Skip to content
Latchkey

fastlane "Invalid API Key" App Store Connect authentication in CI

fastlane authenticates to App Store Connect with a key id, an issuer id, and a .p8 private key. If any of these is wrong, expired, or the .p8 was corrupted in transit, App Store Connect rejects the request as an invalid key.

What this error means

fastlane upload or metadata steps fail with "Invalid API Key" / "Authentication credentials are missing or invalid" from App Store Connect.

fastlane
[!] Invalid API Key. Please make sure to pass a correct key_id, issuer_id and
key content. (Authentication credentials are missing or invalid.)

Common causes

Wrong key id or issuer id

The key_id or issuer_id passed to app_store_connect_api_key does not match the key in App Store Connect.

A malformed or truncated .p8 key

The base64-encoded .p8 was decoded incorrectly or lost its PEM headers, so the key content is invalid.

How to fix it

Pass a valid key id, issuer id, and key content

  1. Store the key id, issuer id, and base64 .p8 as CI secrets.
  2. Configure app_store_connect_api_key with those values.
  3. Confirm the key has the App Manager role and is not revoked.
Fastfile
app_store_connect_api_key(
  key_id: ENV["ASC_KEY_ID"],
  issuer_id: ENV["ASC_ISSUER_ID"],
  key_content: ENV["ASC_KEY_P8"],
  is_key_content_base64: true
)

Verify the .p8 round-trips correctly

Ensure the base64 you stored decodes to the original PEM, including the BEGIN/END PRIVATE KEY lines.

Terminal
echo "$ASC_KEY_P8" | base64 --decode | head -1
# expect: -----BEGIN PRIVATE KEY-----

How to prevent it

  • Store key_id, issuer_id, and the .p8 as separate CI secrets.
  • Use base64 for the .p8 and decode it consistently.
  • Grant the API key an adequate role and rotate it before expiry.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →