Hi, We run an app house where we're creating a new app through our store for clients every few weeks. We've been using the Apple ID login through fastlane to create new apps in our CI, however we find having to log in to multiple machines every few weeks very frustrating, as it requires 2fa, and always seems to happen right when the system admins are on leave. We've tried to use the API key instead however creating apps doesn't appear to be supported, as we get a 403 error stating we can't use create. This was with the App manager role. Is it at all possible to crate an app using the api key, turn off the timeout on the ID Login or, automate this so we don't need to log in every few weeks?

Issue Description I am experiencing persistent 401 Unauthorized errors when attempting to access the App Store Server API using JWT authentication. Despite following Apple's documentation and regenerating keys, I am unable to successfully authenticate. Implementation Details I'm implementing JWT authentication for the App Store Server API to retrieve transaction information from the following endpoint: https://api.storekit.itunes.apple.com/inApps/v1/transactions/{transactionID} My JWT generation code (in PHP/Laravel) follows Apple's documentation: php$kid = '6W6H649LJ4'; $header = [ "alg" => "ES256", "kid" => $kid, "typ" => "JWT" ]; $iss = 'b8d99de7-b43b-4cbb-aada-546ec784e249'; // App Store Connect API Key Issuer ID $bid = 'com.gitiho.learnCourse'; // Bundle ID $payload = [ "iss" => $iss, "iat" => time(), "exp" => time() + 3600, "aud" => "appstoreconnect-v1", "bid" => $bid ]; $pathFileAuthKeyP8 = "AuthKey_6W6H649LJ4.p8"; $contentFileAuthKey = \File::get(base_path($pathFileAuthKeyP8)); $alg = "ES256"; $jwt = \Firebase\JWT\JWT::encode($payload, $contentFileAuthKey, $alg, null, $header); Steps Taken to Troubleshoot Verified that the Issuer ID is correct and in UUID format Confirmed that the Key ID matches the private key filename Regenerated the key with proper App Store Server API permissions Ensured the private key file is properly formatted with correct headers and footers Verified that the JWT is being properly encoded using the ES256 algorithm Confirmed the bundle ID is correct for our application Checked that the API endpoint URL is correct Additional Information This implementation previously worked correctly We started experiencing 401 errors recently without changing our implementation We are using the Firebase JWT library for PHP to encode the JWT Request Could you please help identify what might be causing these authentication failures? Is there any recent change in the authentication requirements or endpoint URLs that might be affecting our integration? Thanks for support me.

We're using https://api.appstoreconnect.apple.com/v1/salesReports (https://developer.apple.com/documentation/appstoreconnectapi/get-v1-salesreports) to get the First-Time Downloads as can be seen in the App Store Connect per app. But from the API we only get data since March 2025 while in the App Store Connect data can be seen since November 2022. From the API response we read the Units for entries where 'Product Type Identifier' is 1 (https://developer.apple.com/help/app-store-connect/reference/product-type-identifiers/) per Apple Identifier. The results is for all apps as we expect, but for one app we only get data since March 2025. It is indeed the case that the app has been published in March, but the same id was in use since November 2022, under another vendor though (different vendorNumber, which we don't know). Is there any way to get the statistics from before March, like can be seen in the App Store Connect? Perhaps another way of calling salesReports or another API. We tried https://appstoreconnect.apple.com/analytics/api/v1/data/timeseries as that is the call happening in App Store Connect which over there is returning data prior to March 2025, but we couldn't get it to work nor find documentation about it. Or can we feed the old data so we would get it back from salesReports?

Hi all, I'm trying to integrate Apple’s DeviceCheck API into my Flutter iOS app. I already have everything set up on the backend — the Apple private key, key ID, team ID, and DeviceCheck capability. The backend is generating and signing the JWT correctly and making requests to Apple. However, I’m currently stuck on the frontend (Flutter): 👉 How can I generate the device_token required by the DeviceCheck API (via DCDevice.generateToken) in a Flutter iOS app? I understand that DCDevice.generateToken() must be called from native Swift code. I previously attempted to use a MethodChannel to bridge this in Swift, but would prefer not to write or maintain native Swift code if possible. I've looked for a prebuilt Flutter package to handle this, but nothing exists or is up-to-date on pub.dev. Main Question: Is there any Apple-supported way to generate the device_token for DeviceCheck from a Flutter app without writing Swift code manually? If not, is DCDevice.generateToken() the only possible approach, and must I implement this via Swift and Flutter platform channels? Thanks!

