diff --git a/.env.example b/.env.example
index 28ab78e..866eb86 100644
--- a/.env.example
+++ b/.env.example
@@ -28,12 +28,22 @@ EMAIL_HOST_USER=your-email@gmail.com
 EMAIL_HOST_PASSWORD=your-app-password
 DEFAULT_FROM_EMAIL=honeyDue
 
+# Sign in with Apple
+# APPLE_CLIENT_ID must equal the iOS bundle ID of the build hitting this
+# backend. The Apple identity-token `aud` claim is checked against it
+# (see internal/services/apple_auth.go::verifyAudience). With DEBUG=false
+# an empty value rejects every Apple token.
+# Release builds: com.myhoneydue.honeyDue
+# Debug builds: com.myhoneydue.honeyDue.dev
+APPLE_CLIENT_ID=com.myhoneydue.honeyDue.dev
+APPLE_TEAM_ID=V3PF3M6B6U
+
 # APNs Settings (iOS Push Notifications)
 # Direct APNs integration - no external push server needed
 APNS_AUTH_KEY_PATH=/path/to/AuthKey_XXXXXX.p8
 APNS_AUTH_KEY_ID=XXXXXXXXXX
 APNS_TEAM_ID=XXXXXXXXXX
-APNS_TOPIC=com.tt.honeyDue
+APNS_TOPIC=com.myhoneydue.honeyDue.dev
 APNS_PRODUCTION=false # Set to true for production APNs, false for sandbox
 
 # FCM Settings (Android Push Notifications)
diff --git a/deploy-k3s-dev/config.yaml.example b/deploy-k3s-dev/config.yaml.example
index 50fdf6b..fc16be3 100644
--- a/deploy-k3s-dev/config.yaml.example
+++ b/deploy-k3s-dev/config.yaml.example
@@ -42,7 +42,7 @@ email:
 push:
   apns_key_id: ""
   apns_team_id: ""
-  apns_topic: com.tt.honeyDue
+  apns_topic: com.myhoneydue.honeyDue.dev
   apns_production: false
   apns_use_sandbox: true # Sandbox for dev
 
@@ -85,8 +85,9 @@ tls:
   # If mode=cloudflare, create secrets/cloudflare-origin.crt and .key
 
 # --- Apple Auth / IAP (optional) ---
+# client_id MUST equal the iOS Debug bundle ID for the dev backend.
 apple_auth:
-  client_id: ""
+  client_id: "com.myhoneydue.honeyDue.dev"
   team_id: ""
   iap_key_id: ""
   iap_issuer_id: ""
diff --git a/deploy-k3s-dev/scripts/00-init.sh b/deploy-k3s-dev/scripts/00-init.sh
index 0689c07..122ddaf 100755
--- a/deploy-k3s-dev/scripts/00-init.sh
+++ b/deploy-k3s-dev/scripts/00-init.sh
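Review bot: `+APPLE_TEAM_ID=V3PF3M6B6U` commits a concrete team identifier into the example file, while the neighbouring `APNS_AUTH_KEY_ID=XXXXXXXXXX` and `APNS_TEAM_ID=XXXXXXXXXX` keep placeholders; a Team ID is not a credential, but the example is the template people copy, so `APPLE_TEAM_ID=XXXXXXXXXX` plus a comment that it is the same value as APNS_TEAM_ID (deploy-k3s-dev/scripts/00-init.sh already fills `team_id: "${APNS_TEAM_ID}"`) keeps the file consistent and avoids tying a shared example to one account. The added comment describes only the DEBUG=false case and leaves the reader to infer that the `aud` check is relaxed when DEBUG=true. If that inference is right, say it outright so nobody runs an exposed instance that way, e.g. `# With DEBUG=true the aud check does not apply — keep DEBUG=false on any instance reachable by real clients`. The same wording is repeated in the deploy/prod.env.example hunk at line 80 and should be adjusted there too.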
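Review bot: `apns_topic: com.myhoneydue.honeyDue.dev` is the one unquoted string in the `push:` block, next to `apns_key_id: ""` and `apns_team_id: ""`, and the same value is quoted as `client_id: "com.myhoneydue.honeyDue.dev"` in the apple_auth hunk below. The bare scalar parses as a string, so this is a style point; `apns_topic: "com.myhoneydue.honeyDue.dev"` matches the rest of the file. The same applies to deploy-k3s/config.yaml.example at line 62 and to the heredoc in deploy-k3s-dev/scripts/00-init.sh at line 147.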
@@ -147,7 +147,7 @@ email:
 push:
   apns_key_id: "${APNS_KEY_ID}"
   apns_team_id: "${APNS_TEAM_ID}"
-  apns_topic: com.tt.honeyDue
+  apns_topic: com.myhoneydue.honeyDue.dev
   apns_production: false
   apns_use_sandbox: true
 
@@ -189,7 +189,7 @@ tls:
 
 # --- Apple Auth / IAP ---
 apple_auth:
-  client_id: "com.tt.honeyDue"
+  client_id: "com.myhoneydue.honeyDue.dev"
   team_id: "${APNS_TEAM_ID}"
   iap_key_id: ""
   iap_issuer_id: ""
diff --git a/deploy-k3s/config.yaml.example b/deploy-k3s/config.yaml.example
index 97d9314..3c2c709 100644
--- a/deploy-k3s/config.yaml.example
+++ b/deploy-k3s/config.yaml.example
@@ -62,7 +62,7 @@ email:
 push:
   apns_key_id: ""
   apns_team_id: ""
-  apns_topic: com.tt.honeyDue
+  apns_topic: com.myhoneydue.honeyDue
   apns_production: true
   apns_use_sandbox: false
 
@@ -100,8 +100,10 @@ admin:
   basic_auth_password: "" # HTTP basic auth password for admin panel
 
 # --- Apple Auth / IAP (optional, leave empty if unused) ---
+# client_id MUST equal the iOS Release bundle ID — Apple identity tokens
+# are rejected if the `aud` claim doesn't match.
 apple_auth:
-  client_id: ""
+  client_id: "com.myhoneydue.honeyDue"
   team_id: ""
   iap_key_id: ""
   iap_issuer_id: ""
diff --git a/deploy/prod.env.example b/deploy/prod.env.example
index 937aedb..042dc10 100644
--- a/deploy/prod.env.example
+++ b/deploy/prod.env.example
@@ -35,7 +35,7 @@ DEFAULT_FROM_EMAIL=honeyDue
 
 # APNS private key goes in deploy/secrets/apns_auth_key.p8
 APNS_AUTH_KEY_ID=CHANGEME_APNS_KEY_ID
 APNS_TEAM_ID=CHANGEME_APNS_TEAM_ID
-APNS_TOPIC=com.tt.honeyDue
+APNS_TOPIC=com.myhoneydue.honeyDue
 APNS_USE_SANDBOX=false
 APNS_PRODUCTION=true
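Review bot: The section header `# --- Apple Auth / IAP (optional, leave empty if unused) ---` now sits directly above `# client_id MUST equal the iOS Release bundle ID`, and the two read as contradictory: a reader cannot tell whether an empty client_id disables Sign in with Apple cleanly or, as the .env.example comment in this same commit says, rejects every Apple token. Rewording the header to `# --- Apple Auth / IAP (leave client_id empty only if Sign in with Apple is unused; an empty value rejects every Apple token) ---` removes the ambiguity. deploy-k3s-dev/config.yaml.example at line 85 keeps its `(optional)` header with the same issue.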
@@ -80,7 +80,11 @@ FEATURE_PDF_REPORTS_ENABLED=true
 FEATURE_WORKER_ENABLED=true
 
 # Optional auth/iap values
-APPLE_CLIENT_ID=
+# APPLE_CLIENT_ID must equal the iOS Release bundle ID. The Apple
+# identity-token `aud` claim is verified against this value
+# (internal/services/apple_auth.go::verifyAudience). Leaving it empty
+# with DEBUG=false rejects every Apple token as invalid audience.
+APPLE_CLIENT_ID=com.myhoneydue.honeyDue
 APPLE_TEAM_ID=
 GOOGLE_CLIENT_ID=
 GOOGLE_ANDROID_CLIENT_ID=
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 35e8c78..b106bb6 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -85,7 +85,7 @@ services:
       APNS_AUTH_KEY_PATH: ${APNS_AUTH_KEY_PATH}
       APNS_AUTH_KEY_ID: ${APNS_AUTH_KEY_ID}
       APNS_TEAM_ID: ${APNS_TEAM_ID}
-      APNS_TOPIC: ${APNS_TOPIC:-com.tt.honeyDue}
+      APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev}
       APNS_USE_SANDBOX: "true"
 
       FCM_SERVER_KEY: ${FCM_SERVER_KEY}
@@ -158,7 +158,7 @@ services:
       APNS_AUTH_KEY_PATH: "/certs/apns_key.p8"
       APNS_AUTH_KEY_ID: ${APNS_AUTH_KEY_ID}
       APNS_TEAM_ID: ${APNS_TEAM_ID}
-      APNS_TOPIC: ${APNS_TOPIC:-com.tt.honeyDue}
+      APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev}
       APNS_USE_SANDBOX: "true"
 
       FCM_SERVER_KEY: ${FCM_SERVER_KEY}
diff --git a/docs/deployment/10-secrets-config.md b/docs/deployment/10-secrets-config.md
index a11d798..95b9c6d 100644
--- a/docs/deployment/10-secrets-config.md
+++ b/docs/deployment/10-secrets-config.md
@@ -55,7 +55,7 @@ APNS_AUTH_KEY_ID=DISABLED01
 APNS_AUTH_KEY_PATH=/secrets/apns/apns_auth_key.p8
 APNS_PRODUCTION=false
 APNS_TEAM_ID=DISABLED01
-APNS_TOPIC=com.tt.honeyDue
+APNS_TOPIC=com.myhoneydue.honeyDue
 APNS_USE_SANDBOX=false
 BASE_URL=https://myhoneydue.com
 B2_BUCKET_NAME=honeyDueProd
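Review bot: The environment block gets a dev fallback for `APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev}`, but no corresponding default for APPLE_CLIENT_ID appears in either docker-compose.dev.yml hunk, and the block continues outside them, so I cannot see how that variable is passed. If it is wired as a bare `${APPLE_CLIENT_ID}`, an unset host variable renders as empty and, per the new .env.example comment, every Apple token is then rejected when DEBUG=false — an easy-to-miss failure in a dev stack. If that is the case, `APPLE_CLIENT_ID: ${APPLE_CLIENT_ID:-com.myhoneydue.honeyDue.dev}` beside APNS_TOPIC keeps the two bundle-ID settings in step; the hunk at line 158 has the same shape.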