App Store Connect API Keys: Roles and .p8 Security

Updated July 12, 2026 · by the Shipzen team

An App Store Connect API key is the credential that lets tools talk to Apple's official App Store Connect API on your behalf: CI pipelines uploading builds, fastlane pushing metadata, and native desktop clients editing your listings. The key has three parts — a Key ID, an Issuer ID, and a private key file ending in .p8 — and the tool signs short-lived JWTs with them for every request. Getting the key's role right, and handling the .p8 file correctly, is most of the security story.

Team keys vs individual keys

Apple issues two kinds of keys, and they are not interchangeable:

Team key Individual key
Scope All apps in the account, access set by the role you assign Tied to one user's own apps and permissions
Who can create it Admin (or Account Holder) Any user, unless an Admin revokes the permission
Provisioning, Sales and Finance, notarytool Supported Not available
How many Multiple keys allowed One active key per user

Practical rule: shared infrastructure (CI, release tooling, a team's metadata workflow) gets a team key with a deliberately chosen role. An individual key is fine for personal scripts, because it can never exceed what you personally can do — but it also cannot touch provisioning, notarization, or sales reports at all.

Creating a team key, step by step

  1. In App Store Connect, open Users and Access, then the Integrations tab.
  2. Select App Store Connect API in the left column, then the Team Keys tab.
  3. Click the add button, name the key after the tool that will use it (one key per tool), and pick a role.
  4. Copy the Issuer ID and the new key's Key ID from the same page.
  5. Download the .p8 private key and store it somewhere safe immediately.

You need an Admin account to generate team keys. Individual keys work differently: any user can create their own from their profile — but if the Generate API Key button is missing there, an Admin has revoked the Generate Individual API Keys permission and has to grant it back first.

Which role should the key get?

Key roles are the same roles Apple defines for users, and the least-privilege logic is the same too:

One thing a role cannot fix: team keys apply across every app in the account. If a contractor should only touch one app, an individual key tied to their scoped user account models that better than any team key role.

.p8 security rules

The private key is downloadable exactly once — Apple keeps no copy. That single fact drives all the handling rules:

The same standard applies to vendors: any app or service that asks you to upload your .p8 to their servers is asking you to trust their security team with write access to your App Store presence. Local-first tools keep the key on your machine — that is the model to insist on.

What the API can and can't do

A key with the right role covers the daily publishing surface: app metadata and screenshots, TestFlight, customer reviews, analytics and sales reports, and pricing. It does not cover everything Apple's website can do:

A trustworthy tool is explicit about that boundary instead of promising to automate all of it — more on that in what a desktop client can and can't do.

Where Shipzen fits

Shipzen is a native macOS App Store Connect client that authenticates with your own API key and stores it in the macOS Keychain. Requests go directly from your Mac to Apple — there is no Shipzen server in the middle, so your .p8 never leaves your machine. An App Manager team key (or your individual key) is all it needs to run its pre-submission validator, locale scanner, and metadata editor.

App Store Connect, the way you need to see it. One email at launch, no spam.

Join the waitlist