
From reading the Apple documentation, the flow for using and updating Wallet passes goes like this:

  • User taps an "add to wallet" button
  • App calls its API which provides a pkpass file
  • App presents the pass to the system, which triggers usual UI flow to add it to wallet

The pass contains a webServiceURL property, which points at my API which handles the POST and DELETE commands described in the docs, and also requires an authenticationToken to authenticate it. These two things together are used by iOS to request updates to a pass or to delete it, independent of anything my apps do.

This token is what concerns me. It's a token that I provide to Apple, and they provide back to me to authenticate against my own service. This is not an OAuth flow, it's just a string that identifies the user in a secure way (e.g. a hash of a user ID). Does this token need to be created in any particular way (e.g. a JWT), am I free to invent something, or is there some other convention for this?

I'm also unclear about when this endpoint will be called. Will it be called automatically when an expiry time approaches? Does it need to be kicked via a push notification to tell it to update?

Synchro
  • You are free to invent something, but I would use a JWT. There are lots of libraries available for issuing and validating JWTs. Why reinvent the wheel? When the pass is first installed you will get a POST with the pass device token. You can send a push to this token to trigger a pass refresh. The GET URL will then be called to request the latest pass data. When the user deletes the pass you will get the DELETE call to remove the push token. https://developer.apple.com/library/archive/documentation/PassKit/Reference/PassKit_WebService/WebService.html#//apple_ref/doc/uid/TP40011988-CH0-SW1 – Paulw11 Aug 24 '23 at 20:50
  • Thanks - I'd missed those docs, they're really helpful. I find JWTs really unpleasant to use, monstrously overcomplicated and opaque, but I guess I'll go with the flow. – Synchro Aug 25 '23 at 16:13
  • I've now got this working. FWIW I used [the firebase PHP JWT package](https://github.com/firebase/php-jwt) rather than the stock Laravel one as it's much easier to work with. – Synchro Aug 26 '23 at 17:01

0 Answers
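
One way to build and check the token discussed above, as an added example that is not part of the original question or its comments: it derives a per-pass `authenticationToken` with HMAC-SHA256 (an opaque token, not the JWT suggested in the comments) and validates the `Authorization: ApplePass <token>` header that Wallet sends to the web service. The secret, function names and sample identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample secret; load a random key from a secret store in production.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SCHEME = "ApplePass"  # scheme Wallet puts in the Authorization header


def issue_token(pass_type_id: str, serial: str,
                secret: bytes = SERVER_SECRET) -> str:
    """Derive the authenticationToken written into pass.json for one pass."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode()
                   for p in (pass_type_id, serial))
    # 64 hex characters, well above Apple's 16-character minimum.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def parse_authorization(header: Optional[str]) -> Optional[str]:
    """Return the token from 'ApplePass <token>', or None if malformed."""
    if not header:
        return None
    parts = header.strip().split(" ")
    if len(parts) != 2 or parts[0] != SCHEME or not parts[1]:
        return None
    return parts[1]


def is_authorized(header: Optional[str], pass_type_id: str, serial: str,
                  secret: bytes = SERVER_SECRET) -> bool:
    """Authorize a request for the pass named in the URL path."""
    presented = parse_authorization(header)
    if presented is None:
        return False
    # Recompute instead of looking up: the token is bound to this one pass,
    # so a token lifted from pass A cannot register or fetch pass B.
    expected = issue_token(pass_type_id, serial, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(presented.encode(), expected.encode())
```

Because the token is embedded in the pass file itself, it stays valid for as long as that copy of the pass exists; replacing it means issuing an updated pass.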