We are currently pulling data via the API to look various metrics, including reviews and ratings. However, I noticed the ratings only come in with associated reviews - it doesn't appear there is public access to the API for pulling all historic ratings (without associated reviews). Is this correct? Does anyone know a workaround or way to access the ratings data via API or other method?

We are currently experiencing an issue accessing crash data via the App Store Connect Analytics API for several of our mobile apps. Summary of Issue: For certain app IDs, crash data is clearly visible within the App Store Connect UI under the "App Crashes" report. However, when attempting to retrieve this same data via the official Analytics API, no crash data is returned. Our integration makes the following API calls: GET /v1/analyticsReportRequests/<report_id>/reports?filter[category]=APP_USAGE GET /v1/analyticsReports/<instance_id>/instances GET /v1/analyticsReports/<instance_id>/segment (to retrieve download URL) This process works as expected for some apps, where the “App Crashes” report is available and the segment URL is returned. However, for other apps, while the crash data appears in the UI, the API does not return the “App Crashes” report or any segment URL to download the data. We’ve confirmed the report IDs and used the correct authentication headers in our requests. Question Can anyone please advise why crash data for certain apps is not available via the API, even though it is accessible via the UI? Is this a known limitation or a possible configuration issue on our account?

Hi Apple Developer Support, I’m working on a Node.js script to fetch all apps listed under the Education category and Reference subcategory from the US App Store, where the app name includes "exam prep". My goal is to list these apps in descending order of their earned revenue (including both paid apps and those with subscriptions). To proceed, I’m looking for guidance or code-level support on: Accessing App Store metadata programmatically via Apple-approved APIs. Filtering apps by category, subcategory, and keywords in the app name. Sorting the result set by revenue (paid and subscription earnings). Is there any recommended API or service (official or via App Store Connect) that I should be using to achieve this? Appreciate any direction, documentation, or sample code that can help. Thanks in advance!

Good day. The Infrastructure Security team my company is concerned about potential information security incidents in https://appstoreconnect.apple.com/. We intend to: Collect logs of any activities within our organization (for example, someone adding a new user with administrative privileges or publishing a new application from a corporate account). Automatically deliver these logs to our SIEM (e.g., Splunk), so that alerts can be generated and potential security incidents can be addressed, such as breaches of internal policies by an employee or a compromise of a corporate account associated with https://appstoreconnect.apple.com/. Could you please advise on how this can be implemented?

Refer to the attached screenshots I am trying to push an update for an existing iOS app that I developed a few years ago (App ID: 1465985188) but I am getting this error: A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. (ID: O4YFH7VPB2LECAUAVXR6G4WRFQ) (403) I checked my agreements page and there is no clear indication of any missing agreements left to sign or what not. I have tried different builds of this project to no avail. I am stuck in a rut and I have been already waiting two weeks for customer support to acknowledge my issue and get back to me. My membership is due in a couple months, and honestly, if this is not resolved by end of this month I am not gonna renew. Attaching screenshots of all the agreements, and as you can see all the agreements are signed.

When calling modifypromo, I keep getting this error: error: HTTP status code 409, body { "errors" : [ { "id" : "7aeb5c20-576d-4500-ad65-525d298d2093", "status" : "409", "code" : "STATE_ERROR", "title" : "The request cannot be fulfilled because of the state of another resource.", "detail" : "Cannot invoke "com.apple.its.pricing.api.model.Country.countryCodeISO2A()" because the return value of "com.apple.its.pricing.api.model.offers.AdHocOfferProduct.country()" is null" } ] } My request is: Where id is the encrypted values needed { "data": { "attributes": {}, "relationships": { "prices": { "data": [ { "id": "id", "type": "subscriptionPromotionalOfferPrices" } ] } }, "type": "subscriptionPromotionalOffers", "id": "id" }, "included": [ { "attributes": {}, "id": "subscriptionPromotionalOfferPrices", "relationships": { "subscriptionPricePoint": { "data": { "id": "id", "type": "subscriptionPricePoints" } }, "territory": { "data": { "id": "USA", "type": "territories" } } } } ] }

