I’m experiencing an issue while attempting to authenticate API calls to the App Store Connect API using a JWT. I have App Manager permissions on my Apple Developer account. Despite following the official documentation and successfully verifying the JWT signature locally, I consistently receive the following response from the API:
{ "errors": [{ "status": "401", "code": "NOT_AUTHORIZED", "title": "Authentication credentials are missing or invalid.", "detail": "Provide a properly configured and signed bearer token, and make sure that it has not expired." }] }
import jwt import time from cryptography.hazmat.primitives import serialization from cryptography.hazmat.backends import default_backend from jwt.exceptions import InvalidSignatureError
# Replace with your own credentials
# Placeholder credentials: all three must be replaced before the script
# is run. The key file name embeds the key ID.
KEY_ID: str = "<YOUR_KEY_ID>"
ISSUER_ID: str = "<YOUR_ISSUER_ID>"
PRIVATE_KEY_PATH: str = "AuthKey_<YOUR_KEY_ID>.p8"
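def generate_token(lifetime_seconds: int = 1200):
    """Generate a signed ES256 JWT for App Store Connect API authentication.

    The private key is read from ``PRIVATE_KEY_PATH``. The token header
    carries ``KEY_ID`` as ``kid``; the payload carries ``ISSUER_ID`` as
    ``iss``, the current time as ``iat``, and ``appstoreconnect-v1`` as
    ``aud``.

    Args:
        lifetime_seconds: Seconds from ``iat`` to ``exp``. Defaults to 1200
            (20 minutes), the value the script used before this was a
            parameter.

    Returns:
        The encoded token as returned by ``jwt.encode``.

    Raises:
        ValueError: if ``lifetime_seconds`` is not positive.
        OSError: if the key file cannot be read.
    """
    if lifetime_seconds <= 0:
        raise ValueError("lifetime_seconds must be positive")

    with open(PRIVATE_KEY_PATH, "r", encoding="utf-8") as key_file:
        private_key = key_file.read()

    # "alg" and "typ" repeat what jwt.encode sets itself; "kid" is the part
    # the server uses to pick the matching public key, so it must equal the
    # ID of the downloaded .p8 file.
    header = {"alg": "ES256", "kid": KEY_ID, "typ": "JWT"}

    now = int(time.time())
    payload = {
        "iss": ISSUER_ID,
        "iat": now,
        # NOTE(review): 1200 s is the full 20-minute window this script was
        # written around. If the server enforces 20 minutes as a maximum
        # lifetime (confirm against Apple's documentation), clock skew between
        # this host and the server can push exp past it; a shorter lifetime
        # leaves headroom.
        "exp": now + lifetime_seconds,
        "aud": "appstoreconnect-v1",
    }
    return jwt.encode(payload, private_key, algorithm="ES256", headers=header)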
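def verify_token_signature(token):
    """Verify a JWT locally with the public half of the .p8 private key.

    Loads ``PRIVATE_KEY_PATH``, derives the public key, checks that the
    token's unsigned header names ``KEY_ID`` as ``kid`` and ``ES256`` as
    ``alg``, then lets ``jwt.decode`` verify the signature, the
    ``appstoreconnect-v1`` audience and the ``ISSUER_ID`` issuer. Outcomes
    are printed; a failed verification does not raise.

    Args:
        token: The encoded JWT to check.

    Returns:
        The decoded payload on success, otherwise ``None``.
    """
    with open(PRIVATE_KEY_PATH, "rb") as key_file:
        private_key = serialization.load_pem_private_key(
            key_file.read(), password=None, backend=default_backend()
        )

    # Only the public half is needed to verify a signature.
    pem_public_key = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )

    try:
        # The header is not covered by the signature check below; it is read
        # here so a kid/alg mismatch is reported instead of passing locally.
        header = jwt.get_unverified_header(token)
        if header.get("kid") != KEY_ID or header.get("alg") != "ES256":
            print(f"❌ Unexpected JWT header: {header}")
            return None
        decoded = jwt.decode(
            token,
            pem_public_key,
            algorithms=["ES256"],
            audience="appstoreconnect-v1",
            issuer=ISSUER_ID,
        )
    except InvalidSignatureError:
        print("❌ JWT signature is invalid.")
        return None
    except Exception as e:  # diagnostic script: report and continue
        print(f"❌ JWT verification failed: {e}")
        return None

    print("✅ JWT signature verified successfully.")
    print("Decoded payload:", decoded)
    return decoded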
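# The guard compares the module's __name__, not an (undefined) global `name`;
# the original line would raise NameError on execution.
if __name__ == "__main__":
    token = generate_token()
    print("Generated JWT:", token)
    verify_token_signature(token)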
Why might a JWT that is valid locally still fail authentication with a 401 NOT_AUTHORIZED error from the App Store Connect API? Are there any specific permission scopes required for API access beyond App Manager access in App Store Connect? Are there any known issues or additional configuration steps required for API key access? Is there a way to check the API access status of a specific key or account? Could you please share a correct example of JWT generation in Python for reference?