App Store Connect API key and vendor access setup for revenue reports
Apple App Store Connect source access lets Netice read selected Apple revenue report families. It is separate from destination access, separate from BigQuery or Snowflake write permissions, and separate from object storage. Netice encrypts customer secret material, uses secret management for credentials, and keeps Apple source setup separate from customer-owned destination setup.
Apple source access controls what Netice can read from App Store Connect. It does not control where Netice writes the output. BigQuery, Snowflake, GCS and S3 destination access are configured separately.
What Apple source access means in Netice
A valid Apple source connection can allow a task to fetch selected Apple reporting inputs, but it does not grant permission to write to a customer-owned warehouse or storage destination. Source access and destination access are two separate parts of the setup.
This distinction matters because Netice app revenue workflows separate Daily App Sales, Finance Unified, and Raw Reports. Daily App Sales uses Apple Sales and Trends style /salesReports. Finance Unified uses Apple /financeReports where configured. Raw Reports preserve provider-native Apple report artifacts where supported.
The goal of setup is not just “connect Apple.” The goal is to connect the correct Apple report family for the task, keep Apple source access separate from destination access, and handle customer credentials through encrypted secret management rather than displaying raw values after setup.
| Apple source context | Netice source mode | Apple report family | Output family |
|---|---|---|---|
| Daily App Sales | google_apple_app_sales |
Sales and Trends style /salesReports, including Summary Sales and subscription events where available. |
Daily enriched analytics such as app_sales_daily or destination-specific equivalents. |
| Platform Finance | finance_unified |
App Store Connect /financeReports. |
Monthly platform finance output such as finance_unified where configured. |
| Raw Reports | apple_app_store_raw_reports |
Provider-native Apple report families selected through raw mode. | Raw provider-native artifacts and safe status metadata. |
The core boundary: Apple source access is not destination access
An App Store Connect API key lets Netice read selected Apple source reports when the credential and vendor scope are valid. It does not let Netice write to BigQuery, GCS, S3, or Snowflake. Destination access must be configured separately.
The reverse is also true. A valid BigQuery, S3, GCS, or Snowflake destination connection does not prove that Apple Sales and Trends, Apple financeReports, raw Apple report families, vendor numbers, or app resource context are correctly configured on the source side.
App Store Connect API key fields
Apple source setup uses an App Store Connect API credential bundle. The setup categories are issuer ID, key ID, private key, and vendor/reporting context. Netice encrypts customer secret material and stores it through its secret-management layer, so the product can validate and reuse access without showing raw credential values back after setup.
Apple private-key material is sensitive credential material. The setup UI handles secure entry and validation; this page describes only the credential categories, report-family coverage, and source/destination boundary. Public examples stay synthetic and do not include private-key blocks, PEM snippets, JWT examples, or realistic-looking key material.
| Credential category | Role in setup | How Netice handles it |
|---|---|---|
| Issuer ID | Part of the App Store Connect API credential bundle. | Shown as a setup category, not as a public example value. |
| Key ID | Identifies the API key in the credential bundle. | Shown as a setup category, not as a public example value. |
| Private key | Used as sensitive signing material for App Store Connect API access. | Encrypted and secret-managed; not displayed back after saving. |
| Vendor/reporting context | Identifies the reporting scope for the selected report family. | Shown as reporting scope with synthetic labels in examples. |
Daily Sales and Trends vs financeReports vendor scope
Apple report-family coverage is not automatically universal. Daily Sales and Trends reporting and monthly financeReports are different source families. Sales and Trends vendor coverage does not prove Apple financeReports coverage. For Finance Unified, the relevant scope is Payments and Financial Reports vendor coverage.
This is one of the most common setup mistakes. A team can have working daily app-sales access and still lack the financeReports access needed for Finance Unified. A team can also have financeReports access and still need a separate destination connection before Netice can write the output to BigQuery, Snowflake, GCS, or S3.
| Workflow | Apple report family | Vendor/access concept | Important boundary |
|---|---|---|---|
| Daily App Sales | Sales and Trends / /salesReports |
Apple vendor scope for daily sales-style reporting. | Does not prove financeReports access. |
| Finance Unified | Apple /financeReports |
Payments and Financial Reports vendor coverage. | Does not replace destination setup. |
| Raw Reports | Selected raw Apple report families | Report-family-specific setup such as region or app-specific context where required. | Not every raw family is enabled by default. |
Daily App Sales: Sales and Trends source access
Daily Apple app-sales analytics uses the Daily App Sales source mode google_apple_app_sales with Apple App Store selected as a provider. The Apple source family is Sales and Trends style /salesReports, not /financeReports.
