App Store Connect API Key Setup
Overview
Section titled “Overview”To use automatic code signing in RunnerHub, you need to configure an Apple App Store Connect API key at the workspace level. This key grants RunnerHub permission to create certificates and manage provisioning profiles on your behalf.
Prerequisites
Section titled “Prerequisites”- Apple Developer account with admin or app manager access
- Access to App Store Connect
Step 1: Create an API Key in Apple Developer
Section titled “Step 1: Create an API Key in Apple Developer”- Go to App Store Connect
- Click Users and Access in the sidebar
- Click the Keys tab
- Click Generate a key (or the + button)
- Enter a key name (e.g., “RunnerHub Signing”)
- For Access Level, select Developer or App Manager
- Developer: Can create and manage certificates
- App Manager: Can manage both certificates and apps (recommended)
- Click Generate
Apple will display your new key with three pieces of information:
- Key ID (e.g.,
ABC123D45E) - Issuer ID (e.g.,
12a3bc45-d6e7-89fa-bcde-f1g2h3i4j5k6) - Private Key (.p8 file) — Download this immediately; it’s only shown once
Step 2: Add API Key to RunnerHub
Section titled “Step 2: Add API Key to RunnerHub”-
In the RunnerHub dashboard, go to Workspace Settings
-
Click the Apple Signing tab
-
Click Add API Key
-
Fill in the form:
- Issuer ID: Paste the Issuer ID from App Store Connect
- Key ID: Paste the Key ID from App Store Connect
- Team ID: Your Apple Team ID (available in App Store Connect under Account > Membership)
- Private Key (.p8): Open the downloaded
.p8file in a text editor and paste the entire contents
-
Click Save
RunnerHub will:
- Encrypt your private key using industry-standard encryption
- Validate that the key has access to your Apple account
- Generate or fetch an existing Apple Distribution certificate
- Store the certificate securely
Finding Your Team ID
Section titled “Finding Your Team ID”Your Apple Team ID is an 10-character alphanumeric code (e.g., ABC123D45E). To find it:
- Go to App Store Connect
- Click Account in the top right
- Click Membership
- Look for Team ID in the table
Security & Best Practices
Section titled “Security & Best Practices”RunnerHub encrypts the .p8 file immediately upon upload. The private key is:
- Encrypted at rest
- Never logged or exposed
- Only decrypted in memory during job execution
- Deleted from memory after the job completes
API Key Permissions
Section titled “API Key Permissions”The API key you create needs Developer or App Manager access to:
- Create and manage certificates
- Fetch provisioning profiles
- Access team information
The key does not need access to:
- Financial data
- Sales reports
- App reviews
Revoking a Key
Section titled “Revoking a Key”If you suspect your API key has been compromised:
- Go to App Store Connect
- Click Users and Access > Keys
- Find the key and click the X to revoke it
- In RunnerHub, go to Workspace Settings > Apple Signing
- Click Remove API Key
The revoked key will no longer work. You’ll need to create a new key and reconfigure RunnerHub.
Multiple Teams
Section titled “Multiple Teams”If you manage multiple Apple teams, you’ll need separate API keys for each team. Create a separate API key for each team in their respective Apple accounts, then add each key to the corresponding RunnerHub workspace.
Troubleshooting
Section titled “Troubleshooting”“Invalid API key credentials”
- Verify that Issuer ID, Key ID, and Team ID are copied correctly with no extra spaces
- Ensure the .p8 file content is complete (should start with
-----BEGIN PRIVATE KEY-----) - Check that the key has not been revoked in App Store Connect
“Key does not have permission to create certificates”
- Verify the key has Developer or App Manager access
- If it has different access levels, revoke and create a new key with the correct role
“Team not found”
- Double-check your Team ID—it’s a 10-character alphanumeric code
- Verify the Team ID matches the Apple account that issued the API key
See Code Signing Troubleshooting for more help.