Guideline 5.2.2
Guideline 5.2.2 - Legal: Accessing Third-Party APIs Without Authorization
Our Take
Apple is rejecting your app because it accesses a third-party service's API or data without authorization from the service provider. Under guideline 5.2.2, apps must use authorized APIs and have the necessary agreements in place with third-party services they integrate. This rejection typically targets apps that: (1) scrape data from websites instead of using official APIs, (2) use unofficial or reverse-engineered APIs from services like YouTube, Spotify, Instagram, Twitter/X, or TikTok, (3) access APIs in ways that violate the service's terms of service, or (4) use API keys or credentials that belong to someone else. The root cause is almost always that the developer built a feature around a third-party service without going through the proper API authorization process. Services like YouTube, Spotify, and Instagram have developer programs with terms of service that govern API usage. If your app uses their data without being enrolled and compliant, Apple will reject it — even if the data is technically publicly available via the API.
Resolution Guide
**Identify unauthorized API usage** — List every third-party service your app accesses. For each, verify you're using the official API through an authorized developer account.
**Replace scraping with official APIs** — If you're scraping websites or using unofficial endpoints, switch to the service's official API. Register as a developer and obtain proper API keys.
**Review terms of service** — Read the API terms of service for every third-party service you integrate. Ensure your usage is within the permitted scope (rate limits, data usage restrictions, attribution requirements).
**Add required attribution** — Many APIs require visible attribution (e.g., 'Powered by Spotify,' YouTube logo). Add any required branding or attribution.
**Document authorization in review notes** — In the App Review Notes, provide: the service name, your developer account or app registration ID, confirmation of terms compliance, and any relevant screenshots of your API dashboard.
Prevention
Example Rejection Email
Consider Appealing
Appeal if you are using official, authorized APIs and can demonstrate compliance with the service's terms. Provide your developer account credentials, API registration, and confirmation that your usage is within the service's permitted scope.
Before & After
App scrapes YouTube video metadata and thumbnails by parsing HTML from youtube.com pages; no YouTube Data API key or developer registration
App uses the official YouTube Data API v3 with a registered API key; developer account registered through Google Cloud Console; usage complies with YouTube API Terms of Service including attribution requirements
What changed: Third-party data must be accessed through official, authorized APIs. Scraping or reverse-engineering is not acceptable even if the data is publicly visible.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy