What you'll need before starting
- An Apple Developer account (paid, $99/year)
- Admin or Account Holder role in App Store Connect
- An app already created in App Store Connect
Step 1: Create an API Key in App Store Connect
- Go to App Store Connect → Users and Access → Integrations → App Store Connect API
- Click the + button to generate a new API key
- Give it a name (e.g. "ReviewTower")
- Set the role to Customer Support — this grants read access to reviews and the ability to reply, without broader permissions
- Click Generate
Step 2: Download your credentials
Apple will show you three pieces of information you'll need. Download the .p8 private key file immediately — Apple only lets you download it once.
- Issuer ID — Found at the top of the API Keys page (a UUID)
- Key ID — An 10-character alphanumeric string shown next to each key
- Private Key (.p8 file) — Download this now. You cannot re-download it later.
Lost your .p8 file? You'll need to revoke the key and create a new one. Apple does not allow re-downloading.
Step 3: Finding your Apple ID for each app
Each app has an Apple ID (a numeric identifier, like 1234567890). You'll need this to pull reviews for specific apps.
Find it under App Store Connect → Your App → App Information → Apple ID.
You can also find it in the App Store URL: apps.apple.com/app/id1234567890
Step 4: How the authentication works
The App Store Connect API uses JWT (JSON Web Tokens) for authentication. Every API request requires a signed token generated from your credentials. The token structure is:
- Header: Algorithm (ES256) + Key ID
- Payload: Issuer ID, expiration (max 20 minutes), and audience
- Signature: Signed with your .p8 private key using ES256
Most review management tools (including ReviewTower) handle this token generation for you — you just paste in your Issuer ID, Key ID, and the contents of the .p8 file.
Step 5: Connect to ReviewTower
- In ReviewTower, go to Settings → App Store credentials
- Paste your Issuer ID
- Paste your Key ID
- Open your
.p8file in a text editor and paste the full contents (including the-----BEGIN PRIVATE KEY-----header and footer) - Click Connect
ReviewTower will verify the credentials and immediately start syncing your reviews. The first sync pulls up to 500 recent reviews per app.
Troubleshooting common errors
401 Unauthorized
Usually means your Key ID or Issuer ID is wrong, or the .p8 file is malformed. Double-check that you copied the entire .p8 file contents, including the header and footer lines.
403 Forbidden
Your API key role may be too restricted. For reading and replying to reviews, the Customer Support or Developer role is required.
Key not found
The API key may have been revoked in App Store Connect. Check under Users and Access → Integrations that the key is still active.
What the API can and can't do
Can do:
- Read reviews for all your apps (including the reviewer's nickname, rating, body, country)
- Post developer replies to reviews
- Update or delete your existing replies
Cannot do:
- Flag or report reviews for removal (must be done manually via App Store Connect)
- Access private sales or financial data (separate API scope)
- Retrieve historical reviews older than what Apple's API returns (typically the most recent 500)
Keeping your credentials secure
Your .p8 private key gives API access to your entire App Store Connect account (scoped to the permissions you set). Treat it like a password:
- Never commit it to a Git repository
- Store it encrypted at rest (ReviewTower does this by default)
- Revoke and rotate keys if you suspect they've been compromised