TN3194: Handling account deletions and revoking tokens for Sign in with Apple
Learn the best techniques for managing Sign in with Apple user sessions and responding to account deletion requests.
Overview
Apps submitted to the App Store that support account creation must also let users initiate deletion of their account within the app, as of June 30, 2022. To learn more, see Offering account deletion in your app.
To properly support account creation, verification, and deletion in your app, securely store user credentials (for example, identity tokens and refresh tokens) and consider using a server infrastructure to handle token generation, validation, and revocation.
Invalidate a user session
The Token revocation endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated with your developer account without user interaction. Apps using Sign in with Apple are expected to securely transmit and store tokens when integrated with a server infrastructure. This allows you to validate all user tokens received from Apple, as well as verify the user’s identity and Apple’s public key before granting access to your app or its data. Because this endpoint manages your user sessions, a valid refresh token or access token is required for invalidation.
If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. To manually revoke the user credentials, follow the steps below:
Delete the user’s account data from your systems.
Direct the user to manually revoke access for your client.
Respond to the credential revoked notification to revert the client to an unauthenticated state.
Respond to credential revoked notifications
Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:
For apps using the Authentication Services framework to implement Sign in with Apple, observe the credentialRevokedNotification and use getCredentialState(forUserID:completion:) on the ASAuthorizationAppleIDProvider object to respond to credential revocation and account deletion events.
For web services, if an endpoint is registered for Processing changes for Sign in with Apple accounts, Apple broadcasts a notification to the specified endpoint with the consent-revoked event type.
When receiving either notification, ensure you’ve completed the following operations to meet the requirements of account deletion:
Delete all user-related account data, including:
The token used for token revocation;
Any user-related data stored in your app servers; and
Any user-related data stored in the Keychain or securely on disk in the native app, or locally on a web client.
Revert the client to an unauthenticated state.
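The server-side half of the procedure above, as an added example that is not Apple's code: an app server receives the consent-revoked notification, checks the basic claims, unpacks the events object (which Apple delivers as a JSON string inside the JWT payload, a common point of confusion), and performs the three account-deletion operations. It assumes the notification JWT's ES256 signature has already been verified against Apple's public keys by a JWT library, and uses a hypothetical in-memory UserStore in place of a real database, secret store, and session table; the sample claims and identifiers are constructed.

```python
"""Handle a Sign in with Apple server-to-server notification on the app server.

Added example, not Apple's code. Assumptions:
- `claims` is the payload of the notification JWT AFTER its ES256 signature
  has been verified against Apple's public keys with a JWT library; the
  signature check is deliberately outside this snippet.
- `UserStore` is a hypothetical in-memory stand-in for the app's database,
  the secret store holding refresh tokens, and the client session table.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Optional

APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.app"  # constructed placeholder client ID


@dataclass
class UserStore:
    # sub -> stored refresh token (the token later needed for /auth/revoke)
    refresh_tokens: dict = field(default_factory=dict)
    # sub -> account data held on the app server
    account_data: dict = field(default_factory=dict)
    # sub -> True while the client is considered authenticated
    authenticated: dict = field(default_factory=dict)
    # jti values already processed, so a redelivered notification is a no-op
    seen_jti: set = field(default_factory=set)


def parse_events(claims: dict) -> dict:
    """Return the `events` object. Apple places it in the payload as a JSON
    *string*, so it has to be decoded a second time."""
    events = claims["events"]
    if isinstance(events, str):
        events = json.loads(events)
    return events


def revoke_user(sub: str, store: UserStore) -> str:
    """The three account-deletion operations listed in the technical note."""
    store.refresh_tokens.pop(sub, None)   # 1. the token used for revocation
    store.account_data.pop(sub, None)     # 2. user data on the app server
    store.authenticated[sub] = False      # 3. revert to unauthenticated
    return "revoked"


def handle_notification(claims: dict, store: UserStore,
                        now: Optional[float] = None) -> str:
    """Process one signature-verified notification; return a status string."""
    now = time.time() if now is None else now
    # Claim hygiene that is independent of the upstream signature check.
    if claims.get("iss") != APPLE_ISSUER:
        return "rejected: wrong issuer"
    if claims.get("aud") != CLIENT_ID:
        return "rejected: wrong audience"
    if claims.get("exp", 0) <= now:
        return "rejected: expired"
    jti = claims.get("jti")
    if jti in store.seen_jti:
        return "ignored: duplicate"
    store.seen_jti.add(jti)

    events = parse_events(claims)
    if events["type"] == "consent-revoked":
        return revoke_user(events["sub"], store)
    return "ignored: " + events["type"]


# Constructed sample data: a user ID and a notification payload.
SAMPLE_SUB = "001234.constructed-user-id.5678"
SAMPLE_CLAIMS = {
    "iss": APPLE_ISSUER,
    "aud": CLIENT_ID,
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
    "jti": "constructed-jti-001",
    "events": json.dumps({
        "type": "consent-revoked",
        "sub": SAMPLE_SUB,
        "event_time": 1_700_000_000_000,
    }),
}


def make_sample_store() -> UserStore:
    """A store holding one authenticated user, for demonstration."""
    return UserStore(
        refresh_tokens={SAMPLE_SUB: "constructed-refresh-token"},
        account_data={SAMPLE_SUB: {"display_name": "Sample User"}},
        authenticated={SAMPLE_SUB: True},
    )


if __name__ == "__main__":
    store = make_sample_store()
    print(handle_notification(SAMPLE_CLAIMS, store, now=1_700_000_100))
    print(handle_notification(SAMPLE_CLAIMS, store, now=1_700_000_100))
```

Deduplicating on `jti` keeps the handler idempotent if Apple redelivers a notification; deleting the stored refresh token first means a later, accidental call to /auth/revoke for this user has nothing to send.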
Securely store user tokens for account creations
For all new user account creations, properly store and handle the user credentials by following the authorization flow below:
Securely transmit the identity token and authorization code to your app server.
Verify the identity token and validate the authorization code using the /auth/token endpoint. Once the authorization code is validated, securely store the token response, including the identity token, refresh token, and access token.
Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests).
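The authorization flow above on the app server, as an added example that is not Apple's code: it checks the identity token's claims, builds the /auth/token exchange, stores the token response as a record, enforces the at-most-once-per-day refresh policy, and builds the /auth/revoke request used later for account deletion. It assumes the identity token's ES256 signature has already been verified by a JWT library against Apple's published keys, that the client sent the SHA-256 of a server-issued nonce as the request nonce (a common pattern, so the server compares against that hash), and that the client secret JWT is produced elsewhere; no network requests are made, the functions return the request that would be sent. TokenRecord, the client ID and all sample values are constructed.

```python
"""Server-side handling of a new Sign in with Apple account.

Added example, not Apple's code. Assumptions:
- The identity token's ES256 signature has been verified by a JWT library
  before `validate_identity_claims` runs; this snippet checks claims only.
- The client set the request nonce to SHA-256(raw nonce) issued by the server,
  so the token's `nonce` claim is compared against that hash.
- `client_secret` is the ES256-signed JWT built elsewhere from the developer
  key; `TokenRecord` is a hypothetical stand-in for the app's secret storage.
- No network calls: functions return the request that would be sent.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlencode

APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.app"  # constructed placeholder client ID
TOKEN_URL = "https://appleid.apple.com/auth/token"
REVOKE_URL = "https://appleid.apple.com/auth/revoke"
ONE_DAY = 24 * 60 * 60


def validate_identity_claims(claims: dict, raw_nonce: str, now: float) -> str:
    """Return the user's `sub` if the claims are acceptable, else raise."""
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("identity token expired")
    expected = hashlib.sha256(raw_nonce.encode()).hexdigest()
    if claims.get("nonce") != expected:
        raise ValueError("nonce mismatch (possible replay)")
    return claims["sub"]


def token_exchange_request(authorization_code: str, client_secret: str) -> dict:
    """POST to /auth/token that validates the authorization code."""
    return {"url": TOKEN_URL, "body": urlencode({
        "client_id": CLIENT_ID, "client_secret": client_secret,
        "code": authorization_code, "grant_type": "authorization_code"})}


@dataclass
class TokenRecord:
    sub: str
    identity_token: str
    refresh_token: str
    access_token: str
    last_refresh: float  # when the refresh token was last validated with Apple


def store_token_response(sub: str, response: dict, now: float) -> TokenRecord:
    """Keep the whole token response; the refresh token is needed for
    the daily validation and for the eventual revocation request."""
    return TokenRecord(sub=sub, identity_token=response["id_token"],
                       refresh_token=response["refresh_token"],
                       access_token=response["access_token"], last_refresh=now)


def refresh_due(record: TokenRecord, now: float) -> bool:
    """Validate the refresh token with Apple at most once per day."""
    return now - record.last_refresh >= ONE_DAY


def refresh_request(record: TokenRecord, client_secret: str) -> dict:
    """POST to /auth/token that validates the stored refresh token."""
    return {"url": TOKEN_URL, "body": urlencode({
        "client_id": CLIENT_ID, "client_secret": client_secret,
        "refresh_token": record.refresh_token, "grant_type": "refresh_token"})}


def revoke_request(record: TokenRecord, client_secret: str) -> dict:
    """POST to /auth/revoke used on account deletion. The refresh token is
    sent because it is the long-lived credential for the session."""
    return {"url": REVOKE_URL, "body": urlencode({
        "client_id": CLIENT_ID, "client_secret": client_secret,
        "token": record.refresh_token, "token_type_hint": "refresh_token"})}


# Constructed sample data standing in for a real sign-in.
SAMPLE_NONCE = "constructed-server-nonce"
SAMPLE_CLAIMS = {
    "iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": 1_700_000_600,
    "sub": "001234.constructed-user-id.5678",
    "nonce": hashlib.sha256(SAMPLE_NONCE.encode()).hexdigest(),
}
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "constructed-access-token", "expires_in": 3600,
    "id_token": "constructed.identity.token", "token_type": "Bearer",
    "refresh_token": "constructed-refresh-token",
}


def onboard_user(claims: dict, raw_nonce: str, response: dict, now: float) -> TokenRecord:
    """Steps 2 and 3 of the flow: validate claims, then store the response."""
    sub = validate_identity_claims(claims, raw_nonce, now)
    return store_token_response(sub, response, now)


if __name__ == "__main__":
    rec = onboard_user(SAMPLE_CLAIMS, SAMPLE_NONCE, SAMPLE_TOKEN_RESPONSE, 1_700_000_000)
    print(refresh_due(rec, 1_700_000_000 + ONE_DAY))
    print(revoke_request(rec, "constructed-client-secret")["body"])
```

The nonce check is what ties the identity token to the specific sign-in attempt; a token with a valid signature but a stale or missing nonce should be rejected.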
If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please see the following resources:
Revision History
2025-10-03 First published.