notarytool "Invalid credentials" submitting to notarization in CI
xcrun notarytool could not authenticate the notarization request. The Apple Notary Service accepts either an App Store Connect API key (key id, issuer, .p8) or an Apple ID with team id and an app-specific password; a mismatch in any field returns Invalid credentials.
What this error means
notarytool submit or notarytool store-credentials fails with "Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect" or "Invalid API key". The .dmg or .pkg never enters the notarization queue.
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect.
Use the developer ID and a valid app-specific password, or an App Store Connect API key.Common causes
A plain Apple ID password instead of an app-specific one
notarytool rejects the account password. Apple ID auth requires an app-specific password generated at appleid.apple.com, plus the team id.
A wrong or revoked API key trio
The key id, issuer id, or .p8 do not match an active App Store Connect API key with notarization access.
How to fix it
Store working credentials in a keychain profile
- Generate an app-specific password or an App Store Connect API key.
- Store it once with notarytool store-credentials.
- Reference the profile on submit so the secret is not on the command line.
xcrun notarytool store-credentials ci-profile \
--apple-id "$APPLE_ID" --team-id "$TEAM_ID" --password "$APP_SPECIFIC_PASSWORD"
xcrun notarytool submit App.dmg --keychain-profile ci-profile --waitSubmit with an API key instead
Pass the key trio directly when you prefer API key auth over an Apple ID password.
xcrun notarytool submit App.dmg \
--key AuthKey_$KEY_ID.p8 --key-id "$KEY_ID" --issuer "$ISSUER_ID" --waitHow to prevent it
- Use an app-specific password or API key, never the raw Apple ID password.
- Keep credentials in CI secrets and load them at runtime.
- Verify the key has notarization access before relying on it in a release job.