Connect & Integrate App Store Connect
Last updated: May 15, 2026
Introduction
This guide covers using YeshID's App Store Connect integration to connect your Apple Developer team.
Once connected, YeshID imports:
App Store Connect team users (including their assigned roles)
Apps on your team
TestFlight beta groups and beta testers
Code-signing certificates
Bundle IDs, registered devices, and provisioning profiles
The access graph connecting users and beta testers to apps, plus profiles to certificates and devices
YeshID can also (when enabled):
Invite a user (Create User action)
Change a user's roles (Update User action)
Remove a user from the team or cancel a pending invitation (Remove User action)
Prerequisites
A paid Apple Developer Program membership.
You must sign in to App Store Connect as the Account Holder or as an Admin. Only those two roles can generate Team Keys.
Steps
Sign in to App Store Connect Go to https://appstoreconnect.apple.com and make sure you are in the correct team.
Open the Team Keys page Click Users and Access, then the Integrations tab, then Team Keys in the left sidebar.
Generate a new API key Click the + (Generate API Key) button. Fill in:
Name — something memorable, e.g.
YeshID Provisioning.Access — the Apple role this key will act as.
Developer is enough to import users, apps, beta groups, beta testers, certificates, devices, profiles, and bundle IDs.
Admin is required to invite, update, or remove users.
Account Holder cannot be assigned to a key.
Download the private key file Immediately click Download API Key and save the
AuthKey_<KEYID>.p8file. Apple only lets you download this file once. If you miss this step you have to revoke the key and generate a new one.Copy your Issuer ID and Key ID You will paste these into YeshID:
Issuer ID — a UUID shown near the top of the Team Keys page, above the keys list. Click Copy next to it.
Key ID — the 10-character ID in the Key ID column on the row for the key you just generated.
Connect the integration in YeshID In YeshID, open the App Store Connect integration and enter:
Key ID — the 10-character value from step 5.
Issuer ID — the UUID from step 5.
Private Key (.p8) — paste the entire contents of the downloaded
.p8file, including the-----BEGIN PRIVATE KEY-----and-----END PRIVATE KEY-----lines.
Save the integration. YeshID will sign a test token and call App Store Connect to validate the credentials.
(Optional) Enable Create User If you want YeshID to invite new users into App Store Connect, set the Allow team-wide app visibility on invite option to yes. See the FAQ below for the trade-off.
Run a sync Start a sync in YeshID. The first sync imports users, apps, beta groups, beta testers, certificates, devices, bundle IDs, and provisioning profiles.
FAQ
I lost the .p8 file — what do I do?
Apple does not let you re-download a private key. Go back to Users and Access → Integrations → Team Keys, revoke the old key, and generate a new one. You will need to update the Key ID and Private Key (.p8) fields in YeshID with the new key's values.
I get an error that the private key must be PEM-encoded.
Open the .p8 file in a plain text editor (TextEdit, Notepad, cat on macOS/Linux) and re-paste the entire contents — including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines. YeshID tolerates the most common copy-paste issues (collapsed newlines, smart-substituted dashes, stray invisible characters) but cannot recover from a partially pasted file.
I get a 401 or 403 on a specific action.
The key's assigned Apple role does not have the permission that action needs. Edit the key in App Store Connect and raise the access (for example, Developer → Admin to enable user management) and the action will start working on the next sync.
Create User refuses to send the invite.
App Store Connect requires every new invitation to either grant visibility to every app on the team or specify a list of apps. YeshID does not yet model the per-app list, so the only working shape is team-wide visibility. The integration ships with this disabled to keep new accounts least-privilege. To enable invitations, set Allow team-wide app visibility on invite to yes on the integration. Newly invited users will be able to see every app on your team — you can trim visibility per user in App Store Connect afterwards if needed.
Why can't the integration assign the Account Holder role?
Apple does not allow Account Holder to be set through the API. It is the person who completed program enrollment, and it can only be transferred through Apple's own process.
Why is the Issuer ID a UUID for me but the docs talk about Individual Keys?
This integration is built for Team Keys, which use an Issuer ID (UUID). Apple also supports Individual Keys generated from a user profile — those use a different auth shape and are not supported here. Always generate the key from Users and Access → Integrations → Team Keys, not from a personal user profile.
Where do I see the certificate-to-app linkage in the imported graph?
Certificates are connected to apps through provisioning profiles and bundle IDs. After a sync, you can traverse:
Profile → For App → App(the apps this profile is allowed to sign)Profile → Signed By → Certificate(the certs this profile uses)Profile → Authorizes → Device(development profiles only; the registered devices this profile allows)
A certificate that doesn't appear in any active provisioning profile will still be inventoried — it just won't have outbound edges to apps.
Can I limit what the key can do beyond the Apple role?
Yes. When generating the key in App Store Connect, choose the most restrictive role that covers the actions you want YeshID to perform. Read-only imports work with Developer; user management requires Admin. There is no need to grant Account Holder — and Apple won't let you.