Client error: POST https://appleid.apple.com/auth/token resulted in a 400 Bad Request response: {"error":"invalid_client","email_verified":false}

JWT token

<?php
require 'vendor/autoload.php';

use Firebase\JWT\JWT;

$teamId = 'xyz';
$clientId = 'xyz';
$keyId = 'xyz';
$authKey = file_get_contents('xyz.p8');

$now = time();
$payload = [
    'iss' => $teamId,         // Issuer (your team ID)
    'iat' => $now,            // Issued at (current time)
    'exp' => $now + 86400 * 180, // Expiration (6 months)
    'aud' => 'https://appleid.apple.com',
    'sub' => $clientId        // Subject (your client ID)
];

$header = [
    'alg' => 'ES256',
    'kid' => $keyId
];

$jwt = JWT::encode($payload, $authKey, 'ES256', $keyId, $header);

echo $jwt;

I recreated my JWT token to make sure it was not expired and I made sure the ES256 algorithm was being used.

Has anyone with this issue found a solution?

Acceptance Criteria

• invalid_client error from Apple's token endpoint is caught and a user-friendly message is returned
• Root cause is documented: likely misconfigured client_secret or expired key
• Package includes validation/helper for client_secret generation to prevent this error

Test Coverage

• Unit test: invalid_client response from Apple is handled gracefully (no unhandled exception)
• Integration test: descriptive error is surfaced to the application when Apple returns 400

WSJF Priority Score

• Score: 2.75
• User/Business Value: 7
• Time Criticality: 8
• Risk Reduction/Opportunity Enablement: 8
• Calculation: (7 + 8 + 8) ÷ size