All guides

How to Create an App Store Connect API Key (Step by Step)

To create an App Store Connect API key, sign in to App Store Connect as an Account Holder or Admin, open Users and Access, go to the Integrations tab, and generate a Team Key with a role. You download the private key as a .p8 file once — Apple never shows it again — and pair it with the Issuer ID (shown on the same page) and the Key ID. Those three values authenticate any tool that manages your app via the API. This guide walks the exact steps, the roles, and how to store the key safely.

What an App Store Connect API key is and what it automates

The App Store Connect API is Apple's programmatic interface to everything you normally do in the App Store Connect website: editing metadata and localizations, uploading screenshots, managing in-app purchase and subscription pricing, reading sales and analytics, and managing TestFlight. An API key lets a tool — fastlane, a CI job, or a native app like MetaFlow — do those things on your behalf without your Apple ID password and without web clicks. Authentication uses a JSON Web Token signed with your private key, so the key is effectively a credential that acts as whichever role you assigned it. There are two kinds: Team Keys (created by admins, scoped to your team, used by most tools) and Individual Keys (tied to one user). For managing your own apps, you want a Team Key.

Step by step: generating a team key

You must be the Account Holder or an Admin to create team keys. In App Store Connect, open Users and Access from the top navigation, then select the Integrations tab (older interfaces called it Keys). Under App Store Connect API, click the plus button to generate a new key. Give it a descriptive name you will recognize later (for example, 'MetaFlow' or 'CI Release'), choose an access role, and click Generate. App Store Connect creates the key and shows a one-time Download link for the private key file. Download it immediately — you cannot download it again. The key now appears in the list with its Key ID, and the Issuer ID is displayed above the list, shared by all keys on the team.

  • You must be Account Holder or Admin to create team keys
  • Users and Access → Integrations tab → App Store Connect API
  • Name the key, choose a role, Generate, then download the .p8 once

Issuer ID, Key ID, and the .p8 file — what each is for

Three values together authenticate every API request, and it helps to know what each one does. The Issuer ID is a UUID identifying your whole team; it is the same for every key you create and is shown at the top of the Integrations page. The Key ID is a short identifier (around ten characters) unique to each individual key, shown next to the key in the list. The .p8 file is the actual private key — the secret — and it is the piece Apple lets you download exactly once. A tool signs a short-lived JSON Web Token with the .p8, stamps it with the Key ID and Issuer ID, and sends it as a bearer token. If you lose the .p8 you cannot recover it; you revoke that key and generate a new one. Guard the .p8 like a password, because that is exactly what it is.

  • Issuer ID — one UUID for your whole team, shared by all keys
  • Key ID — short identifier unique to each individual key
  • .p8 file — the private key itself, downloadable only once

Choosing the right role: least privilege

When you generate a key you assign it an access role, and the key can do exactly what that role can do — no more. Apply least privilege: give the key the narrowest role that still lets your tool do its job. For a tool that edits metadata, manages screenshots, and updates pricing, the App Manager role is usually sufficient and is the common recommendation. Admin grants broad control including user management, which a metadata tool has no reason to hold, so reserve it for keys that genuinely need it. Developer is more limited and may block some publishing actions. If a tool documents a required role, match it; otherwise start at App Manager and step up only if an operation is denied. A tightly scoped key limits the blast radius if it ever leaks.

  • Match the role to the job — least privilege
  • App Manager suits metadata, screenshots, and pricing tools
  • Avoid Admin unless the key genuinely needs user management

Keeping the key safe: one-time download, Keychain, revocation

Because the .p8 downloads only once and never expires on its own, its security is entirely on you. Never commit it to a Git repo, never paste it into a chat or ticket, and never email it — leaked App Store Connect keys have been abused. Store it in a secrets manager for CI, or in the macOS Keychain for a local Mac tool, where it is encrypted at rest and gated by your login. Prefer tools that read the key from the Keychain over ones that keep a loose copy on disk. If a key is exposed, or when a contractor leaves, revoke it in the same Integrations tab — revocation is immediate and you simply generate a fresh key for anything legitimate. Rotating keys periodically is good hygiene for the same reason you rotate any long-lived credential.

  • Never commit, email, or paste the .p8 anywhere shared
  • Store it in the macOS Keychain or a secrets manager, encrypted at rest
  • Revoke a leaked or retired key immediately in the Integrations tab

Connecting your key to MetaFlow and editing your first locale

MetaFlow authenticates with the same three values — Issuer ID, Key ID, and .p8 — and stores them in the macOS Keychain so they never leave your Mac. Once connected, your apps and locales load automatically.

  1. 1In App Store Connect, generate an App Manager team key and download the .p8 once
  2. 2Copy the Issuer ID from the top of the Integrations page and the Key ID next to your key
  3. 3In MetaFlow, add a new connection and paste the Issuer ID, Key ID, and the .p8 file
  4. 4MetaFlow stores the credentials in the macOS Keychain — nothing is synced to the cloud
  5. 5Your apps, versions, and every locale load automatically once the key is verified
  6. 6Open the metadata editor, pick a locale, and make your first edit or run a translation
Download on App Store

FAQ

Can I download the .p8 private key again later?

No. Apple lets you download the private key file exactly once, right after you generate it. If you lose it, you cannot recover it — you revoke that key in the Integrations tab and generate a new one.

Which role should I give an App Store Connect API key?

Apply least privilege. For a tool that edits metadata, manages screenshots, and updates pricing, App Manager is usually enough. Avoid Admin unless the key genuinely needs user management, since a broader role means a bigger blast radius if it leaks.

Do I need to be an admin to create a key?

To create Team Keys — the kind most tools use — yes, you must be the Account Holder or an Admin. Individual Keys are tied to a single user, but Team Keys are what you want for managing your team's apps.

Is it safe to give a third-party tool my API key?

It depends on the tool. Prefer tools that store the key in the macOS Keychain or a proper secrets manager and keep it local, like MetaFlow does. Scope the key with least privilege and revoke it immediately if you ever suspect it was exposed.