I'm successfully using Apple subscriptions in my app, but I'm encountering SKErrorCodeDomain error 18 when trying to apply a subscription offer. I want apply offer code first time only for subscription. Below are details of what i set in appstore and what i have tested. Subscription Offer Details Offer Type: For the first month Customer Eligibility: New, Existing, and Expired Subscribers Code Status: Active Offer Code Creation Steps: App Store Connect → App → Subscription → Select Subscription Product → Offer Codes → Add → Add Custom Codes Signature Generation for Promotional Offers I'm following Apple's documentation to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers I’ve constructed the payload as instructed: appBundleId + '\u2063' + keyIdentifier + '\u2063' + productIdentifier + '\u2063' + offerIdentifier + '\u2063' + appAccountToken + '\u2063' + nonce + '\u2063' + timestamp Keys and Identifiers keyIdentifier, issuerId, and .p8 file are obtained from: App Store Connect → Users and Access → Integrations → In-App Purchase Test user created under: App Store Connect → Users and Access → Sandbox → Test Accounts Logged in with this account on the iPhone What I’ve Tried Verified all values used in the payload are correct Tried both seconds and milliseconds for the timestamp (as per documentation, it should be in milliseconds) Tried setting appAccountToken to: a valid UUID an empty string not setting it at all Used Apple’s sample code to generate a signature: https://developer.apple.com/documentation/storekit/generating-a-promotional-offer-signature-on-the-server Verified the generated signature locally, and it validated successfully: https://developer.apple.com/documentation/storekit/generating-a-signature-for-promotional-offers#Validate-locally-and-encode-the-signature Apple’s sample code to generate a signature Downloaded from const express = require('express'); const router = express.Router(); const crypto = require('crypto'); const ECKey = require('ec-key'); const secp256k1 = require('secp256k1'); const uuidv4 = require('uuid/v4'); const KeyEncoder = require('key-encoder'); const keyEncoder = new KeyEncoder('secp256k1'); const fs = require('fs'); function getKeyID() { return "KEYIDXXXXX"; } router.post('/offer', function(req, res) { const appBundleID = req.body.appBundleID; const productIdentifier = req.body.productIdentifier; const subscriptionOfferID = req.body.offerID; const applicationUsername = req.body.applicationUsername; const nonce = uuidv4(); const currentDate = new Date(); const timestamp = currentDate.getTime(); const keyID = getKeyID(); const payload = appBundleID + '\u2063' + keyID + '\u2063' + productIdentifier + '\u2063' + subscriptionOfferID + '\u2063' + applicationUsername + '\u2063'+ nonce + '\u2063' + timestamp; // Get the PEM-formatted private key string associated with the Key ID. // const keyString = getKeyStringForID(keyID); // Read the .p8 file const keyString = fs.readFileSync('./SubscriptionKey_47J5826J8W.p8', 'utf8'); // Create an Elliptic Curve Digital Signature Algorithm (ECDSA) object using the private key. const key = new ECKey(keyString, 'pem'); // Set up the cryptographic format used to sign the key with the SHA-256 hashing algorithm. const cryptoSign = key.createSign('SHA256'); // Add the payload string to sign. cryptoSign.update(payload); /* The Node.js crypto library creates a DER-formatted binary value signature, and then base-64 encodes it to create the string that you will use in StoreKit. */ const signature = cryptoSign.sign('base64'); /* Check that the signature passes verification by using the ec-key library. The verification process is similar to creating the signature, except it uses 'createVerify' instead of 'createSign', and after updating it with the payload, it uses `verify` to pass in the signature and encoding, instead of `sign` to get the signature. This step is not required, but it's useful to check when implementing your signature code. This helps debug issues with signing before sending transactions to Apple. If verification succeeds, the next recommended testing step is attempting a purchase in the Sandbox environment. */ const verificationResult = key.createVerify('SHA256').update(payload).verify(signature, 'base64'); console.log("Verification result: " + verificationResult) // Send the response. res.setHeader('Content-Type', 'application/json'); res.json({ 'keyID': keyID, 'nonce': nonce, 'timestamp': timestamp, 'signature': signature }); }); module.exports = router; Postman request and response Request URL: http://192.168.1.141:3004/offer Request JSON: { "appBundleID":"com.app.bundleid", "productIdentifier":"subscription.product.id", "offerID":"OFFERCODE1", "applicationUsername":"01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" } Response JSON: { "keyID": "KEYIDXXXXX", "nonce": "f98f2cda-c7a6-492f-9f92-e24a6122c0c9", "timestamp": 1753510571664, "signature": "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz" } Xcode Code func buy(_ product: SKProduct) { let discountOffer = SKPaymentDiscount( identifier: "OFFERCODE1", keyIdentifier: "KEYIDXXXXX", nonce: UUID(uuidString: "f98f2cda-c7a6-492f-9f92-e24a6122c0c9")!, signature: "MEYCIQCnA8UGWhTiCF+F6S55Zl6hpjnm7SC3aAgvmTBmQDnsAgIhAP6xIeRuREyxxx69Ve/qjnONq7pF1cK8TDn82fyePcqz", timestamp: 1753510571664) let payment = SKMutablePayment(product: product) payment.applicationUsername = "01234b43791ea309a1c3003412bcdaaa09d39a615c379cc246f5f479760629a1" payment.paymentDiscount = discountOffer SKPaymentQueue.default().add(payment) } Issue Even following instructions to the documentation and attempting various combinations, the offer keeps failing with SKErrorCodeDomain error 18. Has anyone else experienced this? Any suggestions as to what may be amiss or how it can be corrected?

