Hello Apple Developer Community, I recently encountered a serious security issue involving a third-party app development company that requested full JSON API key access to my Apple Developer account. After conducting research, I realized that granting this access would allow permanent backend control over my app—even after our contract ended. Key Issue: • Third-party developers extract JSON API keys from client accounts. • These keys allow unrestricted backend access, even after being removed from the account. • With this access, they can: • Modify apps remotely • Interfere with financial settings • Restrict client access while maintaining their own backend control Why This Matters: • This could be happening at scale, affecting many developers unknowingly. • It’s a major security risk—developers could be losing control of their apps without realizing it. • Apple’s policies do not explicitly warn against this kind of practice, which leaves developers vulnerable. I Need Guidance: • Is there an official Apple security team I can report this to? • How can developers safeguard themselves from these kinds of exploits? • Does Apple have a protocol for auditing third-party developer activity within client accounts? I have full documented evidence of this practice, including chat logs, emails, and technical breakdowns. This is a serious issue that needs the right eyes on it. Please advise on the next steps Apple recommends for reporting and addressing this vulnerability. Kindly find my evidence below. https://drive.google.com/drive/folders/1uZnAvJE48OazvSgMYr6-wSB1Ss5rF5r4

We use Bitrise for our build pipelines and the step for building and signing the iOS app fails when calling the v1/devices endpoint. Specifically, the next endpoint from the App Store API returns this error when getting the next page of devices. PARAMETER_ERROR.INVALID: A parameter has an invalid value: 'XXXXXXXXXXXXX' is not a valid cursor for this request I am able to recreate this in Postman. The first query without a cursor works just fine. https://api.appstoreconnect.apple.com/v1/devices?filter%5Bplatform%5D=IOS&filter%5Bstatus%5D=ENABLED&limit=20 { data: [ ... ], "links": { "self": "https://api.appstoreconnect.apple.com/v1/devices?filter%5Bstatus%5D=ENABLED&filter%5Bplatform%5D=IOS&limit=20", "next": "https://api.appstoreconnect.apple.com/v1/devices?filter%5Bstatus%5D=ENABLED&filter%5Bplatform%5D=IOS&cursor=XXXXXXXXXXXX&limit=20" }, "meta": { "paging": { "total": 90, "limit": 20 } } } However when I try to get the next page of devices with the next URL from the App Store API I get the same error as before. { "errors": [ { "id": "...", "status": "400", "code": "PARAMETER_ERROR.INVALID", "title": "A parameter has an invalid value", "detail": "'XXXXXX' is not a valid cursor for this request", "source": { "parameter": "cursor" } } ] } Recently I refreshed the certificates and provisioning profiles and removed outdated device listings, so this might play a role in what is happening.

In the Apple Summary Sales Report using App Store Connect API, you can get a daily count of downloads and re-downloads by using the 1F and 3F values in the Product Type Identifier column. You can then cross check the download numbers against the downloads reported in the Analytics section of App Store Connect. When looking at a month of data, the first time download numbers seem to line up exactly ("1F" in the API versus "First-Time Downloads" in Appstore Store Connect). There is a discrepancy though between reported re-downloads. The total units for "3F" does not line up with the "Redownloads" numbers reported in the Analytics section of App Store Connect. The "3F" redownloads from the API appear to be 60% higher for a month compared to the App Store Connect reporting interface. What could be going on here? Is there some type of de-duplication process run on the App Store Connect web report data that is not run on the data coming out of the App Store Connect API? Any insight would be greatly appreciated.

Our test application has the status "Approved" on the test build list view. However, when adding testers to the test build, the process failed with the error message "An error has occurred. Try again later." **Here is the API request: ** https://appstoreconnect.apple.com/iris/v1/builds/d9bc89fa-e94d-4a33-a39c-20550c0673ec/relationships/individualTesters Here is the response: { "errors" : [ { "id" : "5b833be8-18d1-4ce9-b47d-7a315ef49a50", "status" : "409", "code" : "STATE_ERROR", "title" : "The request cannot be fulfilled because of the state of another resource.", "detail" : "Tester(s) cannot be assigned" } ] } Does anyone experience the same issue? Any insight on the root cause? I am wondering if this could be fixed by itself. Any input and help is appreciated.

