# Guideline 5.2.2 - Legal: Accessing Third-Party APIs Without Authorization

**Guideline:** 5.2.2 · **Store:** Apple App Store · **Risk:** high · **Difficulty:** hard · **Typical turnaround:** 1-3 days

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-522-legal-accessing-third-party-apis-without-authorization

## Description

Apple is rejecting your app because it accesses a third-party service's API or data without authorization from the service provider. Under guideline 5.2.2, apps must use authorized APIs and have the necessary agreements in place with third-party services they integrate. This rejection typically targets apps that: (1) scrape data from websites instead of using official APIs, (2) use unofficial or reverse-engineered APIs from services like YouTube, Spotify, Instagram, Twitter/X, or TikTok, (3) access APIs in ways that violate the service's terms of service, or (4) use API keys or credentials that belong to someone else. The root cause is almost always that the developer built a feature around a third-party service without going through the proper API authorization process. Services like YouTube, Spotify, and Instagram have developer programs with terms of service that govern API usage. If your app uses their data without being enrolled and compliant, Apple will reject it — even if the data is technically publicly available via the API.

## Common variations

- App accesses third-party service without authorization
- Using unofficial or reverse-engineered APIs
- App scrapes data from third-party websites
- API usage violates third-party service terms of use
- Accessing third-party content through unauthorized methods

## Example rejection email

```
Guideline 5.2.2 - Legal - Intellectual Property

Your app accesses a third-party service or its data without authorization.

Specifically, your app appears to access [YouTube/Spotify/Instagram/Twitter] content or data using unofficial or unauthorized methods, or in a manner that may violate the third-party service's terms of use.

Next Steps:
Please update your app to:
1. Use only authorized, official APIs from the third-party service.
2. Ensure your use complies with the third-party service's API terms of service.
3. Provide documentation of your API authorization (developer account, API key registration) in the review notes if applicable.
```

## Resolution steps

## Quick Assessment
- **Risk level:** High
- **Resolution path:** Fix & Resubmit
- **Typical turnaround:** 1-3 days

## The Fix

01. **Identify unauthorized API usage** — List every third-party service your app accesses. For each, verify you're using the official API through an authorized developer account.

02. **Replace scraping with official APIs** — If you're scraping websites or using unofficial endpoints, switch to the service's official API. Register as a developer and obtain proper API keys.

03. **Review terms of service** — Read the API terms of service for every third-party service you integrate. Ensure your usage is within the permitted scope (rate limits, data usage restrictions, attribution requirements).

04. **Add required attribution** — Many APIs require visible attribution (e.g., 'Powered by Spotify,' YouTube logo). Add any required branding or attribution.

05. **Document authorization in review notes** — In the App Review Notes, provide: the service name, your developer account or app registration ID, confirmation of terms compliance, and any relevant screenshots of your API dashboard.

## Prevention
- Always use official APIs with proper developer registration
- Read and comply with API terms of service before building features
- Never reverse-engineer or scrape data from services that offer official APIs
- Monitor for API terms changes that could affect your compliance

## Appeal guidance

Appeal if you are using official, authorized APIs and can demonstrate compliance with the service's terms. Provide your developer account credentials, API registration, and confirmation that your usage is within the service's permitted scope.

## Before / after examples

**Before:** App scrapes YouTube video metadata and thumbnails by parsing HTML from youtube.com pages; no YouTube Data API key or developer registration
**After:** App uses the official YouTube Data API v3 with a registered API key; developer account registered through Google Cloud Console; usage complies with YouTube API Terms of Service including attribution requirements
**Why it works:** Third-party data must be accessed through official, authorized APIs. Scraping or reverse-engineering is not acceptable even if the data is publicly visible.

## Common questions

**Can you appeal a 5.2.2 rejection?**

Appeal if you are using official, authorized APIs and can demonstrate compliance with the service's terms. Provide your developer account credentials, API registration, and confirmation that your usage is within the service's permitted scope.

**How long does this typically take to fix?**

Typical turnaround is 1-3 days (difficulty: hard). After resubmission, most re-reviews complete within 24-48 hours.

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-522-legal-accessing-third-party-apis-without-authorization*