How to create an App Store Connect API key, step by step

Updated 3 July 2026

You create an App Store Connect API key under Users and Access → Integrations → App Store Connect API. Click the + button, name the key, pick an access role, and generate it – then download the .p8 private key file immediately, because Apple lets you download it exactly once. You will also need two identifiers shown on the same page: the issuer ID (shared by your whole team) and the key ID (unique per key).

The one prerequisite that trips people up: the very first time, your team's Account Holder must request API access on that page and accept Apple's terms. Until that happens, nobody on the team can create keys.

The steps

  1. Request API access (first time only). Sign in to App Store Connect as the Account Holder, open Users and Access → Integrations. If you see a Request Access button, click it, agree to the terms, and submit. Access is usually granted immediately. Individual developers are their own Account Holder; on a company team, you may need to ask the person who owns the membership.
  2. Create the key. On the same Integrations page, under Team Keys, click the + (Generate API Key) button. Give the key a descriptive name – the name is only a label, so something like "Itsyconnect on my MacBook" beats "Key 2".
  3. Choose the access role. The role decides what the key can see. Admin gives full API access, including sales reports, finance data, and analytics. App Manager can edit apps and TestFlight but cannot read sales or analytics. Developer is enough for uploading builds from CI. Pick the smallest role that covers your use case – but note that dashboards and analytics tools genuinely need Admin, because Apple only returns download, revenue, and engagement data to Admin keys.
  4. Download the .p8 file – you get one chance. Click Generate, then Download API Key. The .p8 private key downloads once and can never be downloaded again; if you lose it, you revoke the key and create a new one. Store it somewhere safe (a password manager works well) and never commit it to a repository.
  5. Note the issuer ID and key ID. The issuer ID appears at the top of the Integrations page and is the same for every key on your team. The key ID is listed next to your new key. API clients ask for all three: issuer ID, key ID, and the .p8 file – together they let a tool sign short-lived tokens to authenticate with Apple.

Which role do you actually need?

Use caseMinimum role
Upload builds from CI (fastlane, Xcode Cloud alternatives)Developer
Edit metadata, screenshots, TestFlightApp Manager
Read sales, proceeds, downloads, analyticsAdmin
Finance and payment reportsAdmin or Finance
Full-featured dashboard apps (Itsyconnect, and similar)Admin

Keeping the key safe

  • Treat the .p8 file like a password: it can read your revenue and edit your apps. Never put it in a git repository, a shared drive, or an email.
  • A key cannot be edited after creation – you cannot rename it or change its role. To change anything, revoke it and generate a new one.
  • Revoking a key takes effect immediately and breaks every tool using it, which makes per-tool keys a good habit: one key per app or CI system means revoking one thing breaks one thing.
  • Check where a local-first tool stores the key. Itsyconnect, for example, encrypts it with AES-256-GCM, keeps the encryption key in the macOS Keychain, and sends the private key only to Apple – never to any other server.

Frequently asked questions

Where do I find my App Store Connect issuer ID?

In App Store Connect, open Users and Access → Integrations → App Store Connect API. The issuer ID is displayed at the top of the page, above the list of keys. It is a UUID and is the same for all keys on your team.

I lost my .p8 file. Can I download it again?

No – Apple allows exactly one download per key. Revoke the lost key on the Integrations page and generate a new one. Anything that used the old key needs the new key ID and .p8 file.

Why does my analytics tool require an Admin key?

Apple's API only returns sales reports, proceeds, and analytics data to keys with the Admin role (Finance covers financial reports only). App Manager and lower roles can manage apps but get permission errors on sales and analytics endpoints, so any dashboard that shows revenue or downloads needs Admin.

Is an App Store Connect API key safer than logging in with my Apple ID?

Generally yes. A key has a fixed, auditable scope, works without your password or two-factor codes, and can be revoked in one click without touching your account. Tools that ask for your actual Apple ID password should be treated with far more suspicion than tools that ask for an API key.

Related guides

Get Itsyconnect

Itsyconnect is a free, local-first Mac app that replaces the App Store Connect website – analytics, releases, TestFlight, reviews, keywords, and screenshots in one fast interface, with bring-your-own-key AI. Completely free, open source, no account, and your data never leaves your Mac. Download for Mac →