#nick-apple-verification
Okay, and how do I manage such an event in order to prevent outages?
I mean; does its expiration cause service interruption or does it just mean I need to use a new file if adding new domains?
yeah the new file is for new domain right now
so mostly you can either always load it from us, or detect when adding a domain fails and investigate
"Always load it from you" ? I'm supposed to host the file myself, so I'm not sure what you mean. It's the Apple device that checks for the presence of this file, so it must have a meaning outside Stripe?
There's a file, used to verify a domain. When you verify a domain, you make an API request (or a manual action in the Dashboard). When you do, we (Stripe) verify the file first, and if it matches, we ask Apple to go and verify it when we register your domain with them
So if you have file AAAAA and it works but say on May 1st Apple moves to a file BBBBBBB and you don't have it, when you go and register example.com on May 3rd, it will fail because we (Stripe) look at the file for that domain and it shows AAAAA instead of BBBBBBB
Alright, so it's a dual-function file
We (Stripe) have the file ourselves at https://stripe.com/files/apple-pay/apple-developer-merchantid-domain-association so your code could fetch that file first to store it on the server in the right place
it is not! It's "payment processor specific"
so if you use Braintree, they have another file
Got it
in theory, Apple always said they could re-verify if they wanted to
we don't think they do, but it's a bit of a grey area
I thought it was used to validate my domain specifically for Apple Pay in my Stripe account's context
that's the case yes
(while being unique for my account I mean)
but mostly you register the domain with the API key of account A and we tell Apple "hey the merchant with identifier XXXXXX is trying to register example.com" and they go and check the file matches Stripe.
But not that it matches a unique file for you. Otherwise you couldn't register the domain for multiple accounts
Makes sense
Just wanted to understand its function. What we do right now is just re-route all requests for the file to an S3 bucket that has the same file in it, so if it changes I would have to revalidate all domains at once in this case, I guess
(because we have Apple Pay in multiple applications on different domains)
well it would really only impact new domains
yeah but if they share the file and I add a new domain, get a new key and replace it, I would replace it for all domains at once in my setup
gotcha
But as long as it's only when adding new domains it won't matter at all
I just wanted to make sure I would not reactively have to update it in response to something external
yep makes sense
I really hope we never get into a world where Apple re-checks domains, I don't think most integrations are prepared for that
Never hurts to be prepared - or at the very least understand how it works
So another thing; I created a new Apple Pay cert 'cause it expires in like 4 months and I was looking over all our Apple Pay stuff. Do I need to do anything other than just delete the old cert and activate the new one on Apple's developer site?
you need to activate the new one on Apple first
Of course
that way they start using that one fully and after that you can delete the old one
Great
yeah you say "of course" but damn if I haven't been in incidents because someone did the opposite
it's a bit of an opaque process since you can't really track what it does
Hehe. I mean, since I can have 2 on Stripe and only 1 on Apple, it's the only logical thing
I'll just activate the new one and delete the old one on Stripe in a few days