I am using the App Store Connect API to update app information. When I send data for the Thai (th) locale, the update is successful. However, when I send data for English - United States (en-US), I receive a 409 error (STATE_ERROR). PATCH request URL (for updating whatsNew) is "https://api.appstoreconnect.apple.com/v1/appStoreVersionLocalizations/{localizationId" Example Data (translations list) ✅ Success: th (Thai) ["th", "แอพซื้อขายหุ้นสาธิตนี้เป็นแอพที่ให้คุณฝึกซื้อขายหุ้นโดยไม่ต้องใช้เงินจริง", "เราได้ปรับปรุงฟังก์ชันการทำงานและแก้ไขข้อบกพร่องเพื่อให้ใช้งานได้สะดวกยิ่งขึ้น"] ❌ Failure (409 error): en-US (English - United States) ["en-US", "This stock demo trading app is an app that allows you to practice stock trading without using real money.", "We have enhanced functionality and fixed bugs to make it even more comfortable to use."] Error Details The error occurs when executing the http.patch() request in the _updateAppStoreConnectInfo function. Error log: { "errors": [ { "id": "899835a1-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "status": "409", "code": "STATE_ERROR", "title": "The request cannot be fulfilled because of the state of another resource.", "detail": "Attribute 'whatsNew' cannot be edited at this time" } ] } What I Have Tried The request succeeds for th, but fails for en-US. Both requests have the same format. According to Apple’s official documentation (https://developer.apple.com/documentation) a 409 error occurs when there is an issue with the request data, but I am unsure what is incorrect. I tested 32 languages, and some worked while others did not. In this inquiry, I picked th (Thai) and en-US (English - United States) as examples. Questions Why does the en-US request return a 409 error while the th request succeeds? What could be causing the error message “Attribute ‘whatsNew’ cannot be edited at this time”? Is there a way to resolve this issue? Any help would be greatly appreciated. Thank you!

I have a Unity application in which I'm implementing a GameCenter login with PlayFab. I fetch the items and use them in the PlayFab request, which returns me the error 'Authentication failed. Signature does not match the authentication request data'. I've reproduced the request using Insomnia with the same results. I have this exact same flow implemented in another application, which works normally. I'm positive that the PlayFab verification is correct, and there's indeed an issue with the data being sent, but I can't find any information about this kind of situation anywhere, and I don't know how to either reproduce the verification myself, or how to inspect the data to check for issues. I have reviewed my app's data on AppstoreConnect and have filled every form, document, and even its store page. I've also checked it's bundle identifier settings to make sure it had all the permissions necessary, which seems to be only GameCenter. I fetch the authentication items through this code try { Debug.Log("Fetching authentication items"); var fetchItemsResponse = await GKLocalPlayer.Local.FetchItems(); PlayFabGameCenterLogin(fetchItemsResponse); } catch (Exception ex) { Debug.Log("Error fetching authentication items: " + ex.Message); OnLoginFailure(); } Which is then sent to this method to start the login request static void PlayFabGameCenterLogin(GKIdentityVerificationResponse authenticationItems) { var request = new LoginWithGameCenterRequest(); request.CreateAccount = true; request.PlayerId = GKLocalPlayer.Local.GamePlayerId; request.InfoRequestParameters = new GetPlayerCombinedInfoRequestParams { GetUserAccountInfo = true }; if (authenticationItems != null) { request.PublicKeyUrl = authenticationItems.PublicKeyUrl; request.Salt = Convert.ToBase64String(authenticationItems.GetSalt()); request.Signature = Convert.ToBase64String(authenticationItems.GetSignature()); request.Timestamp = authenticationItems.Timestamp.ToString(); } else Debug.Log("Playfab Login with no authentication items"); // Login PlayFabClientAPI.LoginWithGameCenter(request, OnLoginSuccess, (e) => { I'm on Unity 2022.3.10f1 Apple.Core 3.1.3 Apple.GameKit 2.2.2 Xcode 16.2 I need information on what could be the cause of this, if it's a SDK issue, a lack of filling information somewhere, if it's some data compatibility issue (maybe data on the app that's not the same on the appstoreconnect or developer?), or if it's possible to verify the authentication data manually to investigate.

