Drawback Abstract
As of September 1, 2025, Apple’s StoreKit certificates endpoints are returning 401 Unauthorized errors for requests that have been working completely on August 31, 2025.
Affected Endpoints
Each manufacturing and sandbox certificates endpoints now require authentication:
What Was Working Earlier than
const response = await fetch('https://api.storekit.itunes.apple.com/certificates', {
methodology: 'GET',
headers: {
'Settle for': 'utility/json',
'Person-Agent': 'MyApp-Webhook-Handler/1.0'
}
});
// This labored completely till August 31, 2025
Present Error Response
$ curl -v -H "Settle for: utility/json" https://api.storekit.itunes.apple.com/certificates
< HTTP/2 401
< server: daiquiri/5
< content-type: textual content/plain
Unauthenticated
Request ID: KJQFUN5NTSSCWU35XBAT4HDXOI.0.0
What Ive Checked
- No modifications to my code between August 31 and September 1
- Each manufacturing AND sandbox endpoints affected
- Apple Developer account is energetic (expires 2026)
- No official Apple announcement present in Developer Information or documentation
- No mentions in Apple Developer Boards
Context
These endpoints are used for Apple App Retailer Server-to-Server webhook signature verification. The certificates are wanted to validate incoming webhook payloads from Apple, which is important for processing subscription occasions.
Questions
- Has anybody else skilled this subject beginning September 1, 2025?
- Is there an official Apple announcement I missed?
- What authentication methodology is now required? (JWT token? App Retailer Join API key?)
- Are there different endpoints for fetching Apples public certificates?
Further Particulars
- Atmosphere: Node.js with Firebase Cloud Capabilities
- Use Case: Webhook signature verification for App Retailer Server Notifications
- Timing: Labored August 31, 2025 → Failed September 1, 2025
- Affect: All webhook processing is at present damaged
Any insights or options could be significantly appreciated!