To sync your iCloud calendar with Google or Outlook, Hetk connects to iCloud over CalDAV — and Apple requires an app-specific password for any third-party tool that does this. Your normal Apple ID password will not work, by design. This guide walks through creating one, where it goes in Hetk, and the single mistake that causes almost every “wrong password” error.
Why iCloud needs an app-specific password
iCloud has no OAuth for calendar data, the way Google and Microsoft do. CalDAV is the only way in, and Apple does not let third-party CalDAV clients use your main Apple ID password. Instead you generate a separate, single-purpose password for each app.
This is safer, not just an extra step. An app-specific password only works for the one app you made it for, and you can revoke it later without changing your Apple ID or disturbing anything else you have connected. If you ever stop using Hetk, you revoke that one password and its access is gone.
One requirement: your Apple ID must have two-factor authentication turned on. Apple only offers app-specific passwords on accounts that do. If you do not have it enabled, turn it on first under Apple ID → Sign-In and Security.
Create the password, step by step
- Go to appleid.apple.com and sign in with your Apple ID.
- In the Sign-In and Security section, choose App-Specific Passwords.
- Click the + (or “Generate an app-specific password”).
- Give it a name you will recognise later, such as
Hetk calendar sync. The name is only a label for you; it does not affect anything. - Confirm with your Apple ID password if prompted. Apple shows you the new password as four groups of letters, like
abcd-efgh-ijkl-mnop. - Copy it now. Apple shows it once and will not display it again — if you lose it, you simply delete it and make a new one.
Where it goes in Hetk
- In Hetk, add an Apple iCloud account.
- Enter the Apple ID email you just signed in with.
- Paste the app-specific password, including the dashes, exactly as Apple showed it.
Hetk uses this password only to make CalDAV requests to caldav.icloud.com, and stores it encrypted at rest. From there you connect a Google or Microsoft account and create a sync between a calendar on each. See Hetk + Apple iCloud for what syncs and what does not.
The “wrong password” fix almost everyone needs
If Hetk rejects the password, the cause is nearly always the same: you entered your Apple ID password instead of the app-specific password. They look interchangeable but they are not. iCloud’s CalDAV endpoint rejects the Apple ID password outright.
Run through this checklist:
- Use the generated password, not your Apple ID password. This is the fix in the large majority of cases.
- Include the dashes. Paste it in the
abcd-efgh-ijkl-mnopformat Apple gave you. - Check the email. Use the Apple ID address itself, not an alias.
- Confirm two-factor is on. Without it, Apple never issued a real app-specific password.
- If in doubt, regenerate. Delete the old password at appleid.apple.com and create a fresh one. It costs nothing and rules out a copy-paste slip.
What happens if I change my Apple ID password later?
Changing your Apple ID password revokes every app-specific password at once, including the one Hetk uses. Sync stops until you generate a new app-specific password and reconnect iCloud in Hetk. Nothing is lost; you just repeat the steps above.
How to revoke Hetk’s access
Go to appleid.apple.com → Sign-In and Security → App-Specific Passwords, and delete the password you created for Hetk. It takes effect immediately, and Hetk’s CalDAV requests stop working at once. Your other app-specific passwords are unaffected.