Authorization

App Store Connect
Prerequisites
App Store Connect API requests are authenticated with a short-lived JSON Web Token (JWT) signed with the ES256 algorithm. The token is generated from an API key (a .p8 private key, a Key ID, and an Issuer ID) that an Account Holder or Admin creates in App Store Connect. Nexla sends the JWT in the Authorization: Bearer <token> header on every request.
Generate an App Store Connect API Key
- Sign in to App Store Connect with an Account Holder or Admin user.
- From the navigation, open Users and Access, then select the Integrations tab.
- In the App Store Connect API section, select the Team Keys sub-tab. (Use Individual Keys instead if you want a key scoped to a single user account.)
- Click the + (plus) button next to Active to begin creating a new key.
- In the Generate API Key dialog, enter a descriptive Name for the key (for example, `Nexla Integration`), and select the role that grants the access level your integration requires:
  - Admin: Full read/write access across resources, comparable to the Admin user role. Required for managing users, certificates, bundle IDs, and most write endpoints.
  - App Manager, Developer, Marketing, Sales, Customer Support, Finance: Scoped roles that restrict the key to the resources accessible to that role. Use the most restrictive role that still grants the endpoints your integration will call.
- Click Generate. App Store Connect creates the key and returns to the key list.
- Note the Issuer ID shown above the key table. This value is the same for every key on your team and is required when generating each JWT.
- Note the new key's Key ID in the table (a 10-character identifier).
- Click Download API Key next to the new key to download the private key file (`AuthKey_<KeyID>.p8`).
  Important: The `.p8` private key file can be downloaded only once. Store it in a secure secret manager immediately after download; Apple does not allow re-downloading the same key. If the file is lost, the key must be revoked and a new one generated.
- Save the Issuer ID, Key ID, and the contents of the `.p8` file. These three values are required to generate JWTs for the API.
For complete details on team and individual API keys, see the Apple developer guide: Creating API keys.
Generate the JWT Bearer Token
Nexla expects an already-signed JWT in the credential field, so the token is generated outside of Nexla and pasted in. JWTs for App Store Connect must follow Apple's exact structure:
- Header:
  - `alg`: `ES256`
  - `kid`: Your Key ID (from the previous section)
  - `typ`: `JWT`
- Payload:
  - `iss`: Your Issuer ID (from the previous section)
  - `iat`: The current time as a UNIX timestamp
  - `exp`: Expiration time (a UNIX timestamp), no more than 20 minutes after `iat`
  - `aud`: `appstoreconnect-v1`
  - `scope` (optional): A list of HTTP method and URL paths the token is restricted to (for example, `GET /v1/apps`). Omit to grant the role's full access.
- Signing: Sign the token with the ES256 (ECDSA using P-256 and SHA-256) algorithm, using the contents of your `.p8` private key. JWT libraries handle the signature encoding for you; if you sign by hand, note that the JWS ES256 signature is the 64-byte concatenation of the raw R and S values, not a DER-encoded ECDSA signature.
Use a library or short script in your secret manager or CI environment to generate a fresh JWT before each credential refresh. App Store Connect rejects tokens older than 20 minutes, so long-running Nexla flows should periodically regenerate and update the credential value, or use an external token-refresh process.
Many Apple-maintained and third-party libraries can generate this token, including the official App Store Connect API sample code and language-specific JWT libraries such as PyJWT (Python), jsonwebtoken (Node.js), and JJWT (Java). For details on the exact token structure, see Generating tokens for API requests.
The .p8 private key, Key ID, and Issuer ID together grant API access at the role level assigned to the key. Store them in a secure secret manager, never commit them to source control, and revoke a compromised key immediately from Users and Access > Integrations in App Store Connect.
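The program below is an added example, not code from Nexla's documentation or from Apple's sample code. It shows the structure above end to end in Go using only the standard library: it parses the PKCS#8 `.p8` file, builds the header and payload, signs with ES256 using the raw R||S encoding JWS requires, and verifies a token the way the API does (signature, `aud`, and the 20-minute window), which is what a refresh job should check before pasting a token into Nexla. The Key ID, Issuer ID and scope in `main` are placeholders, and `NewTestP8` fabricates a throwaway key so the example runs offline; in practice, read the `AuthKey_<KeyID>.p8` you downloaded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Claims struct { // payload fields Apple documents for App Store Connect tokens
	Iss   string   `json:"iss"`
	Iat   int64    `json:"iat"`
	Exp   int64    `json:"exp"`
	Aud   string   `json:"aud"`
	Scope []string `json:"scope,omitempty"`
}

const Audience, MaxLifetime = "appstoreconnect-v1", 20*time.Minute // Apple rejects longer lifetimes
var enc = base64.RawURLEncoding                                       // JWT segments are unpadded base64url

// parseP8 loads the PEM-wrapped PKCS#8 key from an AuthKey_<KeyID>.p8 file.
func parseP8(p8 []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(p8)
	if block == nil {
		return nil, errors.New("no PEM block in .p8 data")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if ec, ok := key.(*ecdsa.PrivateKey); err == nil && ok && ec.Curve == elliptic.P256() {
		return ec, nil
	}
	return nil, errors.New("not a PKCS#8 EC P-256 private key")
}

// MakeToken signs an ES256 JWT for App Store Connect; lifetime is capped at 20 minutes.
func MakeToken(p8 []byte, keyID, issuerID string, scope []string, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime <= 0 || lifetime > MaxLifetime {
		return "", errors.New("lifetime must be positive and at most 20 minutes")
	}
	key, err := parseP8(p8)
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID, "typ": "JWT"})
	body, _ := json.Marshal(Claims{Iss: issuerID, Iat: now.Unix(), Exp: now.Add(lifetime).Unix(), Aud: Audience, Scope: scope})
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 is the raw 32-byte R and S concatenated, not the DER form ecdsa.SignASN1 produces.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyToken checks the ES256 signature with the key's public half, then aud and the 20-minute iat..exp window at now.
func VerifyToken(p8 []byte, token string, now time.Time) (*Claims, error) {
	key, err := parseP8(p8)
	parts := strings.Split(token, ".")
	if err != nil || len(parts) != 3 {
		return nil, errors.New("bad key, or token does not have three segments")
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(&key.PublicKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if bodyJSON, _ := enc.DecodeString(parts[1]); json.Unmarshal(bodyJSON, &c) != nil || c.Aud != Audience ||
		c.Exp <= c.Iat || c.Exp-c.Iat > int64(MaxLifetime.Seconds()) || now.Unix() >= c.Exp {
		return nil, errors.New("aud or exp window not acceptable")
	}
	return &c, nil
}

// NewTestP8 fabricates a throwaway P-256 key in the PEM/PKCS#8 form of a downloaded .p8 so the example runs offline.
func NewTestP8() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() { // the Key ID, Issuer ID and scope here are placeholders, not real values
	tok, err := MakeToken(NewTestP8(), "ABCDE12345", "11111111-2222-3333-4444-555555555555", []string{"GET /v1/apps"}, time.Now(), MaxLifetime)
	if err != nil {
		panic(err)
	}
	fmt.Println("Authorization: Bearer " + tok)
}
```

Run it with `go run` and paste the printed token into the JWT Bearer Token field. In a refresh job, call `MakeToken` with `time.Now()` and the full 20-minute lifetime immediately before updating the credential, and treat an error from the lifetime check as a bug rather than something to retry.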
Create an App Store Connect Credential
- To create a new App Store Connect credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
Credential Name & Description
- Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.
JWT Bearer Token
- Generate a fresh ES256-signed JWT using your App Store Connect Key ID, Issuer ID, and `.p8` private key, following the structure described under Generate the JWT Bearer Token above. The token must have an expiration no more than 20 minutes after the issue time, and `aud` set to `appstoreconnect-v1`.
- Paste the full JWT (the three base64url-encoded segments joined by periods) into the JWT Bearer Token field. Nexla sends this value verbatim in the `Authorization` header as `Bearer <jwt>` on every App Store Connect API call.
Because each JWT is valid for at most 20 minutes, this credential is best suited to environments where the JWT is rotated by an external process, for example a scheduled job in your secret manager that regenerates the token and updates the Nexla credential via the Nexla API. For long-running flows, generate a token with the longest allowed lifetime (20 minutes) immediately before activation and rotate it on a recurring schedule.
Save the Credential
- Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.
- The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.