I am working on implementing merchant token notifications. When calling this endpoint https://developer.apple.com/documentation/merchanttokennotificationservices/merchant-token-event-retrieval, the result contains a CardMetadata object with an expirationDate field (see https://developer.apple.com/documentation/merchanttokennotificationservices/cardmetadata). What is the format of this field? The spec only mentions that it has a maximum length of 8 characters.

Hello, we have problem. Kind regards, -Martin

Hello, we are experiencing issues with adding VISA cards via In-App Provisioning on iOS using PassKit. The same flow works correctly with Mastercard, but for VISA cards the Apple broker endpoint returns HTTP 500. Details Device: iPhone15,3 (iPhone 15 Pro), iOS 18.6.1 (22G90) Region: CZ App: [REDACTED] (version 0.4.3) Issuer ID: [REDACTED] Merchant ID and entitlements are configured and validated. SEID: [REDACTED] Request flow GET /broker/v4/devices/{SEID}/issuerProvisioningCertificates?encryptionVersion=EV_ECC_v2 Request ID: B61363A8-0BFF-4CD6-92BC-52C461DFFAAD Response: 200 OK Conversation ID: e12c64c9a0b54981adfad8d00800d836 Returned nonce: [REDACTED] Timestamp: 2025.08.21_14-01-46+0200 POST /broker/v4/devices/{SEID}/cards Request ID: F29B73CA-CDDE-4C0C-9F40-B87AE006FDDD Payload fields present (values redacted): encryptedCardData [REDACTED], ephemeralPublicKey [REDACTED], publicKeyHash [REDACTED], nonce [REDACTED], issuerIdentifier [REDACTED], encryptionVersion=EV_ECC_v2 Response: 500 Internal Server Error (latency ~0.41s) Timestamp: 2025.08.21_14-01-47+0200 Observation Provisioning succeeds with Mastercard but consistently fails with VISA. The GET issuerProvisioningCertificates succeeds; the POST …/cards returns 500. Request Could you please: Provide internal error details for Request ID F29B73CA-CDDE-4C0C-9F40-B87AE006FDDD (and/or Conversation ID e12c64c9a0b54981adfad8d00800d836), Confirm whether the 500 originates before or after the broker’s call to VTS (Visa Token Service), and Validate that our app/merchant/issuer configuration is fully enabled for VISA push provisioning in our region. Attached privately: sysdiagnose with full traces (can share via secure channel upon request). Kind regards, Martin

Hello, We are experiencing a consistent delay when initiating Apple Pay sessions using the https://apple-pay-gateway.apple.com/paymentservices/startSession endpoint. Below is a detailed overview of our setup and the issue. Setup Our web service is hosted in AWS and there is a proxy server between our web service and Apple servers. We are passing the correct domain in the initiativeContext field of the startSession request. The .well-known/apple-developer-merchantid-domain-association file is hosted on a different domain, which is also correctly configured and associated with our merchant ID in the Apple Developer portal. Observed Behavior When the same request is made from a local development environment, Apple responds immediately (under 1 second). When the request is made from our AWS-hosted service, Apple responds with a valid session, but only after a consistent ~15-second delay. The content and response are otherwise identical — only the timing differs. We would appreciate any insights or suggestions from others who have faced similar behavior or from the Apple Pay team. Thank you in advance!

We have implemented In-App Provisioning, but when I start the tokenization process, I receive an error before the terms and conditions. We are testing with a version of the app on TestFlight. The error message is: Could not add card. Try again later or contact your card issuer for more information. Could you please help me?

Hi team, I'm currently trying to add a specific subdomain (with a path) to Apple's Sandbox domain list, but it seems Apple only allows the main domain to be entered. Due to strict client security policies, we aren't allowed to use just the main domain, which is creating a roadblock in our implementation. Is there any way to add a full subdomain or URL path to the Sandbox configuration? I'm happy to join a call to explain the scenario further if that would help. Thanks in advance for your support!

