Logo for tanaschita.com

Authorizing App Store Connect API requests

Learn how to create and use a JSON Web Token when communicating with the App Store Connect API.

26 Dec 2022 · 4 min read

As mentioned in this developer guide on the App Store Connect API, a JSON Web Token (JWT) is needed to authorize each request we make.

The JWT is an open standard that defines a way to securely transmit information. To create a JWT, the following steps are required:

  1. Generate and download an API key from the Users and Access section in App Store Connect.
  2. Create a JWT header and payload.
  3. Sign the JWT with the private key of the API key.
  4. Include the JWT as a bearer token in the request's authorization header.

Let's look at each step in more detail.

Sponsorship logo
Preparing for a technical iOS job interview - updated for iOS 17
Check out my book on preparing for a technical iOS job interview with over 200 questions & answers. Test your knowledge on iOS topics such as Swift, SwiftUI, Combine, HTTP Networking, Authentication, SwiftData & Core Data, Concurrency with async/await, Security, Automated Testing, Machine Learning and more.
LEARN MORE

1. Generating an API key

An API key can be created in the Users and Access section in App Store Connect. When generating a key, we select a user role which determines what type of information this key can access. The roles are the same we already know from roles we can assign to team members.

An API key is a pair consisting of a public and a private key. After generating a key, we can download the private key as a .p8 file, while Apple keeps the public key.

For security reasons, Apple doesn't store the private key, so we can only download it once. From here, we can also revoke the API key immediately if it becomes inactive, lost or compromised.

2. Creating a JWT header and payload

A JWT header and payload might look as follows:

header

{
"alg": "ES256",
"kid": "79NWH6F376",
"typ": "JWT"
}

payload

{
"iss": "69a6de73-ea56-47e3-e053-5b8c7c11a4d1",
"iat": 1528407600,
"exp": 1528408800,
"aud": "appstoreconnect-v1",
"scope" : ["PATCH /v1/apps"]
}

Whereas

  • kid is the KEY ID of the API key we can copy from App Store Connect.
  • iss is the issuer id we can also copy from the API key entry in App Store Connect.
  • iat is the token's creation time in UNIX epoch time
  • exp is the token's expiration time in UNIX epoch time
  • scope specifies which API requests should be accepted for the token

3. Signing the JWT token

There are a variety of open source libraries available online for creating and signing JWT tokens. See JWT.io for more information.

4. Include JWT in the request's authorization header

We now can use the signed token to send requests to the App Store Connect API. For example:

curl -v -H 'Authorization: Bearer [signed token]'
"https://api.appstoreconnect.apple.com/v1/apps"
Sponsorship logo
Preparing for a technical iOS job interview - updated for iOS 17
Check out my book on preparing for a technical iOS job interview with over 200 questions & answers. Test your knowledge on iOS topics such as Swift, SwiftUI, Combine, HTTP Networking, Authentication, SwiftData & Core Data, Concurrency with async/await, Security, Automated Testing, Machine Learning and more.
LEARN MORE

Newsletter

Image of a reading marmot
Subscribe

Like to support my work?

Say hi

Related tags

Articles with related topics

continuous integration

networking

ios

Developer guide on the App Store Connect API

Learn how to automate App Store Connect.

28 Nov 2022 · 7 min read

Latest articles and tips

© 2024 tanaschita.com

Privacy policy

Impressum