Hi support, I'm getting the following error when I tried to re-verify my domain: Domain verification failed. Review your TLS Certificate configuration to confirm that the certificate is accessible and a supported TLS Cipher Suite is used. I have uploaded the required apple-developer-merchantid-domain-association.txt file and it is reachable from the Internet in the proper location https://www..com/.well-known/apple-developer-merchantid-domain-association.txt. The SSL certificate has been renewed and it offers at least one of required cipher suites based on the Apple document https://developer.apple.com/documentation/applepayontheweb/setting-up-your-server. The current verification will expire soon. Need your help urgently. Thanks, YaoF

I have the HCE entitlements, but it's not clear from the documentation I have, how to configure my app as the default app for the double tap of the power button. Nor can i see where this is in iOS 18.2 settings. The closest I can find is 'Settings > Default Apps > Contactless App', which still shows only Wallet after I install my app with all the new entitlements and provisioning profile. I have these entitlement successfully provisioning my app: <key>com.apple.developer.nfc.hce</key> <true/> <key>com.apple.developer.nfc.hce.iso7816.select-identifier-prefixes</key> <array> <string>A0000000031010</string> <string>A00000002501</string> <string>A0000000049999</string> <string>A0000000041010</string> </array> <key>com.apple.developer.nfc.hce.default-contactless-app</key> <true/> The documentation here: https://developer.apple.com/support/hce-transactions-in-apps/ also references a link to changes in Info.plist, but the url takes me to storekit-external-entitlement documentation about dating apps in the netherlands ???!!!??? Any help would be appreciated to at least get started by allowing me to change the double tap action to my app. Thanks

We are attempting to integrate the Apple Pay service into our website and have successfully verified our domain with Apple manually. However, we consistently receive an 'ApplePay reverify failed' email a month before the expiration time. Upon checking, we updated the SSL certificate for the domain before receiving the email, and the link still works fine in the browser. We would greatly appreciate any feedback from someone who can help us with this issue.

We created apps for many credit unions in Canada. Some of those apps has the feature to directly add users' debit cards to Apple Wallet (which is called by Apple as "in-app provisioning"). The feature has been working fine for at least 6 years for many credit unions. Recently, after updating one of those existing apps, we found out that the in-app provisioning is no longer working. Found it very strange, as we didn't touch the code base related to this feature for a very long time. One thing we found out is that the option to add in-app provisioning entitlement is missing during generating "provisioning profile" for the app. Is this a misconfiguration by App? Or do we need to request for additional entitlement migration as mentioned in the page: https://developer.apple.com/help/account/reference/provisioning-with-managed-capabilities ? Apple, please help, it's rather urgent.

Hi! I am working on automating the Apple Pay integration process in our CI/CD pipeline and would like to confirm whether a fully automated setup is currently possible for our preproduction environment. Right now, our process is as follows: A certificate is generated for the root domain and for each individual merchant subdomain. Both certificates are manually uploaded to our preproduction servers to test and verified via HTTP. We’d like to automate this flow in GitLab CI, mainly the generation of the necessary certificates programmatically or via API. However, from my research, it seems that Apple does not currently provide an API or any support to automate this task, but I’d like to confirm this directly with you. Is there any official support or workaround for this kind of automation? If not, do you have any plans to provide it in the future? Thanks in advance for your help.

I am encountering an issue with the in-app provisioning flow using PKAddPaymentPassViewController. Specifically, when presenting the controller to allow users to add a pass to Apple Wallet, the device selection screen is showing all the devices, even after setting the primaryAccountIdentifier on the PKAddPaymentPassRequestConfiguration. Here's the context: I'm using PKAddPaymentPassViewController for in-app provisioning. I provide a valid primaryAccountIdentifier in the configuration. But after adding the pass, if i print back the primaryAccountIdentifier it displays some other value different than the identifier i had set(Example masked identifier: FAPLMC1GB000000066aa4xxxxxxxxxxxa744f16axxxxxxxx). The provisioning flow works, but the device list shown to the user includes all the devices (e.g., Apple Watches and iPhone even though it is already added to Apple Watch or iPhone).

