# F2 — Sign in with Apple Entitlement Fix
**Date:** 2026-04-27  
**Approach used:** B — ASC API direct calls (Approach A skipped as non-interactive)

## Summary
Successfully enabled "Sign in with Apple" (`APPLE_ID_AUTH`) capability on all required bundle IDs via the ASC REST API. No git changes made. Main repo remains on `main`.

## Per Bundle ID Status

| Bundle ID | Internal ID | Was SIWA enabled? | Action taken |
|---|---|---|---|
| `ai.nanostreet.app.dev` | `P5ZYL6L3UN` | ❌ NO | Enabled via POST `/v1/bundleIdCapabilities` |
| `ai.nanostreet.app.preview` | `Z3Y97KB2N3` | ✅ YES | No action needed |
| `ai.nanostreet.app` (prod) | `BY9UL62S7M` | ❌ NO | Enabled via POST `/v1/bundleIdCapabilities` |

Note: `preview` bundle ID covers both the `preview` and `staging` EAS profiles (they share the same App ID per TASK.md).

## Verification
Final GET on all 3 bundle IDs confirmed SIWA in capabilities list:
- `ai.nanostreet.app.dev`: `['IN_APP_PURCHASE', 'PUSH_NOTIFICATIONS', 'APPLE_ID_AUTH', 'ASSOCIATED_DOMAINS', 'APP_GROUPS']` ✓
- `ai.nanostreet.app.preview`: `['IN_APP_PURCHASE', 'PUSH_NOTIFICATIONS', 'APPLE_ID_AUTH', 'ASSOCIATED_DOMAINS']` ✓
- `ai.nanostreet.app`: `['IN_APP_PURCHASE', 'PUSH_NOTIFICATIONS', 'APPLE_ID_AUTH', 'ASSOCIATED_DOMAINS']` ✓

No other capabilities were modified. `APP_GROUPS` was already present on `.dev` — untouched.

## API Details
- JWT: ES256, kid=`B55Z7M9TJ8`, iss=`93397c87-47a5-4acb-bbe5-565e49823a95`
- POST body required `settings: [{key: "APPLE_ID_AUTH_APP_CONSENT", options: [{key: "PRIMARY_APP_CONSENT"}]}]`  
  (First attempt without settings failed with HTTP 409; settings format sourced from existing preview capability)
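
The request shape and the "no other capabilities were modified" check, as an added example (not the script used for this fix). The JSON:API envelope follows the App Store Connect API's `bundleIdCapabilities` create request; the function names are hypothetical and the sample GET responses are constructed, with the `.dev` "before" list assumed to be the verified list minus `APPLE_ID_AUTH`.

```python
SIWA = "APPLE_ID_AUTH"

def siwa_create_body(bundle_internal_id):
    """JSON:API body for POST /v1/bundleIdCapabilities (hypothetical helper).

    Includes the consent setting; the report's first attempt without it got HTTP 409.
    """
    return {"data": {
        "type": "bundleIdCapabilities",
        "attributes": {
            "capabilityType": SIWA,
            "settings": [{"key": "APPLE_ID_AUTH_APP_CONSENT",
                          "options": [{"key": "PRIMARY_APP_CONSENT"}]}],
        },
        "relationships": {
            "bundleId": {"data": {"type": "bundleIds", "id": bundle_internal_id}},
        },
    }}

def capability_types(get_response):
    """Set of capabilityType values in a bundle ID's capabilities GET response."""
    return {item["attributes"]["capabilityType"] for item in get_response.get("data", [])}

def audit_change(before, after, expected_added=(SIWA,)):
    """Return (ok, added, removed): ok only if exactly expected_added appeared
    and nothing was removed, i.e. no other capability was modified."""
    added, removed = after - before, before - after
    return (added == set(expected_added) and not removed), added, removed

def sample_response(types):
    """Constructed stand-in for a GET response; real responses carry more fields."""
    return {"data": [{"type": "bundleIdCapabilities",
                      "attributes": {"capabilityType": t}} for t in types]}

# Constructed sample for ai.nanostreet.app.dev: "after" is the list verified in the
# report; "before" is assumed to be the same list without APPLE_ID_AUTH.
DEV_AFTER = sample_response(["IN_APP_PURCHASE", "PUSH_NOTIFICATIONS", SIWA,
                             "ASSOCIATED_DOMAINS", "APP_GROUPS"])
DEV_BEFORE = sample_response(["IN_APP_PURCHASE", "PUSH_NOTIFICATIONS",
                              "ASSOCIATED_DOMAINS", "APP_GROUPS"])

if __name__ == "__main__":
    import json
    print(json.dumps(siwa_create_body("P5ZYL6L3UN"), indent=2))
    ok, added, removed = audit_change(capability_types(DEV_BEFORE),
                                      capability_types(DEV_AFTER))
    print("only SIWA added:", ok, "| added:", sorted(added), "| removed:", sorted(removed))
```

For a bundle ID that already had the capability (such as `preview`), pass `expected_added=()` so any added or removed capability is flagged.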

## Next Steps
EAS will pick up the new App ID capabilities when provisioning profiles are regenerated. Two paths to regeneration (items 1 and 2), followed by a build (item 3):

1. **Auto-regeneration** — next `eas build --profile development` will detect the profile is stale and regenerate automatically.
2. **Force regeneration now** — run:
   ```
   eas credentials -p ios --profile development
   # → "Build credentials → Manage everything → Provisioning Profile → Remove → Create new"
   ```
   Repeat for `--profile production` if needed. `preview`/`staging` already have working profiles.

3. **Trigger a build** — once PR #205 (sdk-fix expo-dev-client) merges to main:
   ```
   gh workflow run build-dev.yml --ref main
   ```
   iOS build should succeed without the provisioning profile entitlement error.

## Blocker / Follow-up
None. All capabilities enabled and verified. Apple propagation should be near-instant for ASC API changes.