App Store Connect Build Upload Failing – Gateway Timeout (504) 🔄 I’m trying to upload a build to App Store Connect through Xcode, but the process keeps failing with a Gateway Timeout (504) error. It looks like Apple’s API or App Store Connect is receiving an invalid response from an upstream service. The server returned unexpected content. <!DOCTYPE html> <html lang="en"> <head> <style> body { font-family: "Helvetica Neue", "HelveticaNeue", Helvetica, Arial, sans-serif; font-size: 15px; font-weight: 200; line-height: 20px; color: #4c4c4c; text-align: center; } .section { margin-top: 50px; } </style> </head> <body> <div class="section"> <h1>&#63743;</h1> <h3>Gateway Timeout</h3> <p>Correlation Key: **********</p> </div> </body> </html>```

Hi, I'm trying to use the change url functionality to switch my Xcode Cloud setup from Gitlab.com to my self hosted Gitlab instance. The setup process completes successfully, however, Xcode Cloud does not create any web hooks in my repo and also is not able to fetch any branch/tag information from the Gitlab instance. There is also no error displayed on Xcode Cloud UI. I even tried to debug by looking at requests on my server to see if there are any clues, to no avail. The only clue seems to be that in my repositories page, I see the instance listed but the row is highlighted red (which I assume means there's an issue with the connection). The last accessed date is also empty. The call to the /repos-v3 endpoint from App Store Connect seems to indicate there's an authentication issue: { "primary_repos" : [ { "repo" : { "id" : "xxxxxxxxxxx", "http_clone_url" : "xxxxxxxxxxx", "owner_name" : "xxxxxxxxxxx", "repo_name" : "xxxxxxxxxxx-ios", "repo_id" : "7", "provider" : "gitlab-hosted", "ssh_clone_url" : "ssh://xxxxxxxxxxx", "scp_clone_url" : "git@xxxxxxxxxxx", "default_branch" : "master" }, "authorization_state" : "unauthorized" } ], "additional_repos" : [ ], "unauthorized_repos" : [ ], "revoked_repos" : [ ] } On my end, when I try to add the repository to Xcode Cloud, I see a few requests to my GitLab instance, all of which succeed with 200: {"time":"2025-03-11T21:10:26.217Z","severity":"INFO","duration_s":0.05674,"db_duration_s":0.00567,"view_duration_s":0.05107,"status":200,"method":"GET","path":"/api/v4/user",.... {"time":"2025-03-11T21:10:26.797Z","severity":"INFO","duration_s":0.16682,"db_duration_s":0.02024,"view_duration_s":0.14658,"status":200,"method":"GET","path":"/api/v4/projects/xxxxxx%2Fxxxxxx-ios",.... {"time":"2025-03-11T21:10:28.298Z","severity":"INFO","duration_s":0.06617,"db_duration_s":0.00835,"view_duration_s":0.05782,"status":200,"method":"GET","path":"/api/v4/user",.... {"time":"2025-03-11T21:10:28.867Z","severity":"INFO","duration_s":0.21071,"db_duration_s":0.03075,"view_duration_s":0.17996,"status":200,"method":"GET","path":"/api/v4/projects/xxxxxx%2Fxxxxxx-ios",.... {"time":"2025-03-11T21:10:30.621Z","severity":"INFO","duration_s":0.15613,"db_duration_s":0.01842,"view_duration_s":0.13771,"status":200,"method":"GET","path":"/api/v4/projects/7",.... {"time":"2025-03-11T21:10:31.239Z","severity":"INFO","duration_s":0.1672,"db_duration_s":0.01828,"view_duration_s":0.14892,"status":200,"method":"GET","path":"/api/v4/projects/7",..... At this point I'm sure this is some sort of a bug with Xcode Cloud since the requests do succeed but Xcode Cloud is unable to process the responses and identify the correct branches and tags, as well as set the web hook for the repo.

