AppsFlyer started failing after Apr 18 incident: mixed 403 Forbidden and 400 Unauthorized

Hi everyone,

We’re investigating a sudden failure on our AppsFlyer integration and wanted to check whether anyone else has seen the same pattern.

Context:

• AppsFlyer integration was working before
• failures started after the RevenueCat incident on Apr 18, 2026:
  https://status.revenuecat.com/incidents/10dkhmtf8155
• RevenueCat’s incident update mentioned delayed third-party integration events and replay of queued requests

What we’re seeing:

• after the last successful AppsFlyer delivery, subsequent RevenueCat -> AppsFlyer events started failing
• failures affect all our app versions 1.3.1 ,  1.3.2 and 1.3.3
• failures affect multiple event types
• AppsFlyer responses are now a mix of:
  • 403 Forbidden
  • 400 Unauthorized

What we already checked:

• RevenueCat AppsFlyer config uses the correct iOS App ID
• we are using an AppsFlyer Dev Key, not an S2S token
• the dev key has not changed
• RevenueCat is definitely attempting delivery to AppsFlyer
• successful and failed events exist for 1.3.1 , 1.3.2 and 1.3.3, so this does not look like a client app regression

Examples from our payloads:

• successful:
  • rc_initial_purchase_event
  • rc_trial_started_event
  • rc_cancellation_event
  • rc_expiration_event
• failed:
  • rc_expiration_event
  • rc_trial_cancelled_event
  • rc_billing_issue_event
  • rc_renewal_event

So far this looks more like a RevenueCat -> AppsFlyer auth / authorization issue than an app-code issue, especially given the timing after the Apr 18 incident.

Questions:

1. Has anyone else seen RevenueCat -> AppsFlyer start failing after the Apr 18 incident?
2. Has anyone seen mixed 403 Forbidden and 400 Unauthorized responses from AppsFlyer on RevenueCat deliveries?
3. Did switching from AppsFlyer Dev Key to S2S token help in this situation?
4. Did RevenueCat or AppsFlyer support identify a root cause for similar failures?

Any data points would help.

Marc