App Store Connect API Keys: Roles and .p8 Security
Updated July 12, 2026 · by the Shipzen team
An App Store Connect API key is the credential that lets tools talk to
Apple's official
App Store Connect API
on your behalf: CI pipelines uploading builds, fastlane pushing metadata, and
native desktop clients editing your
listings. The key has three parts — a Key ID, an
Issuer ID, and a private key file ending in .p8 — and the
tool signs short-lived JWTs with them for every request. Getting the key's role right,
and handling the .p8 file correctly, is most of the security story.
Team keys vs individual keys
Apple issues two kinds of keys, and they are not interchangeable:
| Team key | Individual key | |
|---|---|---|
| Scope | All apps in the account, access set by the role you assign | Tied to one user's own apps and permissions |
| Who can create it | Admin (or Account Holder) | Any user, unless an Admin revokes the permission |
| Provisioning, Sales and Finance, notarytool | Supported | Not available |
| How many | Multiple keys allowed | One active key per user |
Practical rule: shared infrastructure (CI, release tooling, a team's metadata workflow) gets a team key with a deliberately chosen role. An individual key is fine for personal scripts, because it can never exceed what you personally can do — but it also cannot touch provisioning, notarization, or sales reports at all.
Creating a team key, step by step
- In App Store Connect, open Users and Access, then the Integrations tab.
- Select App Store Connect API in the left column, then the Team Keys tab.
- Click the add button, name the key after the tool that will use it (one key per tool), and pick a role.
- Copy the Issuer ID and the new key's Key ID from the same page.
- Download the
.p8private key and store it somewhere safe immediately.
You need an Admin account to generate team keys. Individual keys work differently: any user can create their own from their profile — but if the Generate API Key button is missing there, an Admin has revoked the Generate Individual API Keys permission and has to grant it back first.
Which role should the key get?
Key roles are the same roles Apple defines for users, and the least-privilege logic is the same too:
- Developer — uploads builds and manages TestFlight builds. Enough for most CI pipelines that only ship binaries.
- App Manager — everything release-shaped: builds, versions, App Store metadata, pricing, submissions. The right ceiling for release tooling and metadata editors.
- Finance — payments and financial reports. Required if the tool reads sales and finance data; only team keys can reach those endpoints.
- Admin — adds user management and account-wide settings. Almost no tool needs this. Reserve it for the rare integration that genuinely manages users.
One thing a role cannot fix: team keys apply across every app in the account. If a contractor should only touch one app, an individual key tied to their scoped user account models that better than any team key role.
.p8 security rules
The private key is downloadable exactly once — Apple keeps no copy. That single fact drives all the handling rules:
- Store it in a real secret store: the macOS Keychain on a workstation, your CI provider's encrypted secrets otherwise.
- Never commit it, paste it into chat tools, or bake it into build artifacts.
- Lost the file? There is no re-download — revoke the key and create a new one.
- Suspect a leak? Revoke immediately in Users and Access. Revocation is permanent (revoked keys cannot be reinstated), and the key stops working for every tool that held it.
- Name keys per tool so revoking one integration never breaks the others.
The same standard applies to vendors: any app or service that asks you to upload your
.p8 to their servers is asking you to trust their security team
with write access to your App Store presence. Local-first tools keep the key on your
machine — that is the model to insist on.
What the API can and can't do
A key with the right role covers the daily publishing surface: app metadata and screenshots, TestFlight, customer reviews, analytics and sales reports, and pricing. It does not cover everything Apple's website can do:
- Privacy nutrition labels have no official public write API — privacy declarations still happen in the App Store Connect web UI.
- Agreements, banking, and tax are account-legal surfaces handled on the web, mostly by the Account Holder role — see our Apple Developer account setup guide.
A trustworthy tool is explicit about that boundary instead of promising to automate all of it — more on that in what a desktop client can and can't do.
Where Shipzen fits
Shipzen is a native macOS App Store Connect client that authenticates
with your own API key and stores it in the macOS Keychain. Requests go directly from
your Mac to Apple — there is no Shipzen server in the middle, so your .p8
never leaves your machine. An App Manager team key (or your individual key) is all it
needs to run its pre-submission validator,
locale scanner, and metadata editor.
App Store Connect, the way you need to see it. One email at launch, no spam.
Join the waitlist