YOUR_SERVICES_ID', // Services ID identifier from step 1
        clientSecret: 'YOUR_GENERATED_JWT', // signed JWT from step 3
      },
    },
  },
});

5. Usage

client.auth.signInWithOAuth('apple');

Provider Details

Property          Value
Scopes            name email
PKCE              No
Email             Yes
Email verified    Always true (Apple policy)
Avatar            No — Apple does not provide profile pictures
Refresh token     No

Notes

  • Apple uses response_mode=form_post — the callback receives data via POST, not query parameters.
  • User info (name, email) is extracted from the id_token JWT, not from a separate API call.
  • The user's name is only provided on the first sign-in. If you miss capturing it, the user must revoke your app in their Apple ID settings and sign in again.
  • Apple emails are always considered verified.
  • Users can choose to hide their email, in which case Apple provides a private relay address (e.g., abc@privaterelay.appleid.com).