I'm successfully using Apple subscriptions in my app, but I'm encountering SKErrorCodeDomain error 18 when trying to apply a subscription offer. I want apply offer code first time only for subscription. Below are details of what i set in appstore and what i have tested. Subscription Offer Details Offer Type: For the first month Customer Eligibility: New, Existing, and Expired Subscribers Code Status: Active Offer Code Creation Steps: App Store Connect → App → Subscription → Select Subscription Product → Offer Codes → Add → Add Custom Codes Signature Generation for Promotional Offers I'm following Apple's documentation to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers I’ve constructed the payload as instructed: appBundleId + '\u2063' + keyIdentifier + '\u2063' + productIdentifier + '\u2063' + offerIdentifier + '\u2063' + appAccountToken + '\u2063' + nonce + '\u2063' + timestamp Keys and Identifiers keyIdentifier, issuerId, and .p8 file are obtained from: App Store Connect → Users and Access → Integrations → In-App Purchase Test user created under: App Store Connect → Users and Access → Sandbox → Test Accounts Logged in with this account on the iPhone What I’ve Tried Verified all values used in the payload are correct Tried both seconds and milliseconds for the timestamp (as per documentation, it should be in milliseconds) Tried setting appAccountToken to: a valid UUID an empty string not setting it at all Used Apple’s sample code to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-promotional-offer-signature-on-the-server Verified the generated signature locally, and it validated successfully: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers#Validate-locally-and-encode-the-signature Apple’s sample code to generate a signature Downloaded from const express = require('express'); const router = express.Router(); const crypto = require('crypto'); const ECKey = require('ec-key'); const secp256k1 = require('secp256k1'); const uuidv4 = require('uuid/v4'); const KeyEncoder = require('key-encoder'); const keyEncoder = new KeyEncoder('secp256k1'); const fs = require('fs'); function getKeyID() { return "KEYIDXXXXX"; } router.post('/offer', function(req, res) { const appBundleID = req.body.appBundleID; const productIdentifier = req.body.productIdentifier; const subscriptionOfferID = req.body.offerID; const applicationUsername = req.body.applicationUsername; const nonce = uuidv4(); const currentDate = new Date(); const timestamp = currentDate.getTime(); const keyID = getKeyID(); const payload = appBundleID + '\u2063' + keyID + '\u2063' + productIdentifier + '\u2063' + subscriptionOfferID + '\u2063' + applicationUsername + '\u2063'+ nonce + '\u2063' + timestamp; // Get the PEM-formatted private key string associated with the Key ID. // const keyString = getKeyStringForID(keyID); // Read the .p8 file const keyString = fs.readFileSync('./SubscriptionKey_47J5826J8W.p8', 'utf8'); // Create an Elliptic Curve Digital Signature Algorithm (ECDSA) object using the private key. const key = new ECKey(keyString, 'pem'); // Set up the cryptographic format used to sign the key with the SHA-256 hashing algorithm. const cryptoSign = key.createSign('SHA256'); // Add the payload string to sign. cryptoSign.update(payload); /* The Node.js crypto library creates a DER-formatted binary value signature, and then base-64 encodes it to create the string that you will use in StoreKit. */ const signature = cryptoSign.sign('base64'); /* Check that the signature passes verification by using the ec-key library. The verification process is similar to creating the signature, except it uses 'createVerify' instead of 'createSign', and after updating it with the payload, it uses `verify` to pass in the signature and encoding, instead of `sign` to get the signature. This step is not required, but it's useful to check when implementing your signature code. This helps debug issues with signing before sending transactions to Apple. If verification succeeds, the next recommended testing step is attempting a purchase in the Sandbox environment. */ const verificationResult = key.createVerify('SHA256').update(payload).verify(signature, 'base64'); console.log("Verification result: " + verificationResult) // Send the response. res.setHeader('Content-Type', 'application/json'); res.json({ 'keyID': keyID, 'nonce': nonce, 'timestamp': timestamp, 'signature': signature }); }); module.exports = router; Postman request and response Request URL: http://192.168.1.141:3004/offer Request JSON: { "appBundleID":"com.app.bundleid", "productIdentifier":"subscription.product.id", "offerID":"OFFERCODE1", "applicationUsername":"01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" } Response JSON: { "keyID": "KEYIDXXXXX", "nonce": "f98f2cda-c7a6-492f-9f92-e24a6122c0c9", "timestamp": 1753510571664, "signature": "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz" } Xcode Code func buy(_ product: SKProduct) { let discountOffer = SKPaymentDiscount( identifier: "OFFERCODE1", keyIdentifier: "KEYIDXXXXX", nonce: UUID(uuidString: "f98f2cda-c7a6-492f-9f92-e24a6122c0c9")!, signature: "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz", timestamp: 1753510571664) let payment = SKMutablePayment(product: product) payment.applicationUsername = "01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" payment.paymentDiscount = discountOffer SKPaymentQueue.default().add(payment) } Issue Even following instructions to the documentation and attempting various combinations, the offer keeps failing with SKErrorCodeDomain error 18. Has anyone else experienced this? Any suggestions as to what may be amiss or how it can be corrected?

When running the test app with test flight before actually opening the app, the execution region is Korea and the country code is Korea, but the currency code on the payment screen is displayed as dollars or euros instead of won. In the payment settings, the currency code is set to won for Korea and dollars for the United States, and the European region is not set at all, but in some phones it is displayed as euros, and in some phones it is not like this, and in some cases it is displayed as won normally.

