Guideline 5.2.2

Guideline 5.2.2 - Legal: Accessing Third-Party APIs Without Authorization

High RiskHardTypical Fix: 1-3 days0 Reports
Also known as:App accesses third-party service without authorizationUsing unofficial or reverse-engineered APIsApp scrapes data from third-party websitesAPI usage violates third-party service terms of useAccessing third-party content through unauthorized methods

Our Take

Apple is rejecting your app because it accesses a third-party service's API or data without authorization from the service provider. Under guideline 5.2.2, apps must use authorized APIs and have the necessary agreements in place with third-party services they integrate. This rejection typically targets apps that: (1) scrape data from websites instead of using official APIs, (2) use unofficial or reverse-engineered APIs from services like YouTube, Spotify, Instagram, Twitter/X, or TikTok, (3) access APIs in ways that violate the service's terms of service, or (4) use API keys or credentials that belong to someone else. The root cause is almost always that the developer built a feature around a third-party service without going through the proper API authorization process. Services like YouTube, Spotify, and Instagram have developer programs with terms of service that govern API usage. If your app uses their data without being enrolled and compliant, Apple will reject it — even if the data is technically publicly available via the API.

Resolution Guide

01

**Identify unauthorized API usage** — List every third-party service your app accesses. For each, verify you're using the official API through an authorized developer account.


02

**Replace scraping with official APIs** — If you're scraping websites or using unofficial endpoints, switch to the service's official API. Register as a developer and obtain proper API keys.


03

**Review terms of service** — Read the API terms of service for every third-party service you integrate. Ensure your usage is within the permitted scope (rate limits, data usage restrictions, attribution requirements).


04

**Add required attribution** — Many APIs require visible attribution (e.g., 'Powered by Spotify,' YouTube logo). Add any required branding or attribution.


05

**Document authorization in review notes** — In the App Review Notes, provide: the service name, your developer account or app registration ID, confirmation of terms compliance, and any relevant screenshots of your API dashboard.

Prevention

  • Always use official APIs with proper developer registration
  • Read and comply with API terms of service before building features
  • Never reverse-engineer or scrape data from services that offer official APIs
  • Monitor for API terms changes that could affect your compliance
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.2.2 - Legal: Accessing Third-Party APIs Withou
    Guideline 5.2.2 - Legal - Intellectual Property Your app accesses a third-party service or its data without authorization. Specifically, your app appears to access [YouTube/Spotify/Instagram/Twitter] content or data using unofficial or unauthorized methods, or in a manner that may violate the third-party service's terms of use. Next Steps: Please update your app to: 1. Use only authorized, official APIs from the third-party service. 2. Ensure your use complies with the third-party service's API terms of service. 3. Provide documentation of your API authorization (developer account, API key registration) in the review notes if applicable.

    Consider Appealing

    Appeal if you are using official, authorized APIs and can demonstrate compliance with the service's terms. Provide your developer account credentials, API registration, and confirmation that your usage is within the service's permitted scope.

    Generate Appeal

    Before & After

    Before — Rejected

    App scrapes YouTube video metadata and thumbnails by parsing HTML from youtube.com pages; no YouTube Data API key or developer registration

    After — Approved

    App uses the official YouTube Data API v3 with a registered API key; developer account registered through Google Cloud Console; usage complies with YouTube API Terms of Service including attribution requirements

    What changed: Third-party data must be accessed through official, authorized APIs. Scraping or reverse-engineering is not acceptable even if the data is publicly visible.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections