I'm reaching out regarding a recurring issue I'm experiencing with MusicKit developer tokens.
I'm using a valid .p8 private key to sign JWTs for Apple MusicKit integration. Each token I generate includes the appropriate claims (iss, iat, exp) and is signed with the ES256 algorithm, with an expiration date set approximately 6 months ahead.
Everything works as expected immediately after generating the token. However, after a few days, the same JWT (still well within its expiration period) suddenly begins returning invalid/unauthorized responses when used in Postman and other API clients.
Importantly:
- I did not delete or revoke the .p8 key during this time.
- I verified the JWT contains valid claims and a proper structure.
- The issue consistently resolves only when I create a new .p8 file and regenerate a fresh JWT with it—after which the cycle repeats.
- This issue occurs even when the environment and app identifiers remain unchanged.
I would greatly appreciate it if you could help me understand:
- Why these tokens become invalid after a few days, despite having a long exp value and an unchanged key.
- Whether there's any automatic revocation or timeout policy on .p8 keys that could explain this behavior.
- If there's a better way to maintain long-lived developer tokens without requiring new .p8 key generation every few days.
Thank you for your help and clarification on this issue.
Best regards, Liad Altif
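
An added example, not part of the original post: an offline structural check of a MusicKit developer token, covering the iss, iat and exp claims and the ES256 signing the post mentions. It assumes Apple's documented `kid` header and 15777000-second maximum lifetime, neither of which appears in the post; the function names and sample values are constructed, and the signature is checked for shape only, not cryptographically verified.

```python
import base64
import json

# Assumed from Apple's MusicKit documentation (not from the post): 6 months in seconds.
MAX_LIFETIME = 15777000

def b64url_decode(part):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def build_token(header, claims, signature):
    # Helper for constructed samples only; it does not sign anything.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(json.dumps(claims).encode()), enc(signature)])

def inspect_developer_token(token, now):
    """Return structural problems in a developer token; an empty list means none found."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:
        return ["a segment is not valid base64url or JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"]
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg is not ES256")
    if not header.get("kid"):
        problems.append("kid is missing")
    if not claims.get("iss"):
        problems.append("iss is missing")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat and exp must be integer Unix seconds")
    else:
        if iat > now:
            problems.append("iat is in the future")
        if exp <= now:
            problems.append("exp has passed")
        if exp - iat > MAX_LIFETIME:
            problems.append("lifetime exceeds the maximum")
    if len(signature) != 64:
        # JWS ES256 uses raw R||S (64 bytes), not a DER-encoded ECDSA signature.
        problems.append("signature is not 64 bytes")
    return problems

# Constructed samples: placeholder identifiers and all-zero signatures.
NOW = 1700000000
GOOD = build_token({"alg": "ES256", "kid": "KEYID00000"}, {"iss": "TEAMID0000", "iat": NOW, "exp": NOW + 15000000}, bytes(64))
BAD = build_token({"alg": "ES256"}, {"iss": "TEAMID0000", "iat": NOW * 1000, "exp": (NOW + 15000000) * 1000}, bytes(70))
```

`BAD` models two common generation mistakes: timestamps written in milliseconds and a DER-encoded signature in place of the raw 64-byte form.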