An App Store Connect API key lets the LingCode agent upload builds, manage TestFlight, and check provisioning data without re-entering your Apple ID password every time. Generate it once, register it once, forget about it.
Every interaction with App Store Connect β uploading a build, listing your apps, inviting a TestFlight tester β eventually has to authenticate. Apple's old answer was your Apple ID password, two-factor codes, and a session that expired faster than was useful for automation. The new answer, available since 2019, is the App Store Connect API: every call signs a short-lived JWT with a private key Apple gave you, scoped to a role you picked, revocable at any time.
For the LingCode agent to upload builds on your behalf, it needs that private key. There's no way around generating it β Apple deliberately doesn't allow programmatic key creation, because the key is the credential. Once you've generated it once, though, you've done the hard part forever. The key lives in your macOS Keychain, and any agent-driven flow that touches App Store Connect β TestFlight uploads, App Store metadata, whatever ships next β uses it transparently.
This tutorial walks the one-time setup: which role to pick (smaller blast radius matters), how to download the .p8 file (you only get one chance), and how to register the three values with LingCode. The TestFlight tutorial is the natural next step.
.p8 file (one-shot β don't lose it).p8 with LingCodeSign in to appstoreconnect.apple.com. Click Users and Access in the top nav, then Integrations in the sidebar, then App Store Connect API, then the Team Keys tab.
Yes, it's four clicks deep. Apple buries this β bookmark the final URL once you reach it.
Click Generate API Key. Give it a recognizable name (e.g., "LingCode TestFlight") and pick a role.
For "ship to TestFlight from chat," App Manager is the right floor: enough to upload and manage TestFlight, not enough to delete apps or change team membership. Don't use Admin or Account Holder roles for a key the agent will hold β keep the blast radius small.
Click Generate and Apple creates the key.
Apple shows a Download API Key button next to the new key. Click it now. The download is a one-time event β once you navigate away, Apple will not let you download this .p8 again. You'll have to revoke and regenerate.
The file is named AuthKey_<KeyID>.p8. Drop it somewhere stable for the next step (Downloads is fine β you can delete it after registering).
You need three pieces of info to register the key:
69a6de70-...). One per team.ABC1234DEF). One per key..p8 file β the file you downloaded in Step 3.Open the AI chat panel in LingCode and say:
Save my App Store Connect API key. Issuer ID: <value>. Key ID: <value>. The .p8 is at /Users/<you>/Downloads/AuthKey_<keyid>.p8.
The agent calls the internal set_asc_api_key tool. The contents of the .p8 (not the file path) plus the two IDs land in your macOS Keychain under the service LingCode. You can delete the file from Downloads now if you want β LingCode has its own copy.
In chat: Is my ASC API key set up?
The agent checks Keychain and reports either: "Yes, Issuer ID ends in ...abc, Key ID ABC1234DEF" or "No, no ASC key configured." It doesn't print the full Issuer ID or the .p8 contents β just enough to confirm you registered the right one.
If the person whose role created the key leaves the team, or if you suspect the key leaked, revoke it. In App Store Connect β Team Keys, click Revoke next to the key. Apple invalidates it immediately; future API calls will fail.
Generate a fresh key and re-register with LingCode via the same chat command. The old Keychain entry overwrites cleanly.