
Authorizing App Store Connect API requests

Learn how to create and use a JSON Web Token when communicating with the App Store Connect API.

26 Dec 2022 · 4 min read

As mentioned in this developer guide on the App Store Connect API, a JSON Web Token (JWT) is needed to authorize each request we make.

JWT is an open standard that defines a compact way to transmit signed claims between two parties. To create a JWT for the App Store Connect API, the following steps are required:

  1. Generate and download an API key from the Users and Access section in App Store Connect.
  2. Create a JWT header and payload.
  3. Sign the JWT with the private key of the API key.
  4. Include the JWT as a bearer token in the request's Authorization header.

Let's look at each step in more detail.


1. Generating an API key

An API key can be created in the Users and Access section in App Store Connect. When generating a key, we select a user role, which determines what type of information this key can access. The available roles are the same ones we can assign to team members.

An API key is a pair consisting of a public and a private key. After generating a key, we can download the private key as a .p8 file, while Apple keeps the public key.

For security reasons, Apple doesn't store the private key, so we can only download it once. From the same section, we can also revoke the API key immediately if it is no longer in use, lost or compromised.

2. Creating a JWT header and payload

A JWT header and payload might look as follows:

header

{
  "alg": "ES256",
  "kid": "79NWH6F376",
  "typ": "JWT"
}

payload

{
  "iss": "69a6de73-ea56-47e3-e053-5b8c7c11a4d1",
  "iat": 1528407600,
  "exp": 1528408800,
  "aud": "appstoreconnect-v1",
  "scope": ["PATCH /v1/apps"]
}

where:

  • kid is the KEY ID of the API key, which we can copy from App Store Connect.
  • iss is the issuer ID, which we can also copy from the API key entry in App Store Connect.
  • iat is the token's creation time in UNIX epoch time.
  • exp is the token's expiration time in UNIX epoch time.
  • scope specifies which API requests should be accepted for the token.

3. Signing the JWT

There are a variety of open source libraries available for creating and signing JWTs. See JWT.io for more information.
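As an added worked example (not code from the original article, and not Apple's own tooling), the following Go program carries out steps 2 and 3 with only the standard library: it loads the downloaded .p8 file, builds the header and payload shown above, and signs them with ES256. The function names loadP8Key and makeToken are chosen here, and the key ID, issuer ID and scope are parameters you fill in with the values from App Store Connect.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
)

// loadP8Key parses the PKCS#8 PEM file (.p8) downloaded from App Store Connect.
func loadP8Key(pemData []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block found in .p8 data")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	ec, ok := key.(*ecdsa.PrivateKey)
	if err != nil || !ok || ec.Curve != elliptic.P256() {
		return nil, errors.New("ES256 requires a PKCS#8 EC P-256 private key")
	}
	return ec, nil
}

// makeToken builds and signs header.payload.signature for the App Store Connect API.
// keyID and issuerID come from the API key entry in App Store Connect; now is UNIX seconds.
func makeToken(key *ecdsa.PrivateKey, keyID, issuerID string, now int64, scope []string) (string, error) {
	enc := base64.RawURLEncoding // JWT segments are unpadded base64url
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID, "typ": "JWT"})
	payload, _ := json.Marshal(map[string]interface{}{
		"iss": issuerID, "iat": now, "exp": now + 20*60, // Apple rejects tokens that live longer than 20 minutes
		"aud": "appstoreconnect-v1", "scope": scope,
	})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the fixed-width 64-byte r||s form, not ASN.1 DER
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}
```

Because the token is short-lived by design, generate a fresh one per CI run rather than storing a signed token anywhere; only the .p8 file needs to be kept secret.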

4. Including the JWT in the request's Authorization header

We can now use the signed token to send requests to the App Store Connect API, for example:

curl -v -H 'Authorization: Bearer [signed token]' "https://api.appstoreconnect.apple.com/v1/apps"

© 2023 tanaschita.com