Hi, I set up a Sandbox Tester account in my company’s Apple Developer Program and signed in on my iPhone under Settings → App Store → Sandbox Account. When I go to Wallet → Add, I only see options for Credit or Debit Card or Travel Card. The option to add an Apple Pay Sandbox Card is missing, and when I try entering the test card numbers from Apple’s documentation (developer.apple.com/apple-pay/sandbox-testing), the card is not valid. Has anyone experienced this and found a solution? Thanks! PS: I can't post this to Wallet Category, I keep getting error that it contains sensitive text.

Hello, I am experiencing an issue with the Apple Pay capability on my App ID. I have created a Merchant ID. I enabled Apple Pay in the App ID configuration and linked it to the merchant. However, sometimes when I revisit the App ID in the Apple Developer portal, the Apple Pay capability appears disabled, even though I saved it. This happens intermittently; at some times the capability is correctly shown as enabled, and other times it disappears. Context: I am using Expo Managed Workflow with EAS Build for iOS. The issue prevents the provisioning profile from including Apple Pay, which causes Stripe isPlatformPaySupported function to return false on ios devices. Attached: Screenshots of the App ID page showing Apple Pay enabled and disabled. Could you please advise why the capability is not being consistently saved, and how to ensure it stays enabled? Thank you,

Hello everyone. I encountered a problem when integrating Apple Pay. I obtained all the renewal orders through the Apple interface, and their purchaseDate is 8 hours later than the actual payment time. Why is this happening? According to the documentation, the purchaseDate value provided by Apple is a millisecond timestamp that represents the actual payment time of the user, so theoretically there shouldn’t be any timezone issues. This works well in client-initiated subscriptions, but in renewal scenarios, the purchaseDate becomes unreliable. Could this be due to some configuration in the configuration center? For example, I actually received an Apple notification at 1746686911000 (2025-05-08 06:48:31 Etc/GMT). However, the data returned by the Apple interface is as shown below: { "appAccountToken": "xxxx", "bundleId": "xxxx", "currency": "GBP", "environment": "Production", "expiresDate": 1762616831000, "inAppOwnershipType": "PURCHASED", "isUpgraded": false, "offerDiscountType": "", "offerIdentifier": "", "offerType": 0, "originalPurchaseDate": 1746456432000, "originalTransactionId": "320002311698411", "price": 39990, "productId": "xxxx", "purchaseDate": 1746715631000, "quantity": 1, "revocationDate": 0, "revocationReason": 0, "signedDate": 1746687092825, "storefront": "GBR", "storefrontId": "xxxx", "subscriptionGroupIdentifier": "xxxx", "transactionId": "320002315815857", "transactionReason": "RENEWAL", "type": "Auto-Renewable Subscription", "webOrderLineItemId": "320001062124562" } You can see that the purchaseDate is 1746715631000 (2025-05-08 14:48:31 Etc/GMT), which is even later than the current time. Can someone explain this behavior that is inconsistent with the documentation, or did I do something wrong? I would be very grateful for any help anyone can provide.

Hi Everyone, My team is working on an online marketplace for FMBs in Saudi Arabia (with a plan to expand to other markets later). We are currently working on integrating multiple payment gateways with embedded Apple Pay support into our platform. We’ve encountered an issue with the apple-developer-merchantid-domain-association file. Based on advice from one of our payment partners, we've ensured that the domain association file is uploaded in the correct format. This works successfully with our first payment gateway. However, for the additional payment gateways we are integrating, we would also like to enable Apple Pay with embedded support. The challenge is that each payment gateway requires its own domain verification, but the verification file uses the same file name. This prevents us from supporting multiple gateways on the same domain. Has anyone in the house been able to implement a similar solution, or know how we can best implement this? Please, I'll appreciate advise on how we can configure Apple Pay domain verification to support multiple payment gateways on the same domain? Any specific guidance or best practices would be greatly appreciated. Best regards,

We are integrating iOS 16 recurring payments in our app, everything works fine but we have a few questions Question 1 let recurringPaymentRequest = PKRecurringPaymentRequest(         paymentDescription: "Pro Membership",         regularBilling: regularBilling,         managementURL: url       ) we assume managementURL is supposed to come in the user's wallet where he/she can tap to change the recurring payment option to our backend, but in the wallet, the transaction appears without this URL and have no indication that it is a recurring payment, Can someone guide what we missed Question 2 For apps that only have apple pay on mobile, managementURL can open the app as a deep link from the Wallet app and the user can update or delete the payment method for the automatic reload payment from the app directly, Question 3 For cancellation, the recurring payment app should have some UI where the user can tap which hit our backend and remove the apple pay merchant token from our system and apply cancellation business logic, no apple API involves in the cancellation of recurring payment

