Provider strategy

vestibule_apple

Sign in with Apple strategy with JWKS-backed ID token verification and form_post callback support.

When to use it

Use Apple when your application needs Sign in with Apple for web clients and can generate a client-secret JWT.

Default scopes: name email

Install

gleam add vestibule_apple

Setup shape

  1. Create an Apple App ID and enable Sign In with Apple.
  2. Create a Services ID for the OAuth client_id.
  3. Register an HTTPS return URL; Apple does not allow localhost callbacks.
  4. Create a Sign in with Apple key and generate an ES256 client-secret JWT.

Usage

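import vestibule_apple

// init sets up the JWKS cache used to verify Apple ID tokens.
let apple = vestibule_apple.init()
let strategy = vestibule_apple.strategy(apple)

// try_init returns a Result, so duplicate initialization can be handled explicitly.
let assert Ok(checked_apple) = vestibule_apple.try_init()
let checked_strategy = vestibule_apple.strategy(checked_apple)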

What Vestibule handles

  • init initializes the JWKS cache used to verify Apple ID tokens.
  • try_init lets applications handle duplicate initialization explicitly.
  • Apple sends name and email only on first consent.
  • User info comes from the verified id_token, not a userinfo endpoint.

Notes to keep explicit

  • Apple client_secret values are JWTs generated from Team ID, Key ID, Services ID, and the .p8 private key.
  • Do not commit the Apple private key; generate the client-secret JWT in your app or deployment pipeline.