I am using the App Store Connect API to update app information. When I send data for the Thai (th) locale, the update is successful. However, when I send data for English - United States (en-US), I receive a 409 error (STATE_ERROR). Example Data (translations list) ✅ Success: th (Thai) ["th", "แอพซื้อขายหุ้นสาธิตนี้เป็นแอพที่ให้คุณฝึกซื้อขายหุ้นโดยไม่ต้องใช้เงินจริง", "เราได้ปรับปรุงฟังก์ชันการทำงานและแก้ไขข้อบกพร่องเพื่อให้ใช้งานได้สะดวกยิ่งขึ้น"] ❌ Failure (409 error): en-US (English - United States) ["en-US", "This stock demo trading app is an app that allows you to practice stock trading without using real money.", "We have enhanced functionality and fixed bugs to make it even more comfortable to use."] Error Details The error occurs when executing the http.patch() request in the _updateAppStoreConnectInfo function. Error log: { "errors": [ { "id": "899835a1-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "status": "409", "code": "STATE_ERROR", "title": "The request cannot be fulfilled because of the state of another resource.", "detail": "Attribute 'whatsNew' cannot be edited at this time" } ] } What I Have Tried The request succeeds for th, but fails for en-US. Both requests have the same format. According to Apple’s official documentation (https://developer.apple.com/documentation) a 409 error occurs when there is an issue with the request data, but I am unsure what is incorrect. I tested 32 languages, and some worked while others did not. In this inquiry, I picked th (Thai) and en-US (English - United States) as examples. Questions Why does the en-US request return a 409 error while the th request succeeds? What could be causing the error message “Attribute ‘whatsNew’ cannot be edited at this time”? Is there a way to resolve this issue? Any help would be greatly appreciated. Thank you!

Hi, We are exporting data from the Apple Store to BigQuery using the following APIs: https://developer.apple.com/documentation/appstoreconnectapi/get-v1-salesreports https://developer.apple.com/documentation/appstoreconnectapi/downloading-analytics-reports We have identified a discrepancy in the uninstallation data. While the installation figures match the data from the Apple Store, the uninstallation values obtained through the APIs do not match those reported on App Store Connect. The difference is significant, and we cannot find a clear explanation in the documentation. Could you guide us on how to obtain accurate uninstallation data or indicate if there are any known limitations in the APIs used? Thanks

What App Store Connect API endpoint(s) do I need to use to get the release dates of an app's various app versions? On App Store Connect itself, I can navigate to a given app and select "History", on the left side under General. See screenshot: In the screenshot, you can clearly see that version 1.9 became Ready for Distribution on Nov 12, 2024 at 3:28 AM, and that version 1.10 became Ready for Distribution on February 18, 2025 at 8:10 AM. However, I haven't been able to find to get any of these detailed status history via the App Store Connect API. Specifically I'm looking for release, or "go live", dates for the various versions of a given app. I'd have expected one of these API endpoints, or some combination thereof, to include this information in some way, but I'm just not finding it: GET https://api.appstoreconnect.apple.com/v1/apps/{id}/appStoreVersions GET https://api.appstoreconnect.apple.com/v1/appStoreVersions/{id} GET https://api.appstoreconnect.apple.com/v1/apps/{id}/builds GET https://api.appstoreconnect.apple.com/v1/apps/{id}/reviewSubmissions I've submitted FB16730940 and also via TSI.

I'm querying the Finance Report api to get a January report for my app, yet no data is present. It's now March 3rd, and executing the following query results in a 404. url_financial = ( "https://api.appstoreconnect.apple.com/v1/financeReports" "?filter[regionCode]=ZZ" "&filter[reportDate]=2025-05" "&filter[reportType]=FINANCE_DETAIL" "&filter[vendorNumber]=redacted" ) If I change the report date to 2024-04, I get December, yet January is still unavailable. I understand that Apple's fiscal calendar does not follow the Gregorian calendar, however I'd expect that in March I could query the next period after December. Is this normal?

