You uploaded a build, filled in App Review notes with a demo username and password, and within 24 hours the submission flips to Metadata Rejected with a message like “We were unable to sign in to the app with the credentials you provided” or “login error: invalid credentials.” On your phone the same account works fine. The reviewer is hitting your backend from an unfamiliar IP (often Cupertino or a VPN egress in Beijing for Apple’s China region team), through a fresh device with no cached session, and your account either tripped a security rule or never worked outside your test environment.
This is one of the most common Guideline 2.1 rejections and one of the fastest to fix — but only if you can confirm exactly why the credentials failed on the reviewer’s side.
Common causes
Ordered by hit rate. About 70% of cases are #1 or #2.
1. Backend security rule locked the account
Your auth service (Auth0, Firebase Auth, Cognito, Supabase, custom) saw repeated logins from an unusual geo / IP / user-agent and triggered rate limiting, geo-blocking, or “suspicious activity” auto-lock. The reviewer sees a 401 that looks like wrong credentials but is actually a lock.
How to spot it: Check your auth provider’s dashboard for the demo user during the review window. Look for failed attempt logs from an Apple IP range (Cupertino: 17.0.0.0/8) or a China region IP if you’re being reviewed there. If you see “account locked” or “too many attempts,” that’s it.
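One way to make that dashboard check repeatable is to run the demo user's auth log through a small triage script. The following is an added example, not code from the original article; it assumes a JSON-lines log with the fields ts, user, ip, event and outcome (Auth0, Firebase and Cognito each use their own field names, so parse_line() is the part to adapt), and the sample log lines are constructed.

```python
"""Triage an auth-provider log for the demo account over the review window.

Added example, not code from the original article. It assumes a JSON-lines
log with the fields ts, user, ip, event and outcome; adapt parse_line() to
your provider's export format.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Apple's own allocation; App Review traffic from Cupertino originates here.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
DEMO_USER = "apple-review-2026@yourdomain.com"

# Constructed sample log: three reviewer failures, the auto-lock, one more
# "failure" that is really the lock, then the developer's own successful
# login from a non-Apple address (203.0.113.9 is a documentation range).
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:14:01Z", "user": "apple-review-2026@yourdomain.com", "ip": "17.58.100.23", "event": "login", "outcome": "failed"}
{"ts": "2026-03-02T09:14:09Z", "user": "apple-review-2026@yourdomain.com", "ip": "17.58.100.23", "event": "login", "outcome": "failed"}
{"ts": "2026-03-02T09:14:14Z", "user": "apple-review-2026@yourdomain.com", "ip": "17.58.100.23", "event": "login", "outcome": "failed"}
{"ts": "2026-03-02T09:14:15Z", "user": "apple-review-2026@yourdomain.com", "ip": "17.58.100.23", "event": "account_locked", "outcome": "suspicious_activity"}
{"ts": "2026-03-02T09:14:40Z", "user": "apple-review-2026@yourdomain.com", "ip": "17.58.100.23", "event": "login", "outcome": "failed"}
{"ts": "2026-03-02T11:02:33Z", "user": "apple-review-2026@yourdomain.com", "ip": "203.0.113.9", "event": "login", "outcome": "success"}
{"ts": "2026-03-02T11:05:00Z", "user": "someone-else@example.com", "ip": "17.58.100.23", "event": "login", "outcome": "failed"}
"""


def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def triage(log_text, demo_user, window_end, window_hours=48):
    """Return a verdict for the demo user plus the counts that justify it."""
    window_start = window_end - timedelta(hours=window_hours)
    events = [r for r in map(parse_line, log_text.splitlines())
              if r["user"] == demo_user and window_start <= r["ts"] <= window_end]
    from_apple = [r for r in events if r["ip"] in APPLE_NET]
    apple_failures = [r for r in from_apple
                      if r["event"] == "login" and r["outcome"] == "failed"]
    lock = next((r for r in events if r["event"] == "account_locked"), None)
    # Once the lock fires, later "failed" logins are the lock talking, not bad credentials.
    failures_after_lock = [r for r in apple_failures if lock and r["ts"] >= lock["ts"]]
    succeeded_from_apple = any(r["event"] == "login" and r["outcome"] == "success"
                               for r in from_apple)
    succeeded_elsewhere = any(r["event"] == "login" and r["outcome"] == "success"
                              and r["ip"] not in APPLE_NET for r in events)

    if lock:
        verdict = "locked"                 # cause 1: unlock the user, then relax the rule
    elif succeeded_from_apple:
        verdict = "reviewer_logged_in"     # auth is fine; look at causes 2 and 5
    elif apple_failures and succeeded_elsewhere:
        verdict = "fails_only_from_apple"  # creds work for you: suspect a geo/IP rule or typo'd notes
    elif apple_failures:
        verdict = "fails_everywhere"       # causes 3/4: stale account or wrong credentials
    elif not from_apple:
        verdict = "no_reviewer_traffic"    # cause 6: the reviewer never reached your auth endpoint
    else:
        verdict = "inconclusive"
    return {
        "verdict": verdict,
        "apple_attempts": len(from_apple),
        "apple_failures": len(apple_failures),
        "lock_at": lock["ts"].isoformat() if lock else None,
        "failures_after_lock": len(failures_after_lock),
    }


if __name__ == "__main__":
    end = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)
    print(json.dumps(triage(SAMPLE_LOG, DEMO_USER, end), indent=2))
```

On the constructed log the verdict is "locked" with one failure recorded after the lock; that trailing failure is exactly the 401 the reviewer reports as "invalid credentials". The verdict ordering is deliberate: an explicit lock event outranks everything else, and a success from Apple's range means the problem is past the login screen.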
2. The demo account requires 2FA or SMS / email verification
Reviewer types the password, your app asks for a one-time code sent to a phone number or inbox the reviewer can’t access. They give up. You never tested the cold-start flow on a fresh device because your phone was already enrolled.
How to spot it: Sign out completely, wipe app data, reinstall, and log in with the demo credentials on a device that has never seen this account. If a 2FA prompt appears, the reviewer hit the same wall.
3. The account expired or was deleted between submissions
You created a demo account for the v1.0 submission six months ago, then your cleanup script purged inactive accounts, or the password was rotated, or someone on the team disabled the user. The credentials in App Review notes are stale.
How to spot it: Look up the demo account in your admin panel. Check last_login, disabled_at, password_changed_at. If any of these are newer than the credentials in your notes, the account is dead.
4. Credentials in App Review notes were transcribed wrong
Typos in 0 vs O, l vs 1, trailing spaces, smart quotes pasted from a doc, or the wrong field label (“username” when your app wants email). Reviewer enters exactly what you wrote.
How to spot it: Copy the credentials from your App Review notes (App Store Connect → App Information → Review notes) and paste them into the production login form. If even one character is off, that’s the rejection.
5. Region-locked features behind login
The reviewer is in the US (or your assigned reviewer region), the account works there for basic login, but the home screen is empty because content is geo-restricted to a region the reviewer can’t reach. They mark login as broken because the app looks dead.
How to spot it: Check your content / feature gating logic. If a logged-in user in the reviewer’s region sees an empty state, you need either a sample data set for that region or VPN guidance in notes.
6. App requires a separately-provisioned backend (sandbox / staging) the reviewer was never given
Your production build points at staging for App Review, and the staging domain is behind Cloudflare Access or VPN. Reviewer can’t even reach the auth endpoint.
How to spot it: Run strings on the binary (or decompile it) and check the API base URL. If it’s staging.api.yourapp.com and you have Cloudflare Access rules, that’s the problem.
Information to collect
- The exact reviewer message and which Guideline (2.1 vs 4.0) was cited.
- Auth provider logs for the demo user, filtered to the past 48 hours.
- The credentials as they appear in App Review notes, character by character.
- Your auth provider’s rate limit + geo-block rules currently in effect.
- A second device (never logged in before) you can use to re-test cold start.
Shortest path to fix
Step 1: Cold-test the credentials on a fresh device
Borrow a phone or use a fresh simulator. Settings → General → Reset → Erase All Content and Settings, install the production build (TestFlight or App Store install of the previous version), and log in using only what’s written in App Review notes. Do not use Keychain autofill. If anything other than the home screen appears within 60 seconds, fix that first.
Step 2: Unblock the demo user in your auth backend
In Auth0 / Firebase / Cognito / Supabase / your own DB:
# Firebase Auth example: export all users and inspect the demo user's record
firebase auth:export users.json --format=json --project your-project
# in users.json, find the demo user and confirm disabled=false, emailVerified=true
# Or fix the record directly via the Admin SDK (GOOGLE_APPLICATION_CREDENTIALS must point at a service-account key; replace UID with the demo user's uid)
node -e "const a=require('firebase-admin');a.initializeApp();a.auth().updateUser('UID',{disabled:false,emailVerified:true}).then(u=>console.log(u.uid,'disabled:',u.disabled,'emailVerified:',u.emailVerified))"
If the user is in a rate-limit table, drop their entry. If they’re in a geo-block list, whitelist their account or whitelist Apple’s IP range (17.0.0.0/8) for the demo user only.
Step 3: Strip 2FA + verification from the demo user
In your user table, set mfa_enabled = false, requires_phone_verification = false, requires_email_verification = false. If your code path enforces 2FA for all users globally, add a feature flag that exempts accounts whose email matches apple-review-*@yourdomain.com.
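The exemption logic from Step 2 and Step 3 fits in one policy function. The following is an added example, not code from the original article; it exempts the demo account through a server-set database flag (the approach the Prevention section recommends) combined with a domain check, rather than an email pattern alone, so that a self-registered account cannot opt itself out of MFA. The user fields (is_review_account, mfa_enrolled, email_verified, phone_verified), the login-context fields (ip, country, failed_attempts), the rate-limit threshold and the geo-block list are assumptions about a hypothetical user table.

```python
"""Login policy with a server-set exemption for the App Review demo account.

Added example, not code from the original article. The User and LoginContext
fields, MAX_FAILED_ATTEMPTS and BLOCKED_COUNTRIES are assumptions about a
hypothetical backend; map them onto your own schema and auth middleware.
"""
import ipaddress
from dataclasses import dataclass

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
REVIEW_DOMAIN = "yourdomain.com"   # a domain you control, never user-chosen
MAX_FAILED_ATTEMPTS = 5            # constructed threshold for the rate limiter
BLOCKED_COUNTRIES = {"ZZ"}         # constructed placeholder geo-block list


@dataclass
class User:
    email: str
    is_review_account: bool = False   # set by an admin or migration, never by signup
    mfa_enrolled: bool = True
    email_verified: bool = False
    phone_verified: bool = False


@dataclass
class LoginContext:
    ip: str
    country: str
    failed_attempts: int = 0


def is_review_account(user):
    # Key the exemption on the flag AND the domain. The flag cannot be set from
    # self-service signup, and the domain check keeps a lookalike address that
    # picked up the flag through a bad data import from skipping MFA.
    domain = user.email.rsplit("@", 1)[-1].lower()
    return user.is_review_account and domain == REVIEW_DOMAIN


def login_decision(user, ctx):
    """Return (decision, details) where decision is allow, challenge or deny."""
    if is_review_account(user):
        # Demo account: no MFA, no verification, no rate limit, no geo-block,
        # whether or not the login arrives from Apple's 17.0.0.0/8.
        source = "apple_ip" if ipaddress.ip_address(ctx.ip) in APPLE_NET else "other_ip"
        return ("allow", ["review_exempt", source])
    if ctx.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return ("deny", ["rate_limited"])
    if ctx.country in BLOCKED_COUNTRIES:
        return ("deny", ["geo_blocked"])
    steps = []
    if not user.email_verified:
        steps.append("verify_email")
    if not user.phone_verified:
        steps.append("verify_phone")
    if user.mfa_enrolled:
        steps.append("mfa")
    return ("challenge", steps) if steps else ("allow", [])


if __name__ == "__main__":
    demo = User("apple-review-2026@yourdomain.com", is_review_account=True)
    print(login_decision(demo, LoginContext("17.58.100.23", "US", failed_attempts=9)))
    print(login_decision(User("user@example.com", phone_verified=True),
                         LoginContext("198.51.100.7", "US")))
```

The review-account branch runs before the rate limiter and the geo-block, which is what keeps a reviewer's repeated attempts from a new IP from tripping either rule; every other account still goes through the full set of checks.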
Step 4: Rewrite App Review notes with unambiguous credentials
In App Store Connect → your app → App Information → App Review Information, paste exactly:
Demo account
Login URL: (in-app, tap "Sign In" on launch)
Email: apple-review-2026@yourdomain.com
Password: ReviewPass-Spring2026!
This account is single-device (one active session at a time) and is reset on each submission.
No 2FA. Region-locked features are pre-enabled for this user; ignore
the location prompt.
Use straight ASCII quotes, no smart punctuation. Avoid words like “see attached” — Apple does not reliably display attachments in the review tool.
Step 5: Pre-seed sample data and disable analytics for the user
Reviewer logging in to an empty home screen still triggers 2.1. Pre-populate the demo user with three sample documents / messages / playlists so the first screen has real content. Also flag the user as is_internal = true so they don’t pollute your analytics.
Step 6: Resubmit (binary unchanged)
In App Store Connect → App Store tab → tap the build → Submit for Review. Demo account fixes are metadata-only; you do not need to upload a new build.
How to confirm the fix
- Logging in with the App Review notes credentials on a clean device reaches the home screen with sample content in under 30 seconds.
- Auth provider logs show your test login from a non-Apple IP succeeded without lock or 2FA prompt.
- App Review notes preview in App Store Connect renders correctly with no encoding artifacts.
- The submission moves from Metadata Rejected to Waiting for Review within 1-2 hours of resubmission.
If it still fails
- Reply in Resolution Center with a step-by-step demo: paste the credentials again, attach a 30-second QuickTime screen recording of you logging in cold.
- Ask the reviewer for the exact error code or screenshot — sometimes the failure is captcha, not credentials.
- Provide a second demo account in case the first was rate-limited by reviewer + your simultaneous testing.
- If you suspect IP geofencing, ask App Review to confirm their egress region via the Contact App Review form and add that region to your allowlist.
Prevention
- Maintain a single apple-review@yourdomain.com account that is permanently exempted from MFA, rate limits, geo-blocks, and inactivity sweeps via a database flag, not a maintained allowlist.
- Add a CI step that logs into the demo account once per day from a foreign IP (GitHub Actions runner is non-US) and alerts if it fails.
- Pre-seed the demo account with sample data each release so a cold login lands on a populated home screen.
- Document the credentials in a REVIEW.md in your repo; update App Review notes from that file every submission.
- Never tie the demo account to a real person’s phone number or email — use a shared inbox you control forever.
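The daily CI login check above can be a short script whose exit code fails the job. The following is an added example, not code from the original article: LOGIN_URL and FEED_URL, the JSON response shapes and the error codes it recognises are assumptions about a hypothetical backend, and the credentials are read from CI secrets rather than the repository. It classifies the response onto the causes listed earlier so the alert says which one to look at first, and also checks that the home feed is populated, since a successful login onto an empty screen still fails review.

```python
"""Daily cold-login canary for the App Review demo account.

Added example, not code from the original article. LOGIN_URL, FEED_URL, the
JSON response shapes and the error codes are assumptions about a hypothetical
backend; adapt them to your API. Run it from a CI runner outside your home
region and let a non-zero exit fail the job.
"""
import json
import os
import sys
import urllib.error
import urllib.request

LOGIN_URL = "https://api.yourapp.example/v1/login"  # hypothetical endpoint
FEED_URL = "https://api.yourapp.example/v1/home"    # hypothetical endpoint
TIMEOUT = 15


def classify_login(status, body):
    """Map a login response onto the failure causes a reviewer can hit.

    Returns (ok, label); body is the parsed JSON, or {} when the reply was not JSON.
    """
    body = body or {}
    error = body.get("error", "")
    if status == 0:
        return False, "endpoint_unreachable"           # cause 6: DNS/VPN/Cloudflare Access
    if status == 200 and body.get("token"):
        return True, "login_ok"
    if error in ("mfa_required", "verification_required"):
        return False, "2fa_or_verification_prompt"     # cause 2
    if status == 423 or error in ("account_locked", "too_many_attempts"):
        return False, "locked_or_rate_limited"          # cause 1
    if status == 401:
        return False, "rejected_credentials"            # cause 1, 3 or 4: check auth logs
    if status == 403:
        return False, "blocked_before_auth"             # cause 6, or a geo/WAF rule
    return False, f"unexpected_{status}"


def classify_feed(status, body):
    """A logged-in reviewer still needs a populated first screen (cause 5)."""
    items = (body or {}).get("items", [])
    if status == 200 and items:
        return True, f"home_has_{len(items)}_items"
    if status == 200:
        return False, "home_empty"
    return False, f"home_http_{status}"


def _json_or_empty(raw):
    try:
        return json.loads(raw)
    except ValueError:
        return {}


def fetch(url, payload=None, token=None):
    """Return (status, parsed_json); network errors surface as status 0."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return resp.status, _json_or_empty(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, _json_or_empty(e.read())
    except OSError:            # URLError, connection refused, socket timeout
        return 0, {}


def run():
    creds = {"email": os.environ["DEMO_EMAIL"], "password": os.environ["DEMO_PASSWORD"]}
    status, body = fetch(LOGIN_URL, creds)
    ok, label = classify_login(status, body)
    if ok:
        status, body = fetch(FEED_URL, token=body["token"])
        ok, label = classify_feed(status, body)
    print(f"demo-login-canary: {'OK' if ok else 'FAIL'} ({label})")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(run())
```

Schedule it with a cron trigger and pass DEMO_EMAIL and DEMO_PASSWORD as masked secrets; the printed label is what the alert should carry, because "locked_or_rate_limited" and "rejected_credentials" point at different fixes even though the reviewer sees the same "invalid credentials" message for both.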