The App Store Connect API lets you automate nearly everything you would normally do through the web interface. Managing app metadata, TestFlight builds, in-app purchases, user roles, sales reports, customer reviews — all of it is accessible through a well-structured REST API that Apple provides for free to every developer program member.
But getting started is harder than it should be. The official documentation is thorough yet dense, and the authentication mechanism — JSON Web Tokens signed with an elliptic curve key — trips up most developers on their first attempt. This guide walks you through the entire process, from generating your API key to making your first authenticated request.
What Can You Automate
The App Store Connect API covers a wide surface area. Almost every action you perform in the web UI has an API equivalent, and in some cases the API gives you capabilities the UI does not.
App metadata and versions. Update your app name, subtitle, description, keywords, and promotional text across all localizations programmatically. Manage app versions, submit builds for review, and track submission statuses. If you ship multiple apps, this alone saves hours of manual form-filling.
TestFlight builds and testers. Add and remove beta testers, create and manage beta groups, assign builds to groups, set build-level test information, and monitor build processing statuses. Teams that ship frequent betas can automate their entire tester onboarding workflow.
In-app purchases and subscriptions. Create and manage consumables, non-consumables, auto-renewable subscriptions, and non-renewing subscriptions. Configure pricing across territories, set up promotional offers, and generate offer codes. This is one of the most tedious workflows in the web UI, and automating it is transformative.
User management and roles. Invite users to your team, assign roles (Admin, Developer, Marketing, Finance, and more), manage access to specific apps, and remove users. Useful for larger teams or agencies managing multiple developer accounts.
Sales and financial reports. Download sales, subscription, and financial reports programmatically. Build dashboards, track revenue trends, or feed data into your analytics pipeline. The reporting endpoints use a different base URL and authentication model, but the same API key works.
Customer reviews. Fetch customer reviews and developer responses, filter by rating or territory, and post responses. If you want to monitor sentiment across your apps or build an internal review dashboard, the API makes this straightforward.
Setting Up Your API Key
Before you can make any API calls, you need to generate an API key in App Store Connect. This is a one-time setup that takes about two minutes.
Step 1: Navigate to API key management. Log in to App Store Connect, click "Users and Access" in the top navigation, then select the "Integrations" tab. Under "App Store Connect API," you will see the key management interface.
Step 2: Generate a new key. Click the "+" button to create a new key. Give it a descriptive name — something like "CI/CD Pipeline" or "Internal Dashboard" — so you remember its purpose later. Choose a role that matches the level of access you need:
- Admin gives full access to everything, including user management and agreements
- Developer covers app metadata, builds, TestFlight, and in-app purchases
- Finance provides access to sales, financial reports, and agreements
For most automation use cases, Developer is sufficient. Use Admin only if your scripts need to manage team members or agreements.
Step 3: Download the private key. After generating the key, you will see a "Download API Key" button. This downloads a .p8 file containing your private key. You can only download this file once. If you lose it, you have to revoke the key and generate a new one. Store it somewhere secure — a password manager, an encrypted vault, or a CI/CD secrets store.
Step 4: Note your Key ID and Issuer ID. The Key ID appears in the key list next to your key name. The Issuer ID appears at the top of the API keys page. You need both of these values, along with the private key file, to authenticate your API requests.
JWT Authentication Explained
The App Store Connect API uses JSON Web Tokens (JWT) for authentication. Unlike a simple API key you pass in a header, JWTs are self-contained tokens that you generate, sign with your private key, and include in each request. This means there is no token exchange endpoint — you create the token yourself.
A JWT consists of three parts, each Base64URL-encoded and separated by dots:
The header specifies the signing algorithm and key ID. App Store Connect requires the ES256 algorithm (ECDSA with P-256 curve and SHA-256 hash). Your Key ID goes in the kid field, and the type is always JWT.
The payload contains claims about the token. The required claims are: iss (your Issuer ID), iat (issued-at timestamp, in seconds since Unix epoch), exp (expiration timestamp), and aud (audience, always appstoreconnect-v1). The maximum token lifetime is 20 minutes — set exp to no more than 1200 seconds after iat.
The signature is computed by signing the encoded header and payload with your .p8 private key using the ES256 algorithm. This is what proves the token came from someone who holds the private key.
The flow works like this: your code reads the .p8 private key file, constructs the header and payload with the correct claims, signs them with ES256, and produces a complete JWT string. You then include this token in every API request as a Bearer token in the Authorization header.
Common pitfalls that will waste your time:
- Wrong algorithm. If you use RS256 (RSA) instead of ES256 (ECDSA), authentication will fail silently. The
.p8key Apple provides is an EC key, not an RSA key. - Expired tokens. Tokens are valid for a maximum of 20 minutes. If you generate a token once and reuse it across a long-running script, requests will start failing partway through. Regenerate tokens as needed.
- Key format issues. The
.p8file is a PEM-encoded PKCS#8 private key. Some JWT libraries expect raw key bytes, others want the PEM string with headers. Make sure you are passing the key in the format your library expects. - Clock skew. If your system clock is off by more than a few seconds, Apple's servers may reject your
iatclaim. Ensure your system time is synchronized.