Hey there, I'm building a service that requires receiving accurate sales/proceeds data along with the campaign name. From reading the documentation it looks to be fairly understandable, but in practice it is not. I have been testing this for almost a week, and I never got "Detailed Report" for "App Store Purchases Detailed" analytics report. The same report for "App Downloads Detailed" is arriving normally, but not to for the purchases. I tested for two different apps where I have around 200 daily installs and 30 purchases on each. I would love to get any thoughts on this from an Apple engineer!

Hey there, I'm building a service that requires receiving accurate app downloads and sales/proceeds data along with the campaign name. From reading the documentation it looks to be fairly understandable, but in practice it is not that straightforward. For example, I received the first one-time-snapshot detailed report for the App Store Purchases, and it contains partial data for several days. Shouldn't that be a full report of everything in analytics for like last year or so? Should I expect it to be updated and extended in the coming days? For the ongoing detailed report, I have not received anything yet, but I'm afraid it might have partial data as well. I will report here as well.

Hi am new to App Store Connect api calls. First tried all apps url and it works(let url = URL(string: "https://api.appstoreconnect.apple.com/v1/apps")! ) But I want to get screenshots for an app. and it gives an error. JWT Payload: { aud = "appstoreconnect-v1"; exp = "761634503.157082"; iat = "761633363.157082"; iss = "69a6de6e-6715-47e3-e053-5b8c7c11a4d1"; scope = ( "GET /v1/apps/{appId}/appScreenshotSets", "GET /v1/apps" ); } let url = URL(string: "https://api.appstoreconnect.apple.com/v1/apps/\(appId)/appScreenshotSets")! HTTP Status Code: 400 ["errors": <__NSSingleObjectArrayI 0x600000010320>( { code = "ENTITY_INVALID"; detail = "Invalid scope GET /v1/apps/{appId}/appScreenshotSets"; id = T6VMMMF3V4NGO7Z3AO4AHOU2QI; links = ""; status = 400; title = "JSON processing failed"; } ) ]

Hello all, In the App Store Connect API: Apps have /v1/appPriceSchedules/{id}/baseTerritory. IAPs have /v1/inAppPurchasePriceSchedules/{id}/baseTerritory. ...but: Auto-renewing subscriptions don't have a corresponding endpoint for getting the base territory However, the App Store Connect website does indeed require you to set a base territory when creating new auto-renewable subscriptions. Why's that? More importantly, what's the best way of determining what to use for a base territory? Thank you!!

Hi all, I am facing an issue with the api.appstoreconnect.apple.com/v1/analyticsReportRequests endpoint. I always get a 401 error when making POST requests to it. The JWT is generated with a team key having Admin access and it works when I make GET requests, so calling api.appstoreconnect.apple.com/v1/apps is successful for example. The body of the POST request is "data": { "type": "analyticsReportRequests", "attributes": { "accessType": "ONGOING" }, "relationships": { "app": { "data": { "type": "apps", "id": "my_app_id" } } } } } Anyone else with the same problem or with some idea on what I might be doing wrong. Many thanks in advance Symeon

Hello! I'm using the App Store Connect API to get some pricing information for my apps and in-app purchases. If I'm understand correctly, I first need to get the base territory and then get pricing schedules for that territory, and the process looks to be the same across both App information and In-App Purchase information, even though those each use different API endpoints. My question is about Base Territory. I thought that was a thing that's the same across an entire App Store Connect team, but I see these two APIs: (1) Read the base territory for an app's price schedule and (2) Read the selected base territory for an in-app purchase price schedule The fact that both of these exist implies that IAPs can have a different base territory than the app itself, and that different apps can have different base territories, or even that different IAPs in the same app could have different base territories. Is that actually true? Or, do both APIs exist for convenience - so that if you're dealing with an IAP you can use that API instead of the app API, for example? The reason I'm asking is that I'd like to be as efficient as possible with API calls. Right now, in order to get prices for all apps in my account and all IAPs, I believe I need to call: To fetch all pricing information: /v1/apps - Get list of all apps For each app: /v1/appPriceSchedules/{appId}/baseTerritory - Get base territory /v1/appPriceSchedules/{appId}/manualPrices?filter[territory]={territoryId} - Get prices for base territory /v1/apps/{appId}/inAppPurchasesV2?include=iapPriceSchedule - Get IAPs /v1/apps/{appId}/subscriptionGroups?include=subscriptions - Get auto-renewable subscriptions For each IAP: If type is NOT non-renewing subscription: /v1/inAppPurchasePriceSchedules/{iapId}/baseTerritory - Get base territory /v1/inAppPurchasePriceSchedules/{iapId}/manualPrices?filter[territory]={territoryId} - Get prices If type IS non-renewing subscription OR auto-renewable subscription: /v1/subscriptions/{iapId}/prices?filter[territory]={territoryId} - Get subscription prices This is getting what we want, but hat's a LOT of API calls. Are there steps here we can shortcut or cut out? I'm looking for the current, manually-set prices for everything. Thanks very much!

