Download the Apple Pay domain verification file from your Apple Developer account under the Merchant Identifier configuration; the file name is apple-developer-merchantid-domain-association.
Host the file at the exact path /.well-known/apple-developer-merchantid-domain-association on each domain and subdomain where you intend to accept Apple Pay — the file must be served over HTTPS with a valid TLS certificate.
Serve the file with content type text/plain, or at least without a content type header that would cause a browser or Apple's verification to reject it; do not rename the file or add an extension.
Register each domain in the Apple Developer portal under your Merchant Identifier by clicking Add Domain and entering the fully qualified domain name, then click Verify.
In your Payment Session request handler (on your server), call the Apple Pay Payment Session endpoint with your merchantIdentifier, domainName, displayName, and your merchant identity certificate for mTLS.
Validate the payment token returned from the browser using your merchant identity certificate's private key and the Apple Pay payment token decryption process before submitting to your payment processor.
Known gotchas
The verification file must be accessible without redirects at the exact /.well-known/ path — any redirect (including HTTP to HTTPS) will cause domain verification to fail.
Domain verification must be repeated for every subdomain individually; verifying example.com does not cover shop.example.com.
The merchant identity certificate used for Payment Session requests expires annually and must be renewed in the Apple Developer portal; expired certificates cause session requests to fail silently.
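A pre-flight check for the hosting steps and the redirect and per-subdomain gotchas above, as an added example that is not part of the original page or any Apple tooling. The function names are hypothetical, and treating any content type other than text/plain (or an absent header) as a problem is a conservative assumption.

```python
import http.client
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/apple-developer-merchantid-domain-association"

def evaluate(url, status, headers, body):
    """Return the problems found in one captured response (empty list = passes)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not served over HTTPS")
    if parts.path != WELL_KNOWN_PATH or parts.query:
        problems.append("path differs from the exact well-known path")
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        problems.append(f"redirect ({status}) to {hdrs.get('location', '?')}")
    elif status != 200:
        problems.append(f"unexpected status {status}")
    ctype = hdrs.get("content-type")
    if ctype is not None and ctype.split(";")[0].strip().lower() != "text/plain":
        problems.append(f"content type is {ctype}")  # assumption: conservative reading
    if status == 200 and not body.strip():
        problems.append("empty body")
    return problems

def fetch(domain, timeout=10):
    """Fetch the file once. http.client never follows redirects, and
    HTTPSConnection validates the TLS certificate by default."""
    conn = http.client.HTTPSConnection(domain, timeout=timeout)
    try:
        conn.request("GET", WELL_KNOWN_PATH)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()

def check_domains(domains, fetcher=fetch):
    """Check each domain and subdomain on its own; none covers another."""
    report = {}
    for d in domains:
        try:
            status, headers, body = fetcher(d)
            report[d] = evaluate(f"https://{d}{WELL_KNOWN_PATH}", status, headers, body)
        except OSError as exc:  # includes ssl.SSLError for an invalid certificate
            report[d] = [f"connection or TLS failure: {exc}"]
    return report

if __name__ == "__main__":
    # Constructed response: the well-known path answers with a redirect.
    print(evaluate("https://shop.example.com" + WELL_KNOWN_PATH, 301, {"Location": "/x"}, b""))
```

Run `check_domains` with the full list of domains and subdomains before clicking Verify in the portal; any non-empty list in the report names what to fix on that host.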