When implementing Sign in with Apple, I quickly realized that Apple’s official documentation was confusing and lacked clarity. Since I am standardizing my user registration flow, I needed a seamless way to integrate Apple’s authentication system. However, I found that many guides were either incomplete or assumed prior knowledge of Apple’s Developer ecosystem.

To help others avoid the same frustration, I’ve put together this step-by-step guide that walks you through everything you need to set up Sign in with Apple—whether you’re using WorkOS or Auth0.

Why This Guide?

While trying to integrate Sign in with Apple using Auth0, I encountered a major problem: Auth0’s official documentation was vague and difficult to follow. Key steps were missing or buried in unrelated sections, making it hard to complete the setup.

Take a look at this screenshot from Auth0’s documentation, which illustrates the issue:

As you can see, the guide lacks clear explanations and assumes the user already knows how to retrieve and configure Apple’s required credentials. Because of this, I had to piece together information from multiple sources to make it work.

What You’ll Learn

In this guide, I’ll cover:

  • How to retrieve the necessary credentials from your Apple Developer account.
  • How to properly configure Sign in with Apple in both WorkOS and Auth0.
  • An optional setup for Apple’s Private Email Relay, ensuring users can receive emails even if they choose to hide their real email address.

Prerequisites

Before getting started, make sure you have:

  • An active Apple Developer account.
  • Either a WorkOS or Auth0 account (depending on your authentication provider).

Now, let’s dive into the setup process! 🚀

Step 1: Retrieve Apple Credentials and Configure Sign in with Apple

To integrate Sign in with Apple, you’ll need to retrieve several credentials from your Apple Developer account and configure them correctly. This section will guide you through the process step by step.

1.1 Retrieve the Apple Team ID

  1. Sign in to the Apple Developer Portal.
  2. Navigate to Certificates, Identifiers & Profiles.
  3. On the landing page, locate your Team ID under your name or company name.

🔹 Important: The Team ID is sensitive and should only be used by the server for authentication. It should never be exposed to the client.

1.2 Register an App ID

📌 Skip this step if you already have an App ID.

  1. In the Certificates, Identifiers & Profiles section, click Identifiers in the sidebar.
  2. Click the + button to create a new identifier.
  3. Select App IDs → Click Continue.
  4. Select App → Click Continue.
  5. Enter the following details:
    1. Description: A human-readable name for your app (e.g., “MyApp”).
    2. Bundle ID: This should be in reverse domain notation (e.g., com.example.myapp).
  6. Enable the Sign in with Apple capability.
  7. Click Continue, review your selections, and click Register.

🔹 Why is this needed? The App ID allows Apple to recognize your app and link it to Sign in with Apple.

1.3 Register a Service ID

Next, we need to create a Service ID, which is required for web-based authentication.

  1. In the Certificates, Identifiers & Profiles section, click Identifiers.
  2. Click the + button to create a new identifier.
  3. Select Service IDs → Click Continue.
  4. Enter the following details:
    1. Description: A human-readable name for your service (e.g., “MyApp Service ID”).
    2. Service ID: A unique identifier (e.g., com.example.myapp).
  5. Click Continue → Note down the Service ID for later → Click Register.
  6. Select the newly created Service ID and click Edit.
  7. Enable the Sign in with Apple capability.
  8. Click Configure and complete the following:
    1. Select the App ID you created earlier.
    2. Enter api.workos.com or auth0.com in the Domains and Subdomains field.
    3. Paste the Return URI from WorkOS/Auth0 in the Return URLs field.
  9. Click Next → Done → Continue → Save.

🔹 Why is this needed? The Service ID enables web-based authentication with Apple and links your app to the Apple authentication system.

1.4 Register a Private Key

A private key is required to securely authenticate your server with Apple.

  1. In the Certificates, Identifiers & Profiles section, click Keys.
  2. Click the + button to create a new key.
  3. Enter a Key Name (e.g., “Sign in with Apple Key”).
  4. Enable the Sign in with Apple capability → Click Configure.
  5. Select the previously created App ID and click Save.
  6. Click Continue → Review the details → Click Register.
  7. Download the private key (you won’t be able to download it again).
  8. Note down the Key ID for later use.

🔹 Important: The private key file (.p8) is only available for download once. Store it securely!
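
What the four values collected so far are for, as an added example (not code from this guide, WorkOS, Auth0 or Apple): Apple's token endpoint expects a client secret that is an ES256-signed JWT built from the Team ID, Service ID, Key ID and the .p8 key. The key pair and identifiers below are constructed placeholders, and the function names are hypothetical.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const MAX_TTL = 15777000; // Apple's documented ceiling for exp - iat (6 months)

function buildAppleClientSecret({ teamId, serviceId, keyId, p8Pem, now, ttlSeconds = 3600 }) {
  // A truncated or mangled paste fails here instead of at the first sign-in.
  const key = crypto.createPrivateKey(p8Pem.trim());
  const details = key.asymmetricKeyDetails || {};
  if (key.asymmetricKeyType !== 'ec' || details.namedCurve !== 'prime256v1') {
    throw new Error('expected a P-256 EC key (ES256)');
  }
  if (ttlSeconds <= 0 || ttlSeconds > MAX_TTL) throw new Error('ttl out of range');
  const header = { alg: 'ES256', kid: keyId };           // Key ID from step 1.4
  const claims = {
    iss: teamId,                                         // Team ID from step 1.1
    iat: now,
    exp: now + ttlSeconds,
    aud: 'https://appleid.apple.com',
    sub: serviceId,                                      // Service ID from step 1.3
  };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  // JWS ES256 uses the raw r||s signature form, not OpenSSL's default DER.
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
    { key, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Check a client secret against the public half of the key and decode it.
function inspectClientSecret(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${c}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  return { ok, header: decode(h), claims: decode(c) };
}

// Constructed sample: throwaway key pair and placeholder identifiers.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const sample = {
  teamId: 'TEAMID0000', serviceId: 'com.example.myapp', keyId: 'KEYID00000',
  p8Pem: privateKey.export({ type: 'pkcs8', format: 'pem' }), now: 1700000000,
};
console.log(inspectClientSecret(buildAppleClientSecret(sample), publicKey));
```

Whoever holds the .p8 file can mint valid client secrets for your Service ID, which is why it belongs in a secrets manager rather than in the repository or client code.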

1.5 (Optional) Set Up Private Email Relay

Apple allows users to hide their email address, in which case your app is given an anonymous @privaterelay.appleid.com address instead of the real one. To ensure these users still receive important emails from your app, you need to set up Private Email Relay.

  1. Navigate to Sign in with Apple settings in WorkOS/Auth0 → Copy the Outbound Email Domains.
  2. In your Apple Developer Account, go to Services → Click Sign in with Apple for Email Communication → Click Configure.
  3. Click the + button → Paste the Outbound Email Domains from WorkOS/Auth0 into the Domains and Subdomains field.
  4. Click Next → Click Register.

🔹 Why is this needed? This step ensures email forwarding works correctly for users who choose to hide their email address.

Step 2: Configure Sign in with Apple in WorkOS and Auth0

Now that you’ve retrieved the necessary Apple credentials, the next step is to integrate Sign in with Apple into either WorkOS or Auth0. This section provides a step-by-step guide to configuring each platform correctly.

2.1 Configure Sign in with Apple in WorkOS

  1. Log in to the WorkOS Dashboard
    1. Navigate to WorkOS Dashboard.
    2. Click on Authentication in the sidebar.
    3. Locate Sign in with Apple and click Edit.
  2. Enable Sign in with Apple
    1. Toggle Enabled.
    2. Enter the credentials retrieved from Apple:
      • Team ID
      • Service ID
      • Private Key ID
      • Private Key Contents (copy & paste the .p8 private key file contents).
  3. Test the Integration
    1. Try signing in with an Apple account in your application.
    2. Check the WorkOS logs to confirm the authentication flow works correctly.

🔹 Common Issues & Fixes:

  • Invalid private key error? Ensure the .p8 key is correctly copied and has no extra spaces.
  • Mismatched Return URI? Double-check that the Apple Developer settings match WorkOS.

2.2 Configure Sign in with Apple in Auth0

  1. Log in to the Auth0 Dashboard
    1. Navigate to Auth0 Dashboard.
    2. Click on Connections → Social.
    3. Locate Sign in with Apple and click Settings.
  2. Enter Apple Credentials
    1. Client ID (Service ID from Apple Developer)
    2. Team ID
    3. Key ID
    4. Private Key (copy & paste the .p8 key contents)
  3. Set Authorization & Token URLs
    • In Advanced Settings, enter the following values:
      • Authorization URL:

🔹 Common Issues & Fixes:

  • Error: Invalid client ID? Ensure the Service ID in Apple Developer matches the Client ID in Auth0.
  • Token error? Ensure the Authorization and Token URLs are correctly set.

Now that you’ve successfully configured Sign in with Apple in either WorkOS or Auth0, your users can authenticate using their Apple accounts.

📌 Final Checklist Before Deployment:

✅ Ensure Return URIs match between Apple Developer and your auth provider.

✅ Verify that Sign in with Apple is enabled in WorkOS/Auth0.

✅ Test the authentication flow with a real Apple account.

With this setup, your app is now ready to support Apple’s authentication system smoothly! 🚀

Conclusion

Setting up Sign in with Apple can be challenging, especially with the lack of clear documentation from Apple and third-party providers. In this guide, I walked through the exact steps needed to retrieve credentials from Apple, configure authentication in WorkOS and Auth0, and ensure everything is properly linked.

By following these steps, you should now have a fully functional Sign in with Apple integration, allowing users to seamlessly log in with their Apple ID. If you encounter issues, double-check your return URIs, private keys, and service configurations—these are common pain points.

What’s Next?

To further scale user management, I’ll be writing a follow-up blog post on how to set up a proxy server with Hummingbird 2. This will allow better authentication handling and load balancing, making it easier to manage authentication flows at scale. Stay tuned! 🚀