App Store Connect JWT Decoder

Decode App Store Connect API tokens in your browser to debug 401 errors — the token never leaves your device.

Developer Utilities100% freeNo sign-up required

Decoded 100% in your browser — the token never leaves this page. The signature is not verified.

Paste a token above to decode its header and payload.

A 401 NOT_AUTHORIZED from the App Store Connect API tells you almost nothing — the actual problem is buried inside the JWT you generated. This decoder splits the token into its header and payload and checks the claims Apple requires: the header must declare alg ES256 with a kid (your key ID) and typ JWT, and the payload needs iss (your issuer ID), iat, exp, and aud set to appstoreconnect-v1. The most frequent failure, an expiry more than 20 minutes out, is flagged automatically.

Everything happens client-side. Your token is decoded with JavaScript in this page and is never transmitted, logged, or stored anywhere — which matters, because a valid ASC token grants real access to your account. As a rule, never paste live credentials into online tools that send data to a server; this one deliberately doesn’t.

How to debug an App Store Connect API token

  1. 1

    Generate your token as usual, then paste the full JWT (the three dot-separated base64url segments) above.

  2. 2

    Check the decoded header: alg must be ES256 — Apple rejects HS256 and RS256 — and kid must exactly match the key ID from App Store Connect → Users and Access → Integrations.

  3. 3

    Check the payload: iss must be your issuer ID (a UUID, not your team ID), and aud must be the string appstoreconnect-v1.

  4. 4

    Look at the expiry check: exp may be at most 20 minutes after iat. Tokens signed with a longer lifetime are rejected even though they are otherwise valid.

  5. 5

    If every claim looks right but requests still fail, verify you are signing with the .p8 private key that belongs to that kid, and that the key’s role has permission for the endpoint you are calling.

Anatomy of an App Store Connect API token

ASC API tokens are JWTs signed with ES256 — ECDSA over the P-256 curve — using the .p8 private key you download (exactly once) when creating an API key. The header carries three fields: alg ("ES256"), kid (the 10-character key identifier), and typ ("JWT"). The payload carries iss (the issuer ID shown at the top of the Integrations page), iat (issued-at, as a Unix timestamp), exp (expiry), and aud ("appstoreconnect-v1"). Individual keys additionally include a sub claim, and tokens can optionally carry a scope array restricting them to specific requests.

Apple enforces a hard ceiling on token lifetime: exp can be at most 20 minutes after the token is issued. This is why you cannot mint one long-lived token and cache it for a day — production integrations regenerate tokens continuously, typically with a small safety margin so a token never expires mid-request.

Why decoding beats guessing when auth fails

The classic 401 NOT_AUTHORIZED has a short list of causes, and each one is visible in the decoded token: a kid that doesn’t match any active key (or matches a revoked one), iss set to the team ID instead of the issuer UUID, aud misspelled or versioned wrong, exp beyond the 20-minute window, or iat in the future because the signing machine’s clock is skewed. Thirty seconds of reading decoded claims replaces an hour of regenerating keys at random.

One thing this tool intentionally does not do is verify the signature — that would require key material, and your .p8 private key should never be pasted anywhere. A decoded token with perfect claims can still fail if it was signed with the wrong .p8 file, so if the claims check out, the key is the next suspect. Remember that anyone holding a validly signed token can act on your account until it expires, so treat tokens as secrets even though they only live 20 minutes.

Frequently asked questions

Is it safe to paste my App Store Connect token here?

The token is decoded entirely in your browser with client-side JavaScript — it is never sent to a server, logged, or stored. That said, an unexpired token is a live credential: the safest practice is to debug with a token you have already let expire, since decoding works the same either way.

Why does Apple reject my token with 401 NOT_AUTHORIZED?

The usual suspects, in order: exp more than 20 minutes after issue, iss set to your team ID instead of the issuer ID (a UUID), a kid that doesn’t match an active API key, aud not exactly appstoreconnect-v1, or a signature made with the wrong .p8 private key. Decoding the token exposes the first four immediately.

What algorithm do App Store Connect API tokens use?

ES256 — ECDSA with the P-256 curve and SHA-256. Many JWT libraries default to HS256, which Apple rejects, so you usually need to pass the algorithm explicitly and load the .p8 file as an EC private key.

Why is the token lifetime limited to 20 minutes?

Apple enforces the 20-minute maximum to limit the damage window if a token leaks. Your integration should generate a fresh token per session or per batch of requests rather than caching one long-term; most ASC client libraries handle this rotation automatically.

Does this tool verify the token’s signature?

No — signature verification would require the private key, which you should never paste into any web page. The decoder validates structure and claims only. If every claim is correct but Apple still returns 401, the signature (wrong .p8 file for that kid) is the most likely remaining cause.

Where do I find my issuer ID and key ID?

In App Store Connect go to Users and Access → Integrations → App Store Connect API. The issuer ID (a UUID) is shown at the top of the page and is shared by all keys; each key row shows its own 10-character key ID, which goes in the JWT header’s kid field.

Skip the JWT plumbing entirely

Appalize handles App Store Connect authentication for you — connect once and manage metadata, releases, pricing, and analytics through the dashboard, or automate it all via the Appalize MCP and API.

Automate App Store Connect free

Related free tools