Hello! I'm using the App Store Connect API and am trying to find out if there is a way to get historical pricing for apps, in-app purchases, and/or subscriptions? I see https://developer.apple.com/documentation/appstoreconnectapi/get-v1-apppriceschedules-_id_, as well as similar APIs for in-app purchases and subscriptions, but those don't appear to return (or give a way to return) anything historical. Thanks!

Hello, I want to update the prices in all territories of an auto-renewable subscription at once (in a single request). I know it's possible to do it territory by territory using the Create a Subscription Price Change API endpoint, but this means I need to call this API for every territory. And I have a lot of subscriptions I need to update. There is an another API endpoint that seems to allow to Modify an Auto-Renewable Subscription. For the countries where I want to change the price, I fetch the subscription price points using the List All Price Points for a Subscription API endpoint. When I call this API endpoint with the following body (that is the expected body content for this endpoint): { "data": { "type": "subscriptions", "relationships": { "prices": { "data": [ { "id": "eyJzIjoiNjc0MDAyMTQ5NiIsInQiOiJDQU4iLCJwIjoiMTAwMDEifQ", "type": "subscriptionPrices" }, { "type": "subscriptionPrices", "id": "eyJzIjoiNjc0MDAyMTQ5NiIsInQiOiJVU0EiLCJwIjoiMTAwMDEifQ" } ] } }, "id": "6740021496" }, "included": [ { "relationships": { "subscriptionPricePoint": { "data": { "id": "eyJzIjoiNjc0MDAyMTQ5NiIsInQiOiJDQU4iLCJwIjoiMTAwMDEifQ", "type": "subscriptionPricePoints" } }, "territory": { "data": { "type": "territories", "id": "CAN" } }, "subscription": { "data": { "id": "6740021496", "type": "subscriptions" } } }, "id": "eyJzIjoiNjc0MDAyMTQ5NiIsInQiOiJDQU4iLCJwIjoiMTAwMDEifQ", "attributes": { "preserveCurrentPrice": true }, "type": "subscriptionPrices" }, { "attributes": { "preserveCurrentPrice": true }, "id": "eyJzIjoiNjc0MDAyMTQ5NiIsInQiOiJVU0EiLCJwIjoiMTAwMDEifQ", "type": "subscriptionPrices", "relationships": { "subscription": { "data": { "type": "subscriptions", "id": "6740021496" } }, "subscriptionPricePoint": { "data": { "type": "subscriptionPricePoints", "id": "eyJzIjoiNjc0MDAyMTQ5NiIsInQiOiJVU0EiLCJwIjoiMTAwMDEifQ" } }, "territory": { "data": { "type": "territories", "id": "USA" } } } } ] } I receive a 409 error: { "errors" : [ { "id" : "5b6a4b62-686c-4a65-87ba-e16131db517b", "status" : "409", "code" : "ENTITY_ERROR", "title" : "There is a problem with the request entity", "detail" : "User is not allowed to edit.", "source" : { "pointer" : "subscriptionPrices" } } ] } I made sure my bearer authorisation token is correct and still valid (not expired). the p8 key has Admin rights Can this PATCH endpoint be used for what I want to do? If yes, is there anything special to do to use this PATCH endpoint? Thanks, Axel