We are encountering an issue where Apple Pay shows an unexpected popup with a message and an "OK" button when confirming a payment (after double-tapping the power button). This issue began appearing last week without any changes to the codebase or configurations. Steps to Reproduce: Open the app and initiate an Apple Pay payment. Add a valid card if not already present. Confirm the payment using the side button (double-tap). Instead of completing the transaction, a popup appears with a generic message and an "OK" button. Expected Behavior: Apple Pay should process the payment and provide a confirmation or error based on the transaction status. Actual Behavior: A popup appears with a generic title and an “OK” button. The transaction is not processed. Environment Details: Platform: iOS Apple Pay integration has been functioning correctly for years No recent updates to Apple Pay-related code or configuration Configurations Checked: App Identifier is correctly set with the bundle ID Apple Pay Payment Processing is enabled in the App ID configuration Correct Merchant ID is selected and matches in Xcode capabilities *.entitlements file contains correct Apple Pay entitlement Payment Processing Certificates are valid and in place Additional Notes: The issue appeared suddenly without any modifications to the app. We suspect it may be due to external changes (e.g., Apple system update or merchant validation issue). Please advise on any further steps we can take to diagnose or resolve this issue.

When integrating the Wallet Extension, after clicking my app icon from the "From Apps on Your iPhone" list, I encountered the message: "Cannot Add Card. 'XXX' is not responding. Wait a few minutes and try again. If the problem continues, contact the card issuer's customer service" instead of the configured login page appearing as expected. What could be causing this issue, and how should I resolve it?

When integrating the Wallet Extension, after clicking my app icon from the "From Apps on Your iPhone" list, I encountered the message: "Cannot Add Card. '***' is not responding. Wait a few minutes and try again. If the problem continues, contact the card issuer's customer service" instead of the configured login page appearing as expected. What could be causing this issue, and how should I resolve it?

Apple Pay processed a transaction but the account has insufficient funds. Later the transaction is declined. Is it expected from Apple Pay? Does Apple Pay throws an error if the account has insufficent funds- iOS Swift ? Does anyone know the code to handle this scenario in Swift iOS?

Hi team, We were wondering what's the correct way of configuring a test environment with Apple Pay. Not sure if this is explicitly mentioned in the documentation, but in order to avoid having the same certificates shared between test and production, should we have a different merchant identifier (and pair of certificates) for test purposes only? The above is the main question. However, two follow up questions: Do you know if payment processors usually allow the merchant ID to be configured, so that only payments generated with the prod certificates can be accepted? Is there any risk of someone getting hold of the certificates generated for the test environment (which are usually less safe than production) and using that to process payments in production?

During checkout at apple.com using a non-supported Apple Pay on the Web browser, apple.com presents a QR like code offering to "Scan Code with iPhone" to pay. The payment continues using Apple Pay on the iPhone after scan. We already offer Apple Pay and Apple Pay on the Web. Is this QR code option available for us for non-supported browsers? Could you point me to the docs to add it? Thank you.

Hello, I am looking for some help on how to use the Apple Pay Web Merchant Registration API. Have been approved to use the API and attempted to test on a merchant ID set up for testing. Below are steps taken before the request. Create merchant ID com.test.merchant. Create Apple Pay Merchant Identity Certificate for using it with the request via p12. Create Platform Integrator platformintegrator.com.test With the below request, I am getting a 401. Any input would be much appreciated! curl --cert-type P12 --cert cert.p12:{password} -i -d '{\ "domainNames":["customer.test.com"],\ "partnerMerchantName": "customer.test.com",\ "partnerInternalMerchantIdentifier":"customer.test.com"}'\ "encryptTo":"com.test.merchant",\ https://apple-pay-gateway-cert.apple.com/paymentservices/registerMerchant The response: { "statusMessage": "Payment Services Exception Unauthorized", "statusCode": "401" } Also tried using the platformintegrator.com.test for the encryptTo but resulted in a 401 as well.

Hello, I'm experiencing an irregular issue with Apple Pay merchant domain verification. As you know, Apple requires domain verification every two months to maintain Apple Pay functionality. The problem is that while the verification sometimes happens automatically without any issues, other times it fails to complete, even though the required file "apple-developer-merchantid-domain-association.txt" is correctly available on our server. When automatic verification fails, the Apple Pay service becomes non-functional on our website, forcing us to perform a manual verification to restore the pending service. Is it normal to encounter such inconsistent automatic verification processes? What could be causing these intermittent verification failures, whereas manual verification always succeed? suggesting this might not be related to IP address restrictions described on the Apple documentation. Thank you in advance,