Hello Apple Developer Team, I've followed the AppStoreConnect API documentation and created the following: I've created a API Key in App store > Integrations > Teams key, gave the role as admin. Created a valid JWT token When fetching the GET v1/apps, I can see the list of apps. Also I was able to make GET v1/users as well successfully. I've the valid bundle Id and capabilities enabled in the developer portal. Facing an issue while creating an app in App Store using AppStoreConnect API using POST call: This is my ruby script: response = api_request( method: :post, path: "/v1/apps", token: token, body: { data: { type: 'apps', attributes: { name: APP_NAME, primaryLocale: LOCALE, sku: "SKU#{Time.now.to_i}", bundleId: BUNDLE_ID, platform: 'IOS' } } } ) It gives me below error: { "errors": [ { "id": "09b465fc-316f-47b4-9bc3-9c340cb966aa", "status": "403", "code": "FORBIDDEN_ERROR", "title": "The given operation is not allowed", "detail": "The resource 'apps' does not allow 'CREATE'. Allowed operations are: GET_COLLECTION, GET_INSTANCE, UPDATE" } ] } Did anyone was able to successfully create the app in App Store via AppStoreConnect API? Could you please help me identify the root cause for the above issue and provide some inputs so that I could work on resolving them and move forward in the deployment process. Appreciate your help in reviewing this. Thank you, Santosh

Hello! Any clues or guidance, please? I have already spent several days fighting with secret knowledge of App Store API connect and got to this point. But this one seems like I am stuck. I call https://api.appstoreconnect.apple.com/v1/analyticsReports/r14-[my-specific-id]/instances and get empty data { "data" : [ ], "links" : { "self" : "https://api.appstoreconnect.apple.com/v1/analyticsReports/r14-[my-specific-id]/instances" }, "meta" : { "paging" : { "total" : 0, "limit" : 50 } } } r14-[my-specific-id] is the id I got from calling https://api.appstoreconnect.apple.com/v1/analyticsReportRequests/[another-specific]/reports. r14-[my-specific-id] is "App Store Discovery and Engagement Standard" according to the response from /reports endpoint. Yes, I know, that it is a valid case for DETAILED reports to get empty data due to Apple Privacy thresholds. But the report I am trying to download is STANDARD (at least, it is what the name the report ("App Store Discovery and Engagement Standard") states in /reports end point response). Basic hygiene checks: I do have numbers in App Store UI in Analytics tab for this report Out of all reports returned by /reports the greatest majority of reports return empty data but SOME reports return data properly (unfortunately, not the ones I need) Enough time has passed: I have submitted request for ONGOING report 3 calendar days ago, it got executed within 24 hours, and it is already 2 full calendar days passed since execution of my request, meaning 8am P.T. has passed two times since ONGOING equest was fulfilled Any suggestions, ideas, clues, please? (Apple, why getting simple data can become such a quest?)

In the Apple Summary Sales Report using App Store Connect API, you can get a daily count of downloads and re-downloads by using the 1F and 3F values in the Product Type Identifier column. You can then cross check the download numbers against the downloads reported in the Analytics section of App Store Connect. When looking at a month of data, the first time download numbers seem to line up exactly ("1F" in the API versus "First-Time Downloads" in Appstore Store Connect). There is a discrepancy though between reported re-downloads. The total units for "3F" does not line up with the "Redownloads" numbers reported in the Analytics section of App Store Connect. The "3F" redownloads from the API appear to be 60% higher for a month compared to the App Store Connect reporting interface. What could be going on here? Is there some type of de-duplication process run on the App Store Connect web report data that is not run on the data coming out of the App Store Connect API? Any insight would be greatly appreciated.