Hello All - I'm attempting to enable my companies app to add credit card to Apple Wallet. Part of our app enables customers to generate new virtual cards on demand and I'm attempting to enable the ability to add these cards to the Apple Wallet. Everything seems to be working all the way to the final stage of the process where I get a PKPassKitErrorDomain systemCancelled and I can't seem to find any clues as to why the system is canceling. For context - I have the com.apple.developer.payment-pass-provisioning entitlement. I have both the Wallet and In-App Provisioning capabilities enabled in the App. I have defined a PKAddPaymentPassViewControllerDelegate class that implements both the generateRequest and didFinishAdding methods. I'm leveraging PKAddPaymentPassViewController in SwiftUI by using a UIViewControllerRepresentable implementing class that returns the view controller properly when makeUIViewController is called. I build a PKAddPaymentPassRequest object and ensure that it is properly filled with encryptedPassData, activationData, and ephemeralPublicKey. As a user I'm able to go to the virtual card view, open the instance of PKAddPaymentPassViewController, select the destination for the card, see the Add Card information. I get to the point where the view tells me it's contacting the card issuer and then I get an error message "Could Not Add Card - Try again later or contact your card issuer for more information" with a "Set Up Later" button. I then get the system canceled error. I should mention that I'm able to add these virtual cards manually via the Apple Wallet. The process works similarly but requires me to provided an OTP to conclude the process. This flow works and I have active cards in my wallet. I'm having a very hard time figuring out how to try and debug this issue further. The only error that the system returns is the system canceled notice. Any insight into where I might be missing something or how to debug the issue further would be greatly appreciated. Any thought on how I could debug this further would also be greatly appreciated. Thanks in advance - AYAL

Hello, I am setting up a feature for my company's banking app that allows users to add their payment/debit card they have with us to the Apple Wallet on their device. We have the in-app provisioning entitlement setup and configured in the app and configured with our banking partner/TSP. We are able to manually provision production environment cards via the Wallet app. I am using test card data from my TSP. I send them the two certificates, nonce, and nonce signature data and am given activationData, encryptedPassData, and an ephmeralPublicKey that we then set on an instance of PKAddPaymentPassRequest. We call the handler on the delegate method that is called with that request object and get an error: The operation couldn’t be completed. (PKPassKitErrorDomain error 2.) Looking at the PassKit library shows this is PKUnsupportedVersionError - Unsupported pass version. Our TSP hasn't been super helpful in troubleshooting this issue and just said we should contact Apple as it is an Apple error. I am trying to figure out if the issue is with how we are implementing the feature or with the test data itself given to us.

Hi, We’re a franchise business with over 100 franchisees, and each franchisee has their own unique Merchant ID. We're building a single app that allows customers to place orders, and based on the selected franchisee, the payment needs to be processed through that specific franchisee’s merchant account. However, when we integrate Apple Pay and publish the app, it asks us to provide a payment gateways' Merchant ID, but we don’t use just one – we have many. How can we handle this situation? Is there a way to dynamically use multiple Merchant IDs in one app, depending on which franchisee the customer is ordering from?

Hello, I am developing an Apple Pay and In-App Provisioning integration for the bank where I work. All entitlements are properly configured, and we are integrated correctly with our Payment Network Operator (PNO). We are using PKAddPaymentPassViewControllerDelegate to handle the provisioning process. The flow progresses as expected up to the Terms and Conditions screen. However, after accepting the terms, the process fails with the message: "Could not add card." Upon checking the device logs using the Wallet profile configuration, I observed the following response from Apple's backend: Response: https://nc-pod10-smp-device.apple.com:443/broker/v4/devices/041315032816900221610987313158566F368A9CEBA1291E/cards/745f792b9d0644e5a6e713d54f505296/enable 500 Time profile: 1.80458 seconds { x-conversation-id = "6ec59a63424f4035915e32f22ea645e4" Vary = "accept-language" Content-Type = "application/json" x-pod = "nc-pod10" x-keystone-correlationid = "E3DD5A5A-FD18-4500-8570-2BD1334E281C" Date = "Thu, 17 Apr 2025 07:05:03 GMT" x-apay-service-response-details = "via_upstream" Content-Length = "49" x-envoy-upstream-service-time = "964" x-pod-region = "paymentpass.com.apple" } { errorCode = 40456; statusCode = 500; } This seems to indicate that the card enablement step is failing on the server side. Our internal systems have not logged any request failure from Apple at this step, which makes it difficult to pinpoint whether the issue is in the PNO integration, entitlement configuration, or something else. We are currently testing in a production environment on a physical device (not using sandbox), and provisioning flows are initiated through our iOS app using PKAddPaymentPassRequest. Could you please help us interpret error code 40456 and identify what steps we should take to resolve this issue? If needed, we can also provide the full device log and additional details. Thank you in advance for your support. Best regards, Mansur Bagwan

