Apple authentication

Sign in with Apple lets people use the Apple ID they already have on iPhone, Mac, and the web. You configure identifiers and keys in Apple Developer, register Return URLs on your Services ID, then paste your Services ID (and any extra bundle IDs you need) into Client IDs and paste your Apple client-secret JWT into Secret Key (for OAuth) in WeWeb.

Apple’s overview: Sign in with Apple.

You need an active Apple Developer Program membership to create the identifiers and keys below.

What this integration supports

• Let users sign in with their Apple ID through Sign in with Apple.
• Work with the Sign in with social provider action in your interface workflows.
• Use the same WeWeb Users, Roles, protected pages, and protected API rules as any other sign-in method.
• Send users to different pages after sign in, after an error, or on first sign in.

Setup in Apple Developer

Work in Certificates, Identifiers & Profiles. Sign in with Apple for the web uses a primary App ID, a Services ID (web client), and a private key used to sign the JWT you paste into WeWeb as Secret Key (for OAuth).

Official walkthrough from Apple: Configure Sign in with Apple for the web.

1. Create an App ID with Sign in with Apple

1. Open Identifiers, click the add button (+), choose App IDs, then App.
2. Select type App and click Continue.
3. Enter a Description and a unique Bundle ID (reverse-DNS style, for example com.yourcompany.yourproduct).
4. On capabilities, enable Sign In with Apple.
5. Click Continue, then Register.

This App ID is the primary app Apple links your website Services ID to.

2. Create a Services ID and register Return URLs

The Services ID identifier string is your web OAuth client ID. You copy it into WeWeb Client IDs (and you can add optional extra bundle IDs there as a comma-separated list when your setup needs them).

1. Open Identifiers, click +, choose Services IDs, then Continue.
2. Enter a Description and a unique Identifier (for example com.yourcompany.yourproduct.web). Click Continue, then Register.
3. Open the Services ID from the list.
4. Enable Sign In with Apple, then click Configure.
5. In the configuration window:
   • Primary App ID: Choose the App ID you created in step 1.
   • Domains and Subdomains: Add each hostname where your WeWeb app is served, without https:// (for example your-domain.com and your-project-id-editor.weweb.io).
   • Return URLs: Add WeWeb’s auth callback for each origin you use. Apple sends users back only to URLs you list here.

WeWeb’s callback path on each origin is:

https://<origin>/api/auth/callback/apple

Add one Return URL per hosted environment, using the real hostname WeWeb uses:

Where the app runs	Return URL to register
WeWeb editor project	https://<your-project-id>-editor.weweb.io/api/auth/callback/apple
Published app	https://your-domain.com/api/auth/callback/apple
Preview or staging app	https://your-preview-domain.com/api/auth/callback/apple

6. Click Next, then Done, then save the Services ID (Continue / Save as Apple shows).

Apple limits how many website URLs you can register depending on account type (for example 10 for individuals and 100 for organizations). Plan Return URLs so every WeWeb origin you need fits within your limit.

RETURN URL VS SUCCESS PAGE

The Return URL belongs in Apple Developer on your Services ID. It must be exactly https://<origin>/api/auth/callback/apple for that origin.

The Success page, Error page, and New user page in WeWeb’s Sign in with social provider action control where users land after Apple finishes the callback. They are not pasted into Apple’s Return URLs field.

3. Create a key for Sign in with Apple

Apple expects your backend to authenticate with a JSON Web Token (client_secret) signed by a private key you create once.

1. Open Keys, click +.
2. Enter a Key Name.
3. Enable Sign In with Apple, click Configure, select your primary App ID, then Save.
4. Click Continue, then Register. Download the .p8 key file. Apple shows the Key ID once on this screen; copy it. You cannot download the same key again later.

Also copy your Team ID from Membership details (10-character string).

Store the .p8 file securely. Anyone with the key can mint secrets for your Apple integration.

4. Generate the client secret (JWT) for Secret Key (for OAuth)

Apple does not give a fixed string you can paste forever. Sign in with Apple uses a short-lived JWT as the OAuth client_secret. You create that JWT with your Team ID, Services ID identifier, Key ID, and the private key from the .p8 file, following Apple’s requirements (algorithm, audience, expiry; Apple allows up to six months for the token lifetime when you mint it).

