Heimdall — Sign in with Apple

Add Sign in with Apple to any Heimdall app: native iOS and macOS support, a web redirect flow, account linking by verified email, and audit and webhook events on every sign-in.

Heimdall now speaks Apple ID. Configure your Apple Services ID, bundle IDs, and signing key once per app under /v1/apps/:appId/auth-config/providers/apple, and your customers sign in with the system "Sign in with Apple" sheet on every Apple platform — no SDK, no PKCE dance to bolt on yourself.

Two integrations, same backend. Native iOS / macOS apps post the ID token straight to POST /:appSlug/v1/auth/oauth/apple after the user finishes the Apple sheet. Web apps redirect to GET /:appSlug/v1/auth/oauth/apple/authorize?return_to=… and pick up a single-use code on the callback that they exchange for tokens server-side via POST /:appSlug/v1/auth/oauth/exchange. Access and refresh tokens never travel through URLs or browser history.

Linking policy is yours. When an Apple sign-in lands on an email that already has a password account in your app, you choose what happens: confirm (default, safe — returns a typed link_required error so your UI can ask the user to sign in with their original method first), auto (link silently if the provider says the email is verified and isn't a private relay), or reject. Private-relay @privaterelay.appleid.com emails never auto-link regardless — they aren't deliverable through your channels.
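
The linking decision described above, as an added sketch that is not Heimdall's own code. The names decide_link and Outcome are hypothetical, the ID token is assumed to be already validated, and falling back to link_required when an auto check fails is an assumption; email_verified and is_private_email are the Apple ID token claims, which Apple may send as booleans or as strings.

```python
from enum import Enum

RELAY_SUFFIX = "@privaterelay.appleid.com"  # relay domain named in the release note


class Outcome(Enum):  # hypothetical names, not Heimdall's API
    SIGNUP = "signup"                # no existing account uses this email
    LINK = "link"                    # attach the Apple identity silently
    LINK_REQUIRED = "link_required"  # typed error: use the original method first
    REJECT = "reject"


def _truthy(value):
    # Apple may send these claims as a boolean or as the string "true"/"false".
    # Anything else (missing, None, 1, "yes") is treated as false.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def is_private_relay(claims):
    # Check both the claim and the address, case-insensitively.
    email = str(claims.get("email") or "").strip().lower()
    return _truthy(claims.get("is_private_email")) or email.endswith(RELAY_SUFFIX)


def decide_link(policy, claims, account_exists):
    """Map an already-validated Apple ID token's claims to a linking outcome.

    policy: "confirm", "auto" or "reject", the three modes in the note.
    account_exists: True if a password account already uses claims["email"].
    """
    if policy not in ("confirm", "auto", "reject"):
        raise ValueError(f"unknown linking policy: {policy!r}")
    if not account_exists:
        return Outcome.SIGNUP
    if policy == "reject":
        return Outcome.REJECT
    verified = _truthy(claims.get("email_verified"))
    if policy == "auto" and verified and not is_private_relay(claims):
        return Outcome.LINK
    # "confirm", plus (assumption) any "auto" case that fails the checks above.
    return Outcome.LINK_REQUIRED
```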

Every sign-in and sign-up fires the matching user.signin / user.signup webhook and writes an audit log entry; tokens issued through the federated flow carry amr: ["oauth", "apple"] so you can tell at a glance which of your users came in through password and which through Apple.