Use this guide to cover the App Review items Apple most often flags for Para integrations.
1. Sign-in options
If your app offers any third-party or social login (Google, Facebook, and so on), App Store Review Guideline 4.8 requires an equivalent login option that limits data collection to the user's name and email address, lets the user keep their email private, and does not collect interactions with the app for advertising without consent. Sign in with Apple is the simplest way to satisfy that requirement, and it is what reviewers expect to see.
Actions:
- Add Sign in with Apple anywhere other providers appear.
- Test it in a release build before submission.
If your app only uses first-party sign-ins (email, phone, or passkeys), Apple doesn’t require Sign in with Apple.
2. Reviewer login flow
Assume the reviewer has no external wallet installed and will not set one up. The sign-in path must work end to end with standard credentials, especially if your app also supports external wallets.
Actions:
- Show standard sign-in options (email, phone, or Apple) first.
- Add a line in onboarding: “No external wallet required — continue with email, phone, or Apple.”
- In your Reviewer Notes, list exact steps to log in without a wallet.
Reviewer Notes example:
Use email or phone (OTP), or Sign in with Apple, to log in. No external wallet (e.g., MetaMask) is required to access the app.
3. Wallet-only positioning
If your app is a non-custodial wallet and not an exchange, make that clear. Reviewers often check for exchange or on-ramp features.
Add to Reviewer Notes:
The app is a non-custodial wallet using the Para SDK. It does not include exchange, swap, bridge, or on/off-ramp services. No tokens are sold or issued.
Features:
- Creates/imports non-custodial wallets via passkeys or MPC.
- Displays addresses and signs user transactions.
- Uses public RPC endpoints only.
Exclusions:
- No buy/sell/swap/bridge flows.
- No fiat or crypto on-/off-ramp.
- No KYC/AML required (wallet-only app).
Para SDK:
- Handles authentication and signing only.
- Private keys never leave the user’s device.
Request:
- Review under Guideline 3.1.5(i) as a wallet-only app.
Guideline 3.1.5(i) covers wallet apps only when they are offered by a developer enrolled as an organization, so confirm your Apple Developer Program enrollment type before relying on it. Edit the template to match your build: reviewers compare these statements with the running app, so delete any line that isn't true (for example, "no swap" when a swap flow sits behind a feature flag).
4. Account deletion
If users can create an account, Guideline 5.1.1(v) requires that the app also let them delete it from within the app, not merely deactivate it, and deletion must remove the account and its associated data (subject to any legal retention requirements, which you should state to the user).
Keep it simple:
- Provide a Delete Account action somewhere obvious (Settings is fine).
- If you need Para to remove the user record as well, reach out to support after you handle your own data.
Reviewer Notes example:
In-app account deletion is available at Settings → Account → Delete Account. Para is an SDK provider and does not host user accounts. Contact us if Para-level deletion is required.
5. Passkeys & entitlements
Passkeys are bound to a relying-party identifier, which for an iOS app is a web domain you control. iOS will only create or offer passkeys for that domain if the domain vouches for your app: the app declares the domain in its Associated Domains entitlement, and the domain publishes an apple-app-site-association (AASA) file listing the app's App ID. If you use passkeys or password autofill with the Para SDK, set up both sides before you submit.
Checklist:
- Add the Associated Domains capability in Xcode.
- Include webcredentials:your.domain in the entitlement, one entry per domain that will hold credentials.
- Host https://your.domain/.well-known/apple-app-site-association with a webcredentials object whose apps array contains TEAMID.your.bundle.id.
- Serve it over HTTPS with Content-Type: application/json and no redirects. Apple's CDN fetches and caches the file, so append ?mode=developer to the entitlement entry in development builds when you need the device to read a freshly changed file directly from your server.
This is what lets the system sign-in sheet offer your passkeys and share saved credentials between your website and the app.
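A pre-submission check for the AASA side of that checklist, as an added example (this is not Para's or Apple's code). The Team ID, bundle ID and sample document are constructed; the validator confirms the file parses, that every entry has the TEAMID.bundle.id shape, and that your app is actually listed, and a second function flags the two serving mistakes that most often break passkey autofill: a redirect and a wrong Content-Type.

```python
"""Sanity-check an apple-app-site-association (AASA) document for passkeys.
Added example, not Para's code; all identifiers below are constructed."""
import json
import re

# Constructed sample body, as it would be served from
# https://your.domain/.well-known/apple-app-site-association
SAMPLE_AASA = json.dumps({
    "webcredentials": {"apps": ["ABCDE12345.com.example.parawallet"]},
})

# App identifiers are "<10-character Team ID>.<bundle ID>". This is a format
# check only; Apple still has to find the entry when its CDN fetches the file.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.\-]+$")


def validate_aasa(body: str, app_id: str) -> list[str]:
    """Return a list of problems with an AASA document for the given app.
    An empty list means app_id is listed under webcredentials.apps."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    webcreds = doc.get("webcredentials")
    if not isinstance(webcreds, dict) or not isinstance(webcreds.get("apps"), list):
        return ["missing webcredentials.apps array"]
    apps = webcreds["apps"]
    for entry in apps:
        if not isinstance(entry, str) or not APP_ID_RE.match(entry):
            problems.append(f"malformed app identifier {entry!r} (expected TEAMID.bundle.id)")
    if app_id not in apps:
        problems.append(f"{app_id} is not listed under webcredentials.apps")
    return problems


def check_aasa_response(status: int, headers: dict[str, str]) -> list[str]:
    """Check how the file was served. Apple fetches it over HTTPS and expects a
    direct 200 response with Content-Type application/json; redirects are not followed."""
    problems: list[str] = []
    if 300 <= status < 400:
        problems.append(f"HTTP {status} redirect; the file must be served directly")
    elif status != 200:
        problems.append(f"HTTP {status}; expected 200")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        problems.append(f"Content-Type {ctype!r}; expected application/json")
    return problems


if __name__ == "__main__":
    print(validate_aasa(SAMPLE_AASA, "ABCDE12345.com.example.parawallet"))
    print(validate_aasa(SAMPLE_AASA, "ABCDE12345.com.example.other"))
    print(check_aasa_response(301, {"Location": "https://www.your.domain/aasa"}))
```

Feed check_aasa_response the status and headers from a plain HTTPS fetch of the file (not a browser, which follows redirects silently); a 301 to a www. host or a text/plain response from a static-file host are both enough to make the passkey sheet never appear, with no error shown in the app.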
6. Reviewer Notes checklist
Paste these details into App Store Connect → Reviewer Notes:
- Login path (e.g., Continue → Sign in with Apple → Approve prompt)
- Test credentials or OTP instructions
- Note that the app is wallet-only, not an exchange
- Location of Delete Account in settings
- Any feature flags or regional settings
- Confirmation that backend services are live
7. Privacy & SDK compliance
Apple requires a privacy manifest (PrivacyInfo.xcprivacy) and a code signature for SDKs on its published list of commonly used third-party SDKs, and a declared reason for any required-reason API (file timestamps, system boot time, disk space, active keyboards, user defaults) that your own code or any SDK calls. Missing declarations are flagged at upload (ITMS-91053 "Missing API declaration" emails) and can block submission, so fix them before you archive.
Before you submit:
- Ship a privacy manifest for your app target and confirm every listed SDK includes its own.
- Ensure binary SDKs on Apple's list carry a valid signature.
- Declare an approved reason code for each required-reason API category in use.
- Update your App Privacy answers to match what the app and its SDKs actually collect; the manifests' NSPrivacyCollectedDataTypes entries should agree with them.
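The manifest checks above can be scripted. What follows is an added example, not Para's or Apple's tooling: a small linter that loads a PrivacyInfo.xcprivacy with the standard library's plistlib and reports the defects that cause upload rejections, namely a missing top-level key, a required-reason API entry with no reason code (or a malformed one), a collected data type without purposes or boolean flags, and tracking declared without any tracking domains. The sample manifest is constructed and deliberately contains one entry with no reason.

```python
"""Lint a PrivacyInfo.xcprivacy before archiving. Added example, not Para's
or Apple's code; the manifest below is constructed for illustration."""
import plistlib
import re

# Constructed sample: one complete required-reason entry (UserDefaults, CA92.1)
# and one FileTimestamp entry with an empty reasons array, which Apple rejects.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyTrackingDomains</key><array/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeEmailAddress</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><true/>
      <key>NSPrivacyCollectedDataTypeTracking</key><false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
    </dict>
  </array>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key><array/>
    </dict>
  </array>
</dict>
</plist>
"""

REQUIRED_TOP_LEVEL_KEYS = (
    "NSPrivacyTracking",
    "NSPrivacyTrackingDomains",
    "NSPrivacyCollectedDataTypes",
    "NSPrivacyAccessedAPITypes",
)
# Reason codes look like CA92.1 or C617.1. This only checks the shape;
# Apple's published list of approved reasons is authoritative.
REASON_CODE_RE = re.compile(r"^[A-Z0-9]{4}\.\d+$")


def lint_manifest_dict(manifest: dict) -> list[str]:
    """Return a list of problems for an already-parsed manifest; empty means clean."""
    problems: list[str] = []
    for key in REQUIRED_TOP_LEVEL_KEYS:
        if key not in manifest:
            problems.append(f"missing key {key}")
    if manifest.get("NSPrivacyTracking") is True and not manifest.get("NSPrivacyTrackingDomains"):
        problems.append("NSPrivacyTracking is true but NSPrivacyTrackingDomains is empty")
    for entry in manifest.get("NSPrivacyAccessedAPITypes") or []:
        api = entry.get("NSPrivacyAccessedAPIType", "<unnamed API category>")
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons") or []
        if not reasons:
            problems.append(f"{api}: no reason code declared")
        for code in reasons:
            if not isinstance(code, str) or not REASON_CODE_RE.match(code):
                problems.append(f"{api}: malformed reason code {code!r}")
    for entry in manifest.get("NSPrivacyCollectedDataTypes") or []:
        data_type = entry.get("NSPrivacyCollectedDataType", "<unnamed data type>")
        for key in ("NSPrivacyCollectedDataTypeLinked", "NSPrivacyCollectedDataTypeTracking"):
            if not isinstance(entry.get(key), bool):
                problems.append(f"{data_type}: {key} must be a boolean")
        if not entry.get("NSPrivacyCollectedDataTypePurposes"):
            problems.append(f"{data_type}: no collection purpose declared")
    return problems


def lint_privacy_manifest(data: bytes) -> list[str]:
    """Parse raw PrivacyInfo.xcprivacy bytes and lint them."""
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # plistlib raises InvalidFileException or an XML parse error
        return [f"not a valid plist: {exc}"]
    if not isinstance(manifest, dict):
        return ["root must be a dictionary"]
    return lint_manifest_dict(manifest)


if __name__ == "__main__":
    for problem in lint_privacy_manifest(SAMPLE_MANIFEST):
        print(problem)
```

Run it over your own app target's manifest and over each PrivacyInfo.xcprivacy found inside the frameworks in your build products; an SDK that ships a manifest with an empty reasons array fails your upload just as your own would.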
8. Export compliance
The Para SDK uses standard encryption (TLS, Secure Enclave, etc.). Answer Yes to the App Store Connect encryption question and select the exemption for apps that use only standard, publicly available algorithms. To avoid answering again for every build, record the same answer in Info.plist with the ITSAppUsesNonExemptEncryption key (set to NO when your app qualifies for the exemption). If your app adds its own or proprietary cryptography beyond that, you may need to upload export compliance documentation.
9. Final pre-submission checklist
Sign-in & onboarding
- Sign in with Apple (if you offer third-party or social logins)
- Onboarding text: No external wallet required
- Associated Domains configured for passkeys
Privacy & compliance
- In-app Delete Account button visible
- Privacy manifests complete & signed
- App Privacy details updated
- Export compliance questions answered
Reviewer experience
- Reviewer Notes completed (using template)
- Test credentials provided
- Backend services online
- Privacy policy link included