Sign in with Apple in web fails / error: 'invalid_client'
I'm facing issues with Sign in with Apple in my Better Auth setup:
Current Status
- ✅ Apple Sign In works in my Expo (native) app using ID token
- ❌ Apple Sign In fails on web
Configuration Details
- Using Better Auth with Expo plugin
- JWT payload for client secret looks correct
- Web Service ID: de.xxx.web
- App Bundle ID: de.xxx.app
Error Messages
Server logs show:
I've added https://appleid.apple.com to trustedOrigins as suggested (should not be needed?), but still experiencing web authentication issues. Any ideas what might be causing this discrepancy between native and web authentication?
Did you ever track this down? I'm getting the same error.
@zsmooth no... hard to believe that Apple, as one of the iconic UX companies, has this kind of auth credential garbage 🥸
Adding it to trustedDomains worked for me. I think this is a Better Auth bug, not an Apple bug.
Thanks for sharing!
I'm having the same issue, did you ever fix it? Where is that option to set trustedDomains?
Nvm, I figured it out. I had an invalid_code, as in my Apple secret wasn't generated with the proper signinid. Setting up all this stuff in Apple is a PITA though.
Also had to follow this for CSRF https://gist.github.com/Maxiviper117/95a31750b74510bbb413d2e4ae20b4e8
Hey, just stumbled across your post here. I'm facing the same error and have been trying to solve this for hours. What's the signinid? I just have the client_secret and client_id.
Your client ID would be the identifier for the specific Service ID that you set up to enable Sign in with Apple for a web service, inside the Apple developer account.
Your client secret you would have to generate using a pem cert you can download from Apple.
I'm using this bun script to generate the credentials
bun run generate-apple-secret.ts --team <TEAM_ID> --key <KEY_ID> --client <CLIENT_ID> --private <PATH_TO_P8>
and I also set the appBundleIdentifier. However, very frustratingly, login was working for me using the release version on TestFlight but the Apple review team couldn't log in. Adding "https://appleid.apple.com" to the trustedOrigins solved the issue but wasn't obvious since I never observed the error directly.
@here do we have to generate a new client_secret every time the JWT exp is met... I mean with my local development server I'm getting invalid_client or invalid_code every hour.
Has anyone here had that experience?
I'm generating the client_secret on the server and caching it, and then automatically regenerating it every time it's a day away from expiring. I don't get the examples I see where people are generating the secret on the command line. Makes no sense to me.
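As an added example (not Better Auth's code and not from anyone in this thread), here is what the generate-apple-secret.ts step and the server-side caching described in the last reply look like together in TypeScript. The Team ID and Key ID are placeholders, and a P-256 key pair generated locally stands in for the .p8 file downloaded from Apple, so the script runs offline; the claim layout (iss = Team ID, sub = Service ID / client_id, aud = https://appleid.apple.com, ES256 with kid = Key ID, exp at most six months out) is the one Apple requires for the client secret JWT. The helper names are this example's own.

```typescript
// Added example: builds the Sign in with Apple client secret JWT and caches it
// server-side, regenerating when it is within a day of expiry.
import * as crypto from "node:crypto";

// Placeholders; real values come from the Apple developer account.
export const TEAM_ID = "TEAM_ID_PLACEHOLDER"; // iss claim
export const KEY_ID = "KEY_ID_PLACEHOLDER";   // kid header of the Sign in with Apple key
export const CLIENT_ID = "de.xxx.web";         // Service ID used for the web flow (sub claim)
export const APPLE_AUD = "https://appleid.apple.com";
export const MAX_TTL_SECONDS = 180 * 24 * 3600; // Apple caps validity at 6 months; stay under it

// Constructed stand-in for the .p8 key from Apple: a locally generated P-256 pair.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });

function b64url(bytes: Buffer): string {
  return bytes.toString("base64url");
}

// Produce the compact JWT Apple expects as client_secret. `now` is Unix seconds.
export function generateAppleClientSecret(now: number, ttlSeconds = MAX_TTL_SECONDS): string {
  const header = { alg: "ES256", kid: KEY_ID };
  const payload = { iss: TEAM_ID, iat: now, exp: now + ttlSeconds, aud: APPLE_AUD, sub: CLIENT_ID };
  const signingInput =
    `${b64url(Buffer.from(JSON.stringify(header)))}.${b64url(Buffer.from(JSON.stringify(payload)))}`;
  // JOSE ES256 signatures are raw r||s (ieee-p1363), not ASN.1 DER.
  const signature = crypto.sign("sha256", Buffer.from(signingInput), {
    key: privateKey,
    dsaEncoding: "ieee-p1363",
  });
  return `${signingInput}.${b64url(signature)}`;
}

// Local sanity check of a generated secret against the matching public key;
// returns the decoded claims, or null if the token is malformed or the signature fails.
export function verifyAppleClientSecret(token: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const ok = crypto.verify(
    "sha256",
    Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" },
    Buffer.from(s, "base64url"),
  );
  if (!ok) return null;
  return JSON.parse(Buffer.from(p, "base64url").toString("utf8")) as Record<string, unknown>;
}

// Server-side cache: the secret is minted once and reused until it is a day
// from expiry, so the private key never leaves the server and no one has to
// re-run a command-line script when the old JWT's exp passes.
const REFRESH_MARGIN_SECONDS = 24 * 3600;
let cached: { secret: string; exp: number } | null = null;

export function getClientSecret(now: number): string {
  if (cached === null || cached.exp - now <= REFRESH_MARGIN_SECONDS) {
    cached = { secret: generateAppleClientSecret(now), exp: now + MAX_TTL_SECONDS };
  }
  return cached.secret;
}
```

A secret whose exp has passed is exactly what Apple answers with invalid_client, which is why the cache keys its refresh on the exp it stamped into the token rather than on wall-clock guesses; in a real deployment the private key would be loaded from the .p8 file (or a secret store) instead of being generated at startup.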