Most languages have mature JWT libraries that handle the signing mechanics. In Swift, you can use the swift-jwt package. In Python, PyJWT with the cryptography backend works well. In Node.js, jsonwebtoken is the standard choice. The library handles Base64URL encoding, signature computation, and token assembly — you just supply the key, algorithm, and claims.
Making Your First API Call
With a signed JWT in hand, you are ready to make your first request. The base URL for the App Store Connect API is:
https://api.appstoreconnect.apple.com/v1/
The simplest starting point is listing your apps. Send a GET request to /v1/apps with your JWT in the Authorization header:
GET https://api.appstoreconnect.apple.com/v1/apps
Authorization: Bearer eyJhbGciOiJFUzI1NiIsIm...
The response uses the JSON:API specification. This means every resource has a type, id, and attributes object. Relationships between resources are expressed through relationships fields, and you can include related resources in a single request using the include query parameter.
A typical response for the apps endpoint looks like this: each app object contains attributes like name, bundleId, sku, and primaryLocale. The response also includes pagination information — links with self, next, and first URLs.
You can filter and sort results using query parameters. For example, to find a specific app by bundle ID:
GET /v1/apps?filter[bundleId]=com.example.myapp
To include related app store versions in the same response:
GET /v1/apps?include=appStoreVersions
This relational data model is powerful but takes some getting used to if you have only worked with simpler REST APIs. The JSON:API format reduces the number of requests you need to make, since you can pull in related resources with include instead of making separate calls.
Rate Limits to Know
Apple does not officially document the rate limits for the App Store Connect API, but consistent testing across the developer community points to approximately 300 requests per minute as the practical ceiling. Exceed that, and you will start receiving 429 Too Many Requests responses.
When you hit a rate limit, Apple returns a 429 status code with a Retry-After header indicating how many seconds to wait before retrying. The correct response is to implement exponential backoff: wait the specified time, then retry. If you hit the limit again, double your wait time.
For most use cases, 300 requests per minute is generous. But if you are building a dashboard that polls multiple endpoints for multiple apps, or running a migration script that creates hundreds of in-app purchases, you will need to be mindful of pacing. Batch your requests where possible, use include to reduce the number of calls, and add delays between bursts of requests.
Popular Use Cases
Once you have authentication working, the API opens up a range of practical automations.
Automated release notes updates. Generate release notes from your commit history or changelog, then push them to App Store Connect for each new version. No more copy-pasting between your project management tool and the web UI.
Bulk tester management for TestFlight. Maintain a CSV or database of beta testers and sync them with TestFlight groups automatically. Add testers when they sign up, remove them when they leave the program, and assign them to the right groups based on criteria you define.
Monitoring build processing status. After uploading a build, poll the API to check processing status and send a notification (Slack, email, webhook) when it completes — or when it fails. No more refreshing the TestFlight page waiting for the spinner to finish.
Fetching and responding to reviews. Build a Slack bot or internal dashboard that surfaces new reviews as they arrive, filtered by rating or territory. Draft responses in your own system and post them through the API. This is especially useful for apps with high review volume across multiple territories.
Tools Built on the API
You do not have to build everything from scratch. Several mature tools already wrap the App Store Connect API and handle authentication, pagination, and error handling for you.
Fastlane is the most widely used automation tool in the iOS ecosystem. Written in Ruby, it provides actions for uploading builds, managing metadata, taking screenshots, and more. If your primary need is CI/CD integration, Fastlane is a solid choice with a massive community behind it.
appstoreconnect-swift-sdk is an open-source Swift package that provides a type-safe wrapper around the entire API. If you are building tools in Swift — whether scripts, command-line utilities, or Mac apps — this SDK handles JWT generation, request construction, and response parsing for you.
Runway is a release management platform that sits on top of the App Store Connect API and provides team collaboration features, release checklists, and monitoring dashboards. It is aimed at teams that want a managed solution rather than building their own tooling.
Forge takes a different approach. Instead of wrapping the API in a script or web platform, Forge is a native Mac app built entirely on the App Store Connect API. It gives you a fast, visual interface for every endpoint — reviews, metadata, TestFlight, in-app purchases, subscriptions, user management, and more — without writing a single line of code. If you have ever opened the App Store Connect website and waited fifteen seconds for a page to load, Forge solves that problem. And with Forge Agent, you can even interact with the API through natural language conversation.
When to Use the API vs. a Tool
If you are building a CI/CD pipeline, a custom dashboard, or a specialized workflow that does not exist in any off-the-shelf tool, the raw API is the right choice. You get full control, no dependencies on third-party tools, and access to every endpoint Apple exposes.
But for day-to-day management tasks — checking reviews, updating metadata, managing testers, monitoring builds — using a tool built on the API saves significant time. You skip the JWT implementation, the pagination handling, the error recovery, and the JSON:API parsing. You get a ready-made interface that surfaces the data you need without the plumbing.
If you would rather skip the API complexity and get a visual interface built on top of it, Forge gives you all the power of the API in a native Mac app. Every feature in Forge maps directly to App Store Connect API endpoints, but you interact with them through a polished UI instead of raw HTTP requests.
Download Forge and start managing your apps the fast way. You can explore all the features on the features page, or go straight to the download page to get started.