Apple Authentication
This guide walks you through setting up Apple Sign In as a custom authentication provider for your UTXOS application.
Custom authentication providers are available on Pro and Scale plans. The Base plan uses UTXOS-managed Apple credentials.
Prerequisites
- An Apple Developer Program membership ($99/year)
- Access to the Apple Developer Portal
- A UTXOS project on the Pro or Scale plan
Apple Developer Program membership is required. The free Apple Developer account does not support Sign In with Apple for web applications.
Create an App ID
- Navigate to the Apple Developer Portal.
- Go to Certificates, Identifiers & Profiles > Identifiers.
- Click the + button to create a new identifier.
- Select App IDs and click Continue.
- Select App as the type and click Continue.
- Configure your App ID:
| Field | Value |
|---|---|
| Description | Your app name (e.g., “My UTXOS App”) |
| Bundle ID | Explicit ID (e.g., com.yourcompany.yourapp) |
- In the Capabilities section, enable Sign In with Apple.
- Click Continue, then Register.
Create a Services ID
- Return to Identifiers and click the + button.
- Select Services IDs and click Continue.
- Configure your Services ID:
| Field | Value |
|---|---|
| Description | Your service name (e.g., “My UTXOS App Web”) |
| Identifier | A unique identifier (e.g., com.yourcompany.yourapp.web) |
- Click Continue, then Register.
- Click on your newly created Services ID to edit it.
- Enable Sign In with Apple and click Configure.
- Configure the web authentication:
| Field | Value |
|---|---|
| Primary App ID | Select the App ID you created earlier |
| Domains and Subdomains | utxos.dev |
| Return URLs | https://utxos.dev/api/auth |
- Click Save, then Continue, then Save again.
Create a Private Key
- Navigate to Keys in the Apple Developer Portal.
- Click the + button to create a new key.
- Enter a Key Name (e.g., “UTXOS Sign In Key”).
- Enable Sign In with Apple and click Configure.
- Select your Primary App ID and click Save.
- Click Continue, then Register.
- Download the private key file (.p8). Store it securely.
The private key can only be downloaded once. If you lose it, you must create a new key.
- Note your Key ID displayed on the confirmation page.
- Note your Team ID from the top-right of the Developer Portal (or from Membership details).
Configure UTXOS Dashboard
- Open the UTXOS Dashboard and select your project.
- Navigate to Settings > Authentication.
- Select Apple from the provider list.
- Enter your credentials:
| Field | Value |
|---|---|
| Services ID | Your Services ID identifier (e.g., com.yourcompany.yourapp.web) |
| Team ID | Your Apple Developer Team ID |
| Key ID | The Key ID from your private key |
| Private Key | The contents of your .p8 private key file |
- Toggle Enable to activate Apple authentication.
- Click Save project settings.
Verify the Integration
- Open your application and initiate the wallet connection flow.
- Select Login with Apple.
- Complete the Apple Sign In process.
- Confirm you are redirected back to your application with an active wallet session.
Apple may prompt users to hide their email address. UTXOS handles both real and relay email addresses.
Troubleshooting
“Invalid client_id” Error
The Services ID does not match your configuration. Verify you are using the Services ID identifier (not the App ID) in the UTXOS dashboard.
“redirect_uri is not valid” Error
The Return URL in your Services ID configuration does not match. Ensure https://utxos.dev/api/auth is configured exactly as shown.
“Invalid key” Error
Check that you pasted the entire contents of the .p8 file, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.
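The check above can be run locally before pasting, so the key is validated without leaving your machine. This is an added example, not UTXOS or Apple code: the helper names `checkP8` and `sampleP8` are hypothetical, and it assumes the .p8 file is a PKCS#8 PEM holding a P-256 EC key, which is the format Apple issues for Sign In with Apple keys.

```javascript
// Added example: pre-flight check of .p8 contents with Node's built-in crypto.
const nodeCrypto = require('node:crypto');

const BEGIN_LINE = '-----BEGIN PRIVATE KEY-----';
const END_LINE = '-----END PRIVATE KEY-----';

// Returns { ok, problems }. Never logs or returns the key material itself.
function checkP8(text) {
  const problems = [];
  const pem = String(text).replace(/\r\n/g, '\n').trim();
  if (!pem.startsWith(BEGIN_LINE)) problems.push('missing BEGIN PRIVATE KEY line');
  if (!pem.endsWith(END_LINE)) problems.push('missing END PRIVATE KEY line');
  if (problems.length > 0) return { ok: false, problems };

  let key;
  try {
    key = nodeCrypto.createPrivateKey({ key: pem, format: 'pem' });
  } catch (err) {
    // Markers are present but the base64 body is incomplete or altered.
    return { ok: false, problems: ['body does not parse as a PKCS#8 private key'] };
  }
  if (key.asymmetricKeyType !== 'ec') {
    problems.push(`expected an EC key, got ${key.asymmetricKeyType}`);
  } else if (key.asymmetricKeyDetails.namedCurve !== 'prime256v1') {
    problems.push(`expected curve P-256, got ${key.asymmetricKeyDetails.namedCurve}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: a throwaway P-256 key in the same PKCS#8 PEM encoding.
// It is generated on the fly and is not a real Apple key.
function sampleP8() {
  return nodeCrypto
    .generateKeyPairSync('ec', { namedCurve: 'prime256v1' })
    .privateKey.export({ type: 'pkcs8', format: 'pem' });
}

// Demo: a complete paste passes; a paste without the marker lines is rejected.
const demoKey = sampleP8();
const demoBodyOnly = demoKey.trim().split('\n').slice(1, -1).join('\n');
console.log('complete paste:', checkP8(demoKey));
console.log('markers dropped:', checkP8(demoBodyOnly));
```

To check a real key, pass the file contents read with `fs.readFileSync(path, 'utf8')` to `checkP8` and keep the file out of version control and shared logs.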
Users See “Sign in with Apple is not available”
This can occur if:
- The Services ID is not properly configured
- The domain utxos.dev is not verified
- Your Apple Developer membership has lapsed
Private Email Relay Issues
If users choose to hide their email, Apple provides a relay address. Ensure your application handles @privaterelay.appleid.com email addresses.
Apple-Specific Considerations
Email Privacy
Apple allows users to hide their real email address. Your application receives a unique relay address that forwards to the user’s actual email.
Name Sharing
Apple only shares the user’s name on the first authorization. Subsequent sign-ins do not include name data. Store user names on first login.
Account Revocation
Users can revoke your app’s access from their Apple ID settings. Handle authentication failures gracefully for previously authenticated users.
Next Steps
- Enable Third-Party Authentication to use existing Apple sessions
- Add additional providers to give users more login options