New requirement for apps using Sign in with Apple for account creation
October 9, 2025
Starting January 1, 2026, developers based in the Republic of Korea must provide a server‑to‑server notification endpoint when registering a new Services ID, or updating an existing Services ID, to associate their website with an app using Sign in with Apple.
As a reminder, registering a notification endpoint allows Apple to send you important updates about the people who use your app and their account status, including:
- Changes in email forwarding preferences.
- Account deletions in your app.
- Permanent Apple Account deletions.
To learn more about server-to-server notifications, see WWDC20 session 10173: Get the most out of Sign in with Apple.
When you receive these notifications, you should immediately update any data associated with the account change in the app, as well as any necessary server infrastructure, to give people more control of the personal data they’ve shared. For more information, see Processing changes for Sign in with Apple accounts.
Before submitting a new app to the App Store, or updating an existing app configuration to register a new Services ID or modify an existing Services ID, please read the guidance below.
Account change guidance
Account changes are directly related to privacy and control for the user and their personal data, and confirming account changes should be straightforward and transparent.
For account email forwarding changes:
- Ensure any displayed user data affected by the account change matches the change event in the notification payload. Typically, this data is displayed in the app’s account settings or user profile.
- If people need to visit a website to finish changing or verifying their email address, include a link directly to the page on your website where they can complete the process.
- Keep users informed. If the email forwarding change affects other services you offer, let them know. If your app supports In-App Purchases, help people understand how billing, order tracking, and cancellations will be handled with the new email address.
For account deletions:
- See TN3194: Handling account deletions and revoking tokens for Sign in with Apple.
Note: Always follow applicable legal requirements for storing and retaining user account information and for handling account changes and deletions. This includes complying with local laws where your apps are available. If you have questions regarding your legal obligations, check with your legal counsel.
Resources
- App Review Guidelines
- Human Interface Guidelines: Managing accounts