Unable to Authenticate with App Store Server API in Production (401 Error)

Our application is currently under review, and we are still facing issues because we receive a 401 Unauthorized response from the App Store Connect API when using the production environment.

Our app integrates with Chargebee for subscription management, and in production, Chargebee is unable to authenticate with the App Store Server API. This results in a 401 Unauthorized error, preventing the user’s subscription from being synced correctly into our system. Interestingly, the same configuration works in the sandbox environment, but fails in production.

We’ve tried authenticating using JWTs generated from multiple keys (including App Store Connect API / Team Keys with both Admin and App Manager access, and also In-App Purchase keys), all with the same result — sandbox access works, production does not.

Here is our example code for testing with JWT token:

const jwt = require('jsonwebtoken');
const fs = require('fs');
const https = require('https');

const config = {
  keyId: '<key_id>',
  issuerId: 'issuer_id',
  bundleId: 'bundle_id',
  privateKey: fs.readFileSync('path_to_key')
};

const { keyId, issuerId, bundleId, privateKey } = config;

const now = Math.floor(Date.now() / 1000);
const jwtToken = jwt.sign(
  {
    iss: issuerId,
    iat: now,
    exp: now + 60 * 10, // 10 minutes is fine for test
    aud: 'appstoreconnect-v1',
    bid: bundleId
  },
  privateKey,
  {
    algorithm: 'ES256',
    header: {
      alg: 'ES256',
      kid: keyId,
      typ: 'JWT'
    }
  }
);

console.log('Generated JWT:\n', jwtToken);

// prod
const originalTransactionId = '<prod_transaction_id>';
const hostname = 'api.storekit.itunes.apple.com';

// sandbox
// const originalTransactionId = '<sandbox_transaction_id>';
// const hostname = 'api.storekit-sandbox.itunes.apple.com'

const options = {
  hostname,
  port: 443,
  path: `/inApps/v1/history/${originalTransactionId}`,
  method: 'GET',
  headers: {
    Authorization: `Bearer ${jwtToken}`,
    'Content-Type': 'application/json',
  },
};

const callAppStoreConnectApi = async () => {
  const req = https.request(options, (res) => {
    console.log(`\nStatus Code: ${res.statusCode}`);

    let data = '';
    res.on('data', (chunk) => {
      data += chunk;
    });

    res.on('end', () => {
      console.log('Response Body:\n', data || '[Empty]');
    });
  });

  req.on('error', (e) => {
    console.error('Request Error:', e);
  });

  req.end();
};

callAppStoreConnectApi();

With this code, we were able to authenticate successfully in the sandbox environment, but not in production.

I read in this discussion: https://developer.apple.com/forums/thread/711801 that the issue was resolved once the app was published to the App Store, but I haven’t found any official documentation confirming this.

Does anyone know what the issue could be?

I see the same issue with code based on the Swift App Store Server Library sample - works using sandbox, fails with errorCode 401 using production:

import AppStoreServerLibrary

let issuerId = "99b16628-15e4-4668-972b-eeff55eeff55"
let keyId = "ABCDEFGHIJ"
let bundleId = "com.example"
let encodedKey = try! String(contentsOfFile: "/path/to/key/SubscriptionKey_ABCDEFGHIJ.p8")
let environment = AppStoreEnvironment.sandbox

// try! used for example purposes only
let client = try! AppStoreServerAPIClient(signingKey: encodedKey, keyId: keyId, issuerId: issuerId, bundleId: bundleId, environment: environment)

let response = await client.requestTestNotification()
switch response {
case .success(let response):
    print(response.testNotificationToken)
case .failure(let errorCode, let rawApiError, let apiError, let errorMessage, let causedBy):
    print(errorCode)
    print(rawApiError)
    print(apiError)
    print(errorMessage)
    print(causedBy)
}

I have verified that this works for me now, after the app has been published on the App Store.

Does this mean that the review passed despite the 401 error?

Unable to Authenticate with App Store Server API in Production (401 Error)
 
 
Q