Use Apple’s documentation: Generate and validate tokens.

Copy the resulting JWT string. You will paste it into WeWeb as Secret Key (for OAuth). When the JWT expires, generate a new one and update that field.

Connect Apple in WeWeb

When Apple configuration and the JWT are ready:

1. Open Data & API → Authentication → SSO Providers.
2. Open the Apple section.
3. Turn on Enable.
4. Set:
   • Client IDs: Your Services ID identifier from step 2 (for example com.yourcompany.yourproduct.web). If your setup requires additional Apple bundle identifiers to be accepted as client IDs, list them in this field as a comma-separated list together with the Services ID.
   • Secret Key (for OAuth): The JWT you generated in step 4.
5. Save.

One Services ID can cover every Return URL your project lists in Apple, within Apple’s URL limits. If you maintain different Apple apps or Services IDs per environment, store the matching Client IDs and JWT in each WeWeb environment (Editor vs Production) as needed.

APPLE CALLBACK VS SUCCESS PAGE

Apple Return URLs must use WeWeb’s fixed path /api/auth/callback/apple on each origin. The success page in your workflow is separate.

Test sign in

1. In the editor, add a button or link in your interface.
2. Attach a workflow with Sign in with social provider.
3. Set Provider to apple, and choose Success page, Error page, and optional New user page.
4. Preview on an origin you added as a Domain and Return URL in Apple, then complete Sign in with Apple.

For sessions, roles, and protected content after sign-in, see Using authentication in WeWeb ->.

Common pitfalls

Return URL or domain mismatch

If Apple shows an error about redirect_uri, invalid_request, or an unknown redirect:

• Every failing origin must appear under Domains and Subdomains on the Services ID.
• Every origin must have the Return URL https://<that-origin>/api/auth/callback/apple listed exactly, including https and the path.

Confusing the App ID with the Services ID

The Bundle ID App ID enables Sign in with Apple. The value you put in WeWeb Client IDs for web login is the Services ID identifier from step 2, not the App ID’s bundle identifier.

Using the success page as the Return URL

The workflow’s Success page is not registered in Apple. Apple only accepts WeWeb’s /api/auth/callback/apple URL on each host.

Lost .p8 key or expired JWT

If you lose the private key, create a new key in Keys, generate a new JWT with the new Key ID and private key, and replace the value in Secret Key (for OAuth) in WeWeb. Revoke the old key in Apple when you are done. JWTs expire; refresh Secret Key (for OAuth) on a schedule that fits Apple’s allowed lifetime (up to six months per token when minted correctly).

Hide My Email

Users can choose to hide their email. Apple may supply a privaterelay.appleid.com address. Your app should treat it as a normal email for login and messaging rules.

Reference

WeWeb settings reference

Setting	Description	Where to find it in Apple
Enable	Turns Apple sign-in on for the project.	Not in Apple; enable in WeWeb after setup.
Client IDs	Your Services ID identifier for the web client, plus optional extra bundle IDs in a comma-separated list if your project needs them.	Identifiers → Services IDs (and App IDs for bundle IDs).
Secret Key (for OAuth)	The JWT client_secret for Apple’s token endpoint.	You generate it from Team ID, Services ID, Key ID, and .p8 per Apple’s token docs.

Apple values to prepare

Item	What it is
Team ID	Ten-character team ID from Membership.
Services ID	Identifier string for the web client (OAuth client_id).
Key ID	From the Keys detail after creating a Sign in with Apple key.
Private key	Contents of the downloaded .p8 file (used only to generate the JWT you paste into Secret Key (for OAuth)).
Return URLs	Full https://<origin>/api/auth/callback/apple per WeWeb environment.
Domains	Same hosts as your Return URLs, entered without scheme.

FAQs

Which Return URL should I add in Apple?

Add https://<origin>/api/auth/callback/apple for each WeWeb editor, preview, and live origin you use. Match Apple’s Domains list to those hosts.

Is the success page the same as Apple’s Return URL?

No. Return URLs end with /api/auth/callback/apple. The success page is a page in your app after the flow completes.

Can I use Apple sign-in and email/password together?

Yes. You can enable multiple providers and let users choose how to sign in.

CONTINUE LEARNING

After Apple sign-in works, decide what signed-in users can access.

Managing roles ->