← Test Tools  ·  Apple Sign-In

idle

Configuration

← change project in the test-tools landing page · values are shared via localStorage.
Add this exact URL to Return URLs in Apple Developer → Identifiers → Services ID → Sign In with Apple → Configure. The tool sends it as redirect_origin in :start. Apple's JS SDK uses a postMessage popup, so the redirect URI is validated but the browser never actually loads it.
PKCE is intentionally not sent on this tool's :start for Apple: Apple's own web JS SDK (AppleID.auth.init) does not expose a code_challenge hook, and threading a verifier through the popup adds complexity without changing the security boundary (Apple's state + nonce already cover this flow). For native iOS use the id_token verify tab instead.

Flow

  1. 1
    Configuration ready
    API URL, project ID, public key are set.
  2. 2
    POST /oauth/apple:start
    Backend signs a state token and returns Apple's authorize URL. Tool parses out client_id / state / nonce / redirect_uri and feeds them to AppleID.auth.init.
  3. 3
    Apple consent popup
    User signs in via the Apple popup. The SDK's signIn() Promise resolves with {authorization: {code, state, id_token}}.
  4. 4
    POST /oauth/apple:callback
    Backend exchanges code → id_token at Apple, verifies issuer / audience / nonce, resolves player.
  5. 5
    Player session issued
    Returns player_id, session_token, expires_at, is_new.

Network trace

Each request/response will be logged here as the flow runs.