AgentSkillsCN

app-store-connect-api

Apple App Store Connect API 集成实施指南。适用于以下场景:(1) 构建 API 客户端以管理证书、配置文件、Bundle ID 或设备;(2) 为 App Store Connect 实施 JWT 认证;(3) 理解 API 请求与响应模式,以及错误处理机制;(4) 处理 TestFlight 构建、Beta 测试组或应用提交流程;(5) 通过 OpenAPI 规范探索可用的端点、数据模型或功能特性。同时附带脚本,用于获取并分析 Apple 官方的 OpenAPI 规范。

SKILL.md
--- frontmatter
name: app-store-connect-api
description: >
  Guide for implementing Apple App Store Connect API integrations. Use when:
  (1) Building API clients to manage certificates, provisioning profiles, bundle IDs, or devices,
  (2) Implementing JWT authentication for App Store Connect,
  (3) Understanding API request/response patterns and error handling,
  (4) Working with TestFlight builds, beta groups, or app submissions,
  (5) Discovering available endpoints, schemas, or capabilities via the OpenAPI spec.
  Includes scripts for fetching and analyzing Apple's official OpenAPI specification.

App Store Connect API Development

Quick Reference

Base URL: https://api.appstoreconnect.apple.com/
Auth: JWT with ES256 signature (max 20 min lifetime)
Format: JSON:API specification

Authentication

Generate JWT with these claims:

json
{
  "iss": "ISSUER_ID",      // From App Store Connect
  "iat": <unix_timestamp>,
  "exp": <iat + 1200>,     // Max 20 minutes
  "aud": "appstoreconnect-v1"
}

Header: { "alg": "ES256", "kid": "KEY_ID", "typ": "JWT" }

For code examples in C#, Python, Node.js, Go → see references/authentication.md

Request/Response Format

All resources follow JSON:API structure:

json
// Response
{
  "data": { "type": "bundleIds", "id": "ABC123", "attributes": {...} },
  "included": [...],  // Related resources when using ?include=
  "links": { "self": "...", "next": "..." }
}

// Create/Update Request
{
  "data": {
    "type": "bundleIds",
    "attributes": { "name": "My App", "identifier": "com.example.app", "platform": "IOS" },
    "relationships": { ... }
  }
}

Common query parameters:

  • filter[field]=value - Filter results
  • sort=field / sort=-field - Sort ascending/descending
  • limit=50 - Pagination (follow links.next)
  • include=relatedResource - Include related data
  • fields[type]=field1,field2 - Sparse fieldsets

For full patterns → see references/patterns.md

Core Resources

ResourceEndpointKey Operations
Certificates/v1/certificatesList, Create (CSR), Delete
Bundle IDs/v1/bundleIdsList, Create, Update name, Delete
Capabilities/v1/bundleIdCapabilitiesEnable, Update, Disable
Devices/v1/devicesList, Register, Update status
Profiles/v1/profilesList, Create, Delete
Apps/v1/appsList, Get, Update
Builds/v1/buildsList, Get, Update (expire)

For detailed schemas and request formats → see references/resources.md

Common Enums

Platform: IOS, MAC_OS, UNIVERSAL

CertificateType: IOS_DEVELOPMENT, IOS_DISTRIBUTION, MAC_APP_DEVELOPMENT, MAC_APP_DISTRIBUTION, DEVELOPER_ID_APPLICATION

ProfileType: IOS_APP_DEVELOPMENT, IOS_APP_STORE, IOS_APP_ADHOC, MAC_APP_DEVELOPMENT, MAC_APP_STORE

CapabilityType: PUSH_NOTIFICATIONS, ICLOUD, GAME_CENTER, IN_APP_PURCHASE, APP_GROUPS, APPLE_PAY, ASSOCIATED_DOMAINS, HEALTHKIT, HOMEKIT, SIRIKIT

Discovering Endpoints & Schemas

Use the OpenAPI spec analyzer script to explore the full API:

powershell
# Download spec and show summary
./scripts/fetch_openapi_spec.ps1

# List all 192 resource categories
./scripts/fetch_openapi_spec.ps1 -ListResources

# Show endpoints for a resource
./scripts/fetch_openapi_spec.ps1 -Resource BundleIdCapabilities

# Show schema details
./scripts/fetch_openapi_spec.ps1 -Schema BundleIdCreateRequest

# Search endpoints and schemas
./scripts/fetch_openapi_spec.ps1 -Search testflight

The script caches the spec at ~/.cache/asc-openapi/openapi.oas.json. Use -Refresh to re-download.

Error Handling

All errors return:

json
{
  "errors": [{
    "status": "400",
    "code": "PARAMETER_ERROR.INVALID",
    "title": "...",
    "detail": "..."
  }]
}

Common codes:

  • PARAMETER_ERROR.INVALID / PARAMETER_ERROR.MISSING - Bad request
  • NOT_FOUND - Resource doesn't exist
  • FORBIDDEN - Insufficient API key permissions
  • AUTHENTICATION_ERROR - JWT issues (expired, bad signature)
  • 429 - Rate limited (check Retry-After header)

Implementation Tips

  1. Token caching: Generate one token and reuse for ~15 min (leave buffer before 20 min expiry)

  2. Pagination: Always follow links.next until exhausted; don't assume result counts

  3. Relationship endpoints: Use /v1/bundleIds/{id}/bundleIdCapabilities not filter params (some relationships don't support filtering)

  4. Wildcard bundle IDs: End with .* (e.g., com.example.*); have limited capability support

  5. Profile devices: Development profiles require explicit device list; App Store profiles don't include devices

  6. Certificate CSR: Generate locally with openssl or programmatically; submit base64-encoded content

Official Resources