It looks like the capability identifier, merchantIds, can now officially be interacted with using the /v1/merchantIds endpoint. Curious if /v1/appGroups or /v1/cloudContainers will be added to the official API too. Fastlane currently supports these endpoints with the cookies authentication system. Unlike many endpoints, these ones are specifically required to ensure that apps with certain entitlements have correct remote settings otherwise the xcodebuild will fail. Appreciate any input here, thanks!

The endpoint /v1/betaAppReviewSubmissions supports post and get requests for creating and querying beta app store review submissions but I would like to be able to withdraw submissions by making a delete request like you can on the website and when using cookies authentication to the same endpoint with tools such as with Fastlane. Is this API intentionally missing in the official API or is it something that could be added?

Hello Apple Developer Community, I recently encountered a serious security issue involving a third-party app development company that requested full JSON API key access to my Apple Developer account. After conducting research, I realized that granting this access would allow permanent backend control over my app—even after our contract ended. Key Issue: • Third-party developers extract JSON API keys from client accounts. • These keys allow unrestricted backend access, even after being removed from the account. • With this access, they can: • Modify apps remotely • Interfere with financial settings • Restrict client access while maintaining their own backend control Why This Matters: • This could be happening at scale, affecting many developers unknowingly. • It’s a major security risk—developers could be losing control of their apps without realizing it. • Apple’s policies do not explicitly warn against this kind of practice, which leaves developers vulnerable. I Need Guidance: • Is there an official Apple security team I can report this to? • How can developers safeguard themselves from these kinds of exploits? • Does Apple have a protocol for auditing third-party developer activity within client accounts? I have full documented evidence of this practice, including chat logs, emails, and technical breakdowns. This is a serious issue that needs the right eyes on it. Please advise on the next steps Apple recommends for reporting and addressing this vulnerability. Kindly find my evidence below. https://drive.google.com/drive/folders/1uZnAvJE48OazvSgMYr6-wSB1Ss5rF5r4

We use Bitrise for our build pipelines and the step for building and signing the iOS app fails when calling the v1/devices endpoint. Specifically, the next endpoint from the App Store API returns this error when getting the next page of devices. PARAMETER_ERROR.INVALID: A parameter has an invalid value: 'XXXXXXXXXXXXX' is not a valid cursor for this request I am able to recreate this in Postman. The first query without a cursor works just fine. https://api.appstoreconnect.apple.com/v1/devices?filter%5Bplatform%5D=IOS&amp;filter%5Bstatus%5D=ENABLED&amp;limit=20 { data: [ ... ], "links": { "self": "https://api.appstoreconnect.apple.com/v1/devices?filter%5Bstatus%5D=ENABLED&amp;filter%5Bplatform%5D=IOS&amp;limit=20", "next": "https://api.appstoreconnect.apple.com/v1/devices?filter%5Bstatus%5D=ENABLED&amp;filter%5Bplatform%5D=IOS&amp;cursor=XXXXXXXXXXXX&amp;limit=20" }, "meta": { "paging": { "total": 90, "limit": 20 } } } However when I try to get the next page of devices with the next URL from the App Store API I get the same error as before. { "errors": [ { "id": "...", "status": "400", "code": "PARAMETER_ERROR.INVALID", "title": "A parameter has an invalid value", "detail": "'XXXXXX' is not a valid cursor for this request", "source": { "parameter": "cursor" } } ] } Recently I refreshed the certificates and provisioning profiles and removed outdated device listings, so this might play a role in what is happening.

Our test application has the status "Approved" on the test build list view. However, when adding testers to the test build, the process failed with the error message "An error has occurred. Try again later." **Here is the API request: ** https://appstoreconnect.apple.com/iris/v1/builds/d9bc89fa-e94d-4a33-a39c-20550c0673ec/relationships/individualTesters Here is the response: { "errors" : [ { "id" : "5b833be8-18d1-4ce9-b47d-7a315ef49a50", "status" : "409", "code" : "STATE_ERROR", "title" : "The request cannot be fulfilled because of the state of another resource.", "detail" : "Tester(s) cannot be assigned" } ] } Does anyone experience the same issue? Any insight on the root cause? I am wondering if this could be fixed by itself. Any input and help is appreciated.

