> ## Documentation Index
> Fetch the complete documentation index at: https://docs.replit.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure Apple OAuth

> Set up Sign in with Apple for your app's authentication

This guide walks you through creating the Apple App ID, Services ID, and Private Key required for Sign in with Apple. You'll collect a **Team ID**, **Services ID**, **Key ID**, and **Private Key** to plug into the **Auth pane**.

<Note>
  This page covers only the provider-side setup in the Apple Developer portal. For the overall Clerk Auth flow — including enabling Apple and entering credentials in the **Auth pane** — see [Configuring OAuth credentials for an SSO provider](/core-concepts/project-editor/auth-and-security/clerk-auth#configuring-oauth-credentials-for-an-sso-provider) in the Clerk Auth doc.
</Note>

## Prerequisites

* An [Apple Developer account](https://developer.apple.com/account) (requires enrollment in the Apple Developer Program)
* A [published Replit app](/category/replit-deployments) — custom OAuth credentials are only available in the **Production** environment
* The **Apple** provider's edit panel opened in: **Auth pane** → **Configure** tab → **SSO providers** section → select the **Production** environment → select **Edit** next to **Apple**

## Step 1: Create an Apple App ID

1. Navigate to the [Apple Developer portal](https://developer.apple.com/account)
2. Go to **Certificates, IDs & Profiles** then **Identifiers**
3. Select **App IDs** from the dropdown
4. Select the **+** icon to register a new identifier
5. Select **App IDs**, then **Continue**
6. Choose **App**, then **Continue**
7. Fill in:
   * **Description**: Name for your App ID
   * **Bundle ID**: Your unique identifier
8. Enable **Sign In with Apple** under Capabilities
9. Select **Continue**, then **Register**
10. **Save your App ID Prefix** (shown at top) - this is your **Team ID**

## Step 2: Create an Apple Services ID

1. On the Identifiers page, select **Services IDs** from the dropdown
2. Select **+** to register a new identifier
3. Select **Services IDs**, then **Continue**
4. Fill in:
   * **Description**: Name for your Services ID
   * **Identifier**: Your unique identifier (save this - it's your **Services ID**)
5. Select **Continue**, then **Register**

### Configure the Services ID

1. Select your newly created Services ID
2. Enable **Sign In with Apple**
3. Select **Configure**
4. Set:

   * **Primary App ID**: Select your App ID from Step 1
   * **Domains and Subdomains**: Copy the value shown under **Provider setup** in the **Auth pane** (without the `https://` protocol prefix)
   * **Return URLs**: Copy the value shown under **Provider setup** in the **Auth pane**

   See [Configuring OAuth credentials for an SSO provider](/core-concepts/project-editor/auth-and-security/clerk-auth#configuring-oauth-credentials-for-an-sso-provider) for how to find these values.
5. Select **Next**, then **Done**, then **Continue**, then **Save**

## Step 3: Create an Apple Private Key

1. In the Apple Developer portal sidebar, select **Keys**
2. Select **+** to register a new key
3. Enter a **Key Name**
4. Enable **Sign In with Apple**
5. Select **Configure**, then select your App ID from Step 1
6. Select **Save**, then **Continue**, then **Register**
7. **Save the Key ID**
8. **Download** the private key file (.p8)

<Warning>
  You can only download the private key once. Store it securely — you cannot download it again.
</Warning>

## Step 4: Configure Apple Private Email Relay

Apple's Hide My Email feature lets users sign in without revealing their real email. To send emails to these users, register your email source.

1. In the Apple Developer portal sidebar, select **Services**
2. Under **Sign in with Apple for Email Communication**, select **Configure**
3. Select **+** to add an Email Source
4. Enter the Email Source value shown under **Provider setup** in the **Auth pane**
5. Select **Next**, then **Register**, then **Done**
6. Wait for DNS verification (green check icon)

<Info>
  In some regions (China, India), Apple IDs may be tied to phone numbers instead of email. If your app requires email for all users, Sign in with Apple may fail for users in these regions.
</Info>

## Troubleshooting

### Invalid client

* Verify all credentials are entered correctly
* Ensure the Private Key includes the BEGIN and END lines
* Check that your Services ID is properly configured

### Invalid redirect URI

* Verify the Return URL in the Apple Services ID configuration exactly matches the value shown under **Provider setup** in the **Auth pane**
* Check the domain in Domains and Subdomains matches your published domain (without `https://`)

### Email relay not working

* Verify the Email Source shows a green check in the Apple Developer portal
* Wait for DNS propagation if recently added

### Not working on custom domain

* Add the custom-domain entries shown under **Provider setup** in the **Auth pane** to Domains and Subdomains (without `https://`) and to Return URLs

## Additional resources

* [Apple Sign in with Apple Documentation](https://developer.apple.com/sign-in-with-apple/)
* [Private Email Relay Service Guide](https://developer.apple.com/help/account/configure-app-capabilities/configure-private-email-relay-service)