We have developed Apple Wallet Extension for our App. The in-app provisioning for the card is working. However when we try to add the card from Wallet extension it gives error saying "Your issuer does not yet offer support for this card". From the apple documentation we can see the issues is same as mentioned in Scenario 2 at following link https://applepaydemo.apple.com/in-app-provisioning#8.4 We are getting eligibilityStatus as 0 Below is the response from Wallet captured using SysDiagnosis https://crt-pod1-smp-device.apple.com:443/broker/v4/devices/0434320BCB1A90022306073796318273728D0A367FA927F4/cards 200 Time profile: 1.77856 seconds { x-conversation-id = ...... Content-Type = "application/json" x-pod = "crt-pod1" x-xss-protection = "1; mode=block" Server = "Apple" x-pod-region = "paymentpass.com.apple" regionbrokerurl = "https://crt-pod1-smp-device.apple.com:443/broker" Date = "Wed, 06 Aug 2025 11:39:30 GMT" Content-Length = "488" x-envoy-upstream-service-time = "1400" Strict-Transport-Security = "max-age=31536000; includeSubdomains" cross-origin-opener-policy = "same-origin" x-keystone-correlationid = ...... x-content-type-options = "nosniff" Vary = "accept-language" x-frame-options = "SAMEORIGIN" } { applicationIdentifier = ......; auxiliaryCapabilities = { }; cardType = 4; deviceProvisioningDataExpected = 1; eligibilityStatus = 0; identifier = ......; learnMoreURL = "https://www.apple.com/ae/apple-pay/banks/ae/en-ae.html"; nonce = ......; paymentApplications = ( { appletTypeIdentifier = Argon; paymentType = Credit; } ); region = "paymentpass.com.apple"; sanitizedPrimaryAccountNumber = 7008; sanitizedPrimaryAccountPrefix = ""; }

Why did my sandbox test fail due to not being able to obtain the product list?

Hi All, We operate a store with a single domain but multiple merchants, some of whom use PayPal as their payment gateway, while others use Stripe. We are looking to introduce Apple Pay for the various merchants. From what I understand, a .well-known file is required for each merchant to enable Apple Pay. How can we implement this, given that our merchants are using different payment gateways? Best regards, Joe

We have an Apple Pay account and have successfully created and verified the payment processing certificate in our Apple Developer account. When initiating an Apple Pay payment, the Apple session is created successfully with the correct data return from api , but it is not accepted with the error: “Payment not completed.” The issue occurs even though the merchant validation step works without errors. Our websites where this is happening are: https://magicdeliver.com/ https://www.pulsarmodular.com/ Could you please help us identify the cause of the issue and guide us on resolving it?

I'm implementing Apple Pay in my Flutter web app and I'm following the guidelines for domain verification using the apple-developer-merchantid-domain-association file. When I access the file at https://mydomain.com/.well-known/apple-developer-merchantid-domain-association through my web app, the browser silently downloads the file instead of displaying its content on the webpage. My question is: Is this the expected behavior for the apple-developer-merchantid-domain-association file? Should the browser download the file silently, or is there another step required, such as displaying the content on the webpage for verification purposes? I've consulted some resources and they indicate that the file download is the correct behavior. However, I'd appreciate confirmation from the community to ensure I'm implementing the verification process correctly. Summary is how do we know if apple has verified it?

I've completed the setup required for in-app push provisioning on the iOS platform. Encountering an issue at the completion handler step while sending data back to the PassKit framework. The delegate method used is: func addPaymentPassViewController(completionHandler handler: @escaping (PKAddPaymentPassRequest) -> Void) The error observed is: Error Domain=PKPassKitErrorDomainCode=2 which is PKUnsupportedVersionError The device used for testing is running iOS version 17.4.1.

I'm encountering an issue with Apple Pay on both Wallet and the Watch app where the app name is not showing up on the back of the payment card(Card details). The pass was successfully provisioned, and everything seems to be working, but the expected app name or brand isn't displayed, and instead, I see the generic "Something went wrong. Try again Later" message. Do we need to configure something to get this displayed in Wallet app?

I am attempting to verify my domain https://technoq.genesistechnologies.tech for use with Apple Pay Merchant ID. However, when I attempt verification, the process fails with the message: “Domain verification failed.” Unfortunately, no additional details are provided. I have already completed the following steps: Downloaded the verification file apple-developer-merchantid-domain-association.txt. Placed it in the .well-known directory as instructed. Confirmed that it is publicly accessible at: https://technoq.genesistechnologies.tech/.well-known/apple-developer-merchantid-domain-association.txt Verified that a valid SSL certificate is configured for the domain. Could you please advise on why the verification might be failing and what additional steps I should take to resolve this issue?