FlowConsent

FlowConsent is a GDPR-compliant cookie consent management platform.


© 2026 FlowConsent by BeBranded. All rights reserved.


Apple Sign-in

Essential · Website


What does Apple Sign-in do?

Sign in with Apple is Apple's OAuth 2.0 and OpenID Connect identity provider. It lets visitors log in to websites and apps with their Apple ID, optionally hiding their email via a relay address.

Sign in with Apple is Apple's identity provider, available since 2019. It implements OAuth 2.0 and OpenID Connect and is required for iOS apps that offer third-party social sign-in. On the web it is delivered as the Sign in with Apple JS SDK or via direct OAuth redirects to appleid.apple.com. The service is positioned as a privacy-first alternative to Google and Facebook social login.

What Apple Sign-in does

The website renders a Sign in with Apple button. On click, the user is redirected to appleid.apple.com, authenticates with their Apple ID (password plus biometrics or 2FA), and authorises the requested scopes (name and email). Apple returns an OAuth authorization code that the website exchanges for an ID token and a refresh token signed by Apple. The flow is identical to standard OpenID Connect.

Cookies and data collected

The Sign in with Apple JS SDK can set a small first-party cookie on the merchant domain to remember the sign-in state. The bulk of the cookies live on appleid.apple.com (s_pers, dssid2, dssf, geo). The merchant receives a stable Apple user identifier (sub), the user's email (real or a privaterelay.appleid.com address) and their name on first authorisation.

GDPR and ePrivacy implications

The OAuth flow is initiated by the user and processes data under contract performance (Article 6(1)(b) GDPR). Cookies set strictly to complete the sign-in are considered strictly necessary under Article 5(3) ePrivacy. Any analytics cookies dropped by the Sign in with Apple JS SDK on the button page are not strictly necessary and require consent. Apple acts as an independent controller for its own account management and as a processor for the assertion you receive.


Data transfers to the United States

Apple operates appleid.apple.com globally, with EU and US infrastructure. OAuth tokens may be validated through US data centres. Apple is certified under the EU-US Data Privacy Framework. Transfers also rely on Standard Contractual Clauses. Document the transfer in your record of processing activities.

How to deploy it compliantly

Implement Sign in with Apple via the official SDK, request only the scopes you need (name, email), and handle the privaterelay.appleid.com address as a real email for transactional purposes. Disclose Apple in your privacy notice as an authentication processor with a US transfer mechanism. Offer at least one alternative authentication method to respect freedom of choice.
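The code exchange described under "What Apple Sign-in does" ends with an ID token that the site must validate server side, and the deployment guidance above asks for the relay address to be handled as a real email. The Python below is an added example, not FlowConsent's or Apple's code: it checks the ID token's claims (issuer, audience, expiry, session-bound nonce) after the RS256 signature has been verified against Apple's JWKS, which is assumed to have been done already, and flags privaterelay.appleid.com addresses. The client ID, nonce and sample claims are constructed values.

```python
import base64
import json
import time

# Added example (not FlowConsent's or Apple's code): relying-party checks on an
# Apple ID token after the code exchange. RS256 signature verification against
# Apple's JWKS (https://appleid.apple.com/auth/keys) is assumed done beforehand.
APPLE_ISSUER = "https://appleid.apple.com"
RELAY_DOMAIN = "privaterelay.appleid.com"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token_payload(id_token):
    # Returns the claims of a compact JWT; refuses anything not labelled RS256.
    header, payload, _signature = id_token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("unexpected alg in ID token header")
    return json.loads(_b64url_decode(payload))

def validate_apple_claims(claims, client_id, expected_nonce, now=None):
    # client_id is your Services ID; expected_nonce is the value your site tied
    # to this user's session, so a token replayed into another session fails.
    now = int(time.time()) if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token issued for a different client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    email = claims.get("email") or ""
    # Apple sends email_verified / is_private_email as bool or the string "true".
    is_relay = claims.get("is_private_email") in (True, "true") \
        or email.lower().endswith("@" + RELAY_DOMAIN)
    return {
        "sub": claims["sub"],          # stable Apple user id: key the account on it
        "email": email or None,        # relay or real, both are deliverable
        "is_relay": bool(is_relay),
        "email_verified": claims.get("email_verified") in (True, "true"),
    }

def constructed_sample_token(claims):
    # Constructed for this example only: a real token carries an RS256 signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "example"}), enc(claims), "sig"])
```

Store the returned sub as the account key and the email (relay or real) as the delivery address; never key accounts on the email, since a user can revoke the relay.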

GDPR consent category

Essential

Websites using Apple Sign-in must obtain user consent under GDPR regulations.

Legal basis: Contract performance (Art. 6(1)(b) GDPR) for the sign-in initiated by the user; consent (Art. 6(1)(a)) for any non-strictly-necessary cookies on the button page
Risk level: low
Applicable regulations: GDPR, ePrivacy Directive, EU-US Data Privacy Framework, App Store and Apple Developer Program License Agreement

DPIA considerations

A DPIA is usually not required for a standard OAuth integration. It can be useful when Apple Sign-in is the only sign-in option (accessibility, lock-in), or when the application combines it with extensive profiling. Document the scopes requested, the email handling (real address vs relay), and the US transfer mechanism.

Sample consent text

Sign in with Apple is an authentication service operated by Apple. We use it to let you create an account or sign in with your Apple ID. Apple sets cookies on the Apple ID domain and processes your identity tokens in the EU and the United States. This is necessary for the sign in flow you initiated and does not require additional consent.

Technical details

Tracking method: OAuth 2.0 and OpenID Connect flow with Apple ID, JavaScript SDK for the Sign in with Apple JS button, server-side token validation
Server location: Apple infrastructure operated globally with EU and US presence; OAuth token validation against appleid.apple.com
Data transferred outside the EU: Sign in with Apple is operated by Apple Inc (US). OAuth tokens and identity assertions flow through Apple servers in the EU and the US. Transfers rely on the EU-US Data Privacy Framework (Apple is certified) and on Standard Contractual Clauses combined with a Transfer Impact Assessment.

Third-party domains contacted

  • appleid.apple.com
  • appleid.cdn-apple.com
  • idmsa.apple.com
  • privaterelay.appleid.com

Cookies placed

Name   | Type        | Duration | Purpose
aasp   | http_cookie | Session  | State cookie set by the Sign in with Apple SDK on the merchant domain to bind the OAuth callback to the originating session.
s_pers | http_cookie | 2 years  | Apple analytics cookie set on appleid.apple.com to recognise returning Apple ID sessions.
dssid2 | http_cookie | Session  | Apple session identifier used during the Apple ID authentication.
dssf   | http_cookie | Session  | Apple fraud prevention cookie used during the Apple ID authentication flow.
geo    | http_cookie | Session  | Stores the region detected by Apple for the current Apple ID session.


Frequently asked questions

What cookies does Apple Sign-in set?

The Sign in with Apple JS SDK can set a small first-party cookie on the merchant domain to remember the sign-in state. The main cookies live on appleid.apple.com (s_pers, dssid2, dssf, geo) and are necessary to complete the OAuth flow.

Does Apple Sign-in require GDPR consent?

The cookies set strictly to complete the sign-in benefit from the strictly necessary exemption of Article 5(3) ePrivacy. The processing of the OAuth flow relies on contract performance once the user initiates it. Analytics or marketing cookies that the SDK loads beyond the strictly necessary scope require consent.

What is the legal basis for processing?

Contract performance under Article 6(1)(b) GDPR once the user clicks the Sign in with Apple button. Consent under Article 6(1)(a) for any additional non-strictly-necessary cookies on the button page.

Are data transferred outside the EU?

Yes. Apple Inc is a US company and operates appleid.apple.com globally with EU and US data centres. OAuth tokens may be validated in the United States. Apple is certified under the EU-US Data Privacy Framework and offers SCCs.

Do I need a DPIA?

A DPIA is usually not required for a standard OAuth integration. It becomes useful when Apple Sign-in is the only sign-in option (which raises accessibility and lock-in concerns) or when the application combines it with extensive profiling.

How do I implement Apple Sign-in compliantly?

Use the official SDK, request only the scopes you need (name, email), respect the privaterelay.appleid.com address as a real email for transactional purposes, disclose Apple in the privacy notice, and offer at least one alternative authentication method.

Are there alternatives to Apple Sign-in?

Alternatives include email and password with magic links, Google Sign-in, Microsoft Account, Sign in with passkey (WebAuthn), GitHub OAuth, and identity providers like Auth0, Clerk, Stytch, Okta or Keycloak. Pick based on audience and regulatory requirements.

How do I update my cookie policy for Apple Sign-in?

List the small first-party cookie set by the JS SDK as strictly necessary and reference appleid.apple.com cookies as third-party authentication cookies. Mention Apple as authentication provider, the US transfer mechanism, and link to Apple's privacy notice.