RORK LABJP
TOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the roundTOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the round
Articles/Dev Tools
Dev Tools/2026-05-03Advanced

Sign in with Apple in Rork: Server-Side Verification, Account Linking, and the Mandatory Deletion Flow

Dropping a Sign in with Apple button into your Rork app and shipping it is the fastest path to a rejection. This guide walks through the full picture: nonce hashing, server-side ID token verification with Apple's JWKs, the mandatory account deletion flow, and the often-forgotten revoke_token call back to Apple.

Sign in with Apple2Authentication8JWT3App Store Review8Cloudflare Workers24

Premium Article

"I added a Sign in with Apple button and shipped it — and got rejected." If you build with Rork as a solo developer, this story shows up surprisingly often. My very first app went through two rejections before finally clearing review on the third attempt. The reviewer's note was terse, and I had to reverse-engineer what was actually missing.

This guide is the document I wish I had on attempt one. We'll build the full implementation that pairs cleanly with Rork's code generation: expo-apple-authentication on the client, plus a Cloudflare Workers backend doing the JWS verification, nonce check, and the account deletion flow (with the revoke_token call to Apple). We'll also touch on Guideline 4.8 — the rule that forces you to offer Sign in with Apple alongside any third-party social login.

Why a "button-only" implementation will never pass

Sign in with Apple isn't just another OAuth provider. Apple's App Store Guidelines spell out exactly how it must be implemented in 4.8 and 5.1.1(v). Here are the specific traps that bit me:

  • Guideline 4.8: If your app uses a third-party authentication service (Google, Facebook, Twitter, etc.), you must also offer Sign in with Apple "as an equivalent option." "Equivalent" includes UI presentation. Tucking the Apple button in a smaller box at the bottom of the screen is grounds for rejection
  • Guideline 5.1.1(v): Apps that allow account creation must let users delete their account from inside the app. This became fully mandatory in June 2022. Users must be able to reach the delete flow within 2–3 taps from somewhere in your settings
  • The understated footnote in Apple's docs: Once you obtain the identityToken, you are required to verify the JWS signature on the server using Apple's public keys. Trusting the email field returned to the client and writing it straight into your database is not a production implementation

If you nail those three points, Sign in with Apple rejections essentially disappear. The rest of this article shows working code for each of them.

The full picture: four layers, each with a clear job

Before writing any code, get the layer model in your head. Without this mental map, debugging becomes "something is broken somewhere," which is the worst place to start.

  • Layer 1 — User interaction (the React Native screen Rork generates for you): Renders the Sign in with Apple button, calls AppleAuthentication.signInAsync(), and receives back the identityToken and authorizationCode
  • Layer 2 — Client preprocessing: Generates a nonce, hashes it with SHA-256, and passes the hashed value into the sign-in call. Never trusts what the user-side claims; always forwards the data to the server for verification
  • Layer 3 — Server verification (Cloudflare Workers + Hono): Pulls Apple's public keys from the JWKs endpoint, verifies the JWT signature, checks aud/iss/nonce/expiry/sub, and only then issues your own session token
  • Layer 4 — Deletion flow: When the user taps "Delete account" inside the app, you not only purge their data from your DB; you also call Apple's revoke_token endpoint to tear down the auth association. Skip this and a ghost entry sits forever under "Settings → Apple ID → Apps Using Your Apple ID"

We'll implement these in order. The server examples use Cloudflare Workers, but the same shape works on Vercel Edge Functions or AWS Lambda.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
Indie developers who got rejected for 'just dropping in a Sign in with Apple button' will leave with a production-grade implementation, including server-side ID token verification, in a single sitting
You'll learn the implementation pressure points: fetching Apple's public keys to verify the JWT, passing the nonce as a hashed value while keeping the raw on the server, and surviving the trap that email is only returned on the very first sign-in
You'll have a complete account deletion flow that satisfies App Store Guideline 5.1.1(v) end-to-end, including the revoke_token call to Apple, eliminating an entire class of rejection risk from your release pipeline
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Dev Tools2026-04-24
Adding Sign in with Apple to Your Rork App — What Review Actually Requires and Where People Get Stuck
A practical walkthrough for adding Sign in with Apple to an existing Rork app. Covers the exact Guideline 4.8 requirements that reject Google/Facebook-only apps, the non-obvious parts of expo-apple-authentication, backend token verification with identityToken, and the account deletion requirement most tutorials skip.
Dev Tools2026-04-02
Building a Production-Ready REST API with Rork, Hono.js & Cloudflare Workers — JWT Auth, D1, R2, and Rate Limiting
Build a production-grade REST API for your Rork app with Hono.js and Cloudflare Workers — JWT auth, D1 SQLite, R2 storage, and rate limiting, all from scratch.
Dev Tools2026-07-11
Verifying StoreKit 2 Signed Transactions in a Cloudflare Worker
If you trust whatever the device says about its purchase state, a tampered entitlement walks right through. This walks through verifying StoreKit 2 signed transactions (JWS) in a Cloudflare Worker so you grant entitlements without trusting the client, with working code.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →