Universal Links and Associated Domains App Review checklist
Universal Links are a contract between a domain, an app, and a route. Review friction starts when a link opens the wrong place, requires hidden auth, or fails back to a broken web page.
Treat Universal Links as a route matrix, not an entitlement toggle. Apple associated domains create a two-way association between app and website, and Universal Links let the app handle URLs for that domain. AppReviewReady interpretation: prove every submitted URL has a working app route and a useful web fallback.
Map every URL to an app state
List marketing links, password reset links, email verification links, invite links, content links, checkout return links, support links, and App Clip routes. Each URL should have an expected app destination, web fallback, signed-out behavior, and expired-token behavior.
Do not test only the happy path from Safari. Reviewers may open links from Mail, Messages, Notes, QR codes, or App Store metadata. The route should land on the same user-understandable state.
Verify domain association and AASA deployment
- Associated Domains entitlement should include the exact production domains.
- The apple-app-site-association file should be reachable over HTTPS without redirects that break validation.
- Path patterns should be narrow enough to avoid taking over unrelated website URLs.
- Staging domains should not appear in production metadata or Review Notes unless intentionally used for testing.
- Domain ownership changes should trigger a release checklist review.
Design fallback states before review
If the app is not installed, the web page should explain the action or offer a download path. If the user is signed out, the app should preserve the intended destination after authentication. If the link is expired, the error should be specific enough for support.
AppReviewReady interpretation: a Universal Link failure often looks like an App Review access failure. Include at least one direct route in Review Notes when a link-dependent feature is central to testing.
Run a route-state matrix
- Open each URL from a fresh install, existing install, signed-out state, signed-in state, and deleted account state.
- Test wrong device, wrong region, expired token, revoked invite, and no-network states.
- Confirm the route respects account permissions and does not reveal private content before auth.
- Check analytics attribution without storing sensitive link tokens.
- Retest after website routing, CDN, or domain certificate changes.
Give review a link verification note
Keep the note short and route-specific. A reviewer should not need to debug associated domains to reach the feature being reviewed.
After release, monitor link failures separately from ordinary page views. A broken Universal Link can look like a conversion drop, password-reset failure, invite failure, or checkout return problem depending on the route.
For paid flows, test the link after payment, after cancellation, and after the session expires.
Universal Link review route: Domain: [domain] Example URL: [URL] Expected app screen: [screen] Signed-out behavior: [login then return] Expired behavior: [message] Web fallback: [URL behavior] AASA last verified: [date]
Primary references checked for this guide
Policy statements above are grounded in the linked Apple documentation. Operational recommendations are AppReviewReady's interpretation and should be tested against your app and the current guideline text.
Check link readiness
Review associated domains, deep links, auth states, and fallbacks before submission.
Open the tool