Problem Summary
As of September 1, 2025, Apple's StoreKit certificate endpoints are returning 401 Unauthorized errors for requests that were working perfectly on August 31, 2025.
Affected Endpoints
Both production and sandbox certificate endpoints now require authentication:
- https://api.storekit.itunes.apple.com/certificates
- https://api.storekit-sandbox.itunes.apple.com/certificates
What Was Working Before
const response = await fetch('https://api.storekit.itunes.apple.com/certificates', {
method: 'GET',
headers: {
'Accept': 'application/json',
'User-Agent': 'MyApp-Webhook-Handler/1.0'
}
});
// This worked perfectly until August 31, 2025
Current Error Response
$ curl -v -H "Accept: application/json" https://api.storekit.itunes.apple.com/certificates
< HTTP/2 401
< server: daiquiri/5
< content-type: text/plain
Unauthenticated
Request ID: KJQFUN5NTSSCWU35XBAT4HDXOI.0.0
What Ive Checked
- No changes to my code between August 31 and September 1
- Both production AND sandbox endpoints affected
- Apple Developer account is active (expires 2026)
- No official Apple announcement found in Developer News or documentation
- No mentions in Apple Developer Forums
Context
These endpoints are used for Apple App Store Server-to-Server webhook signature verification. The certificates are needed to validate incoming webhook payloads from Apple, which is critical for processing subscription events.
Questions
- Has anyone else experienced this issue starting September 1, 2025?
- Is there an official Apple announcement I missed?
- What authentication method is now required? (JWT token? App Store Connect API key?)
- Are there alternative endpoints for fetching Apples public certificates?
Additional Details
- Environment: Node.js with Firebase Cloud Functions
- Use Case: Webhook signature verification for App Store Server Notifications
- Timing: Worked August 31, 2025 → Failed September 1, 2025
- Impact: All webhook processing is currently broken
Any insights or solutions would be greatly appreciated!