I am using the App Store Connect API to update app information. When I send data for the Thai (th) locale, the update is successful. However, when I send data for English - United States (en-US), I receive a 409 error (STATE_ERROR). PATCH request URL (for updating whatsNew) is "https://api.appstoreconnect.apple.com/v1/appStoreVersionLocalizations/{localizationId" Example Data (translations list) ✅ Success: th (Thai) ["th", "แอพซื้อขายหุ้นสาธิตนี้เป็นแอพที่ให้คุณฝึกซื้อขายหุ้นโดยไม่ต้องใช้เงินจริง", "เราได้ปรับปรุงฟังก์ชันการทำงานและแก้ไขข้อบกพร่องเพื่อให้ใช้งานได้สะดวกยิ่งขึ้น"] ❌ Failure (409 error): en-US (English - United States) ["en-US", "This stock demo trading app is an app that allows you to practice stock trading without using real money.", "We have enhanced functionality and fixed bugs to make it even more comfortable to use."] Error Details The error occurs when executing the http.patch() request in the _updateAppStoreConnectInfo function. Error log: { "errors": [ { "id": "899835a1-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "status": "409", "code": "STATE_ERROR", "title": "The request cannot be fulfilled because of the state of another resource.", "detail": "Attribute 'whatsNew' cannot be edited at this time" } ] } What I Have Tried The request succeeds for th, but fails for en-US. Both requests have the same format. According to Apple’s official documentation (https://developer.apple.com/documentation) a 409 error occurs when there is an issue with the request data, but I am unsure what is incorrect. I tested 32 languages, and some worked while others did not. In this inquiry, I picked th (Thai) and en-US (English - United States) as examples. Questions Why does the en-US request return a 409 error while the th request succeeds? What could be causing the error message “Attribute ‘whatsNew’ cannot be edited at this time”? Is there a way to resolve this issue? Any help would be greatly appreciated. Thank you!

I have a Unity application in which I'm implementing a GameCenter login with PlayFab. I fetch the items and use them in the PlayFab request, which returns me the error 'Authentication failed. Signature does not match the authentication request data'. I've reproduced the request using Insomnia with the same results. I have this exact same flow implemented in another application, which works normally. I'm positive that the PlayFab verification is correct, and there's indeed an issue with the data being sent, but I can't find any information about this kind of situation anywhere, and I don't know how to either reproduce the verification myself, or how to inspect the data to check for issues. I have reviewed my app's data on AppstoreConnect and have filled every form, document, and even its store page. I've also checked it's bundle identifier settings to make sure it had all the permissions necessary, which seems to be only GameCenter. I fetch the authentication items through this code try { Debug.Log("Fetching authentication items"); var fetchItemsResponse = await GKLocalPlayer.Local.FetchItems(); PlayFabGameCenterLogin(fetchItemsResponse); } catch (Exception ex) { Debug.Log("Error fetching authentication items: " + ex.Message); OnLoginFailure(); } Which is then sent to this method to start the login request static void PlayFabGameCenterLogin(GKIdentityVerificationResponse authenticationItems) { var request = new LoginWithGameCenterRequest(); request.CreateAccount = true; request.PlayerId = GKLocalPlayer.Local.GamePlayerId; request.InfoRequestParameters = new GetPlayerCombinedInfoRequestParams { GetUserAccountInfo = true }; if (authenticationItems != null) { request.PublicKeyUrl = authenticationItems.PublicKeyUrl; request.Salt = Convert.ToBase64String(authenticationItems.GetSalt()); request.Signature = Convert.ToBase64String(authenticationItems.GetSignature()); request.Timestamp = authenticationItems.Timestamp.ToString(); } else Debug.Log("Playfab Login with no authentication items"); // Login PlayFabClientAPI.LoginWithGameCenter(request, OnLoginSuccess, (e) => { I'm on Unity 2022.3.10f1 Apple.Core 3.1.3 Apple.GameKit 2.2.2 Xcode 16.2 I need information on what could be the cause of this, if it's a SDK issue, a lack of filling information somewhere, if it's some data compatibility issue (maybe data on the app that's not the same on the appstoreconnect or developer?), or if it's possible to verify the authentication data manually to investigate.