In Daily App Sales output, Apple Summary Sales rows can be labeled with source = 'APPLE_APP_STORE', platform = 'IOS', source_kind = 'SALES', and source_report = 'ASC_SUMMARY_SALES'. Apple subscription event rows can use source_report = 'ASC_SUBSCRIPTION_EVENT'. These daily rows are operational analytics; they are not final payout, settlement, accounting close, tax advice, audit, GAAP, IFRS, ASC 606, or bank reconciliation.
| Daily Apple field | Example value | Meaning |
|---|---|---|
source |
APPLE_APP_STORE |
Provider/source category. |
platform |
IOS |
Apple App Store platform context. |
source_kind |
SALES |
Daily app-sales analytics, not finance. |
source_report |
ASC_SUMMARY_SALES |
Apple Summary Sales style source rows. |
source_report |
ASC_SUBSCRIPTION_EVENT |
Apple subscription event source rows where available. |
Finance Unified: Apple financeReports source access
Apple financeReports belong to Finance Unified, not Daily App Sales. Finance Unified uses finance_unified as the source mode and source_kind = 'FINANCE'. Apple finance source reports can be normalized with labels such as APPLE_FINANCE_DETAIL and APPLE_FINANCIAL where supported by the selected report type.
For Apple finance workflows, Netice keeps finance report type and region scope separate from Daily App Sales. Apple Finance Detail and Financial report contexts belong to the finance layer. Scope labels such as Z1 and ZZ are Apple report-scope concepts, not customer identifiers.
| Finance concept | Finance label or scope | Boundary |
|---|---|---|
| Source mode | finance_unified |
Monthly platform finance workflow. |
| Apple API family | /financeReports |
Not Sales and Trends /salesReports. |
| Source kind | FINANCE |
Not daily SALES. |
| Finance report labels | APPLE_FINANCE_DETAIL, APPLE_FINANCIAL |
Separate from ASC_SUMMARY_SALES. |
| Finance vendor coverage | Payments and Financial Reports vendor scope | Not proven by daily Sales and Trends coverage. |
Raw Apple report family setup
Raw Apple reports use a separate source mode: apple_app_store_raw_reports. Raw mode preserves provider-native report artifacts. It does not normalize those artifacts into the Daily App Sales schema or the Finance Unified schema by default.
Raw report setup can cover core Apple daily Sales and Trends and subscription-style report families where supported. Some raw finance or app-specific raw families can require extra setup, such as finance region scope or app-specific report context. Netice keeps those identifiers out of public examples and status summaries.
| Raw family type | Setup implication | Boundary |
|---|---|---|
| Recommended Apple raw bundle | Core raw report families where supported. | Availability depends on selected raw families and source access. |
| Raw finance families | Can require finance region scope. | Finance region scope stays private to the customer setup. |
| App-specific raw families | Can require app-specific report context. | App-specific identifiers and content stay private. |
| Destination output | Raw output is separate from Daily App Sales and Finance Unified. | Raw files remain separate from normalized daily or finance outputs. |
Saved Apple connections
Saved Apple connections reduce repeated credential handling for recurring tasks. A saved Apple source connection can be selected in task setup instead of entering the App Store Connect credential bundle again. Netice encrypts customer secret material, stores it through secret management, and shows safe connection metadata rather than raw credential values after saving.
Saved access is useful, but it does not remove report-family requirements. A saved Apple connection may be valid for daily Sales and Trends but not financeReports, depending on vendor coverage and permissions. It also does not provide destination access. BigQuery, GCS, S3 and Snowflake still require destination setup.
| Saved connection behavior | Customer-facing explanation | Boundary |
|---|---|---|
| Reusable Apple source access | Saved Apple access can be selected for recurring tasks. | Report-family access still depends on Apple permissions and vendor coverage. |
| Workspace scope | Saved access is scoped to the workspace/client context. | Saved access remains scoped to the relevant workspace. |
| Write-only credentials | Credential values are encrypted, secret-managed and not shown back after saving. | Raw private-key values are not recoverable from the interface. |
| Rotation | Apple credential rotation uses a replacement credential bundle. | A complete replacement bundle is the safer rotation pattern. |
| Delete behavior | Delete can be blocked while tasks still reference the connection. | Provider-side revocation remains the customer’s responsibility in App Store Connect. |
Source access vs destination access
The Apple setup flow separates source access from destination access. App Store Connect API credentials allow source reads. Destination credentials allow warehouse or storage writes.
| Access type | What it authorizes | What it does not authorize |
|---|---|---|
| Apple source access | Reading selected App Store Connect report families. | Writing to BigQuery, GCS, S3 or Snowflake. |
| BigQuery / GCS destination access | Writing to customer-owned Google Cloud targets. | Reading App Store Connect reports. |
| AWS S3 destination access | Writing files or raw report artifacts to S3. | Reading App Store Connect reports. |
| Snowflake destination access | Writing warehouse output to Snowflake. | Reading App Store Connect reports. |
This boundary makes support and troubleshooting cleaner: a destination write failure should be handled separately from Apple source credentials unless diagnostics show that the Apple source side is the failing side.
Common setup states
Apple setup can fail for multiple reasons. The correct response depends on whether the problem is missing source credential categories, Apple credential validation, vendor/report access, report availability, raw family setup, destination access or saved-connection state.
| Setup state | Meaning | Customer-safe response |
|---|---|---|
| Missing credential category | A required Apple source credential category or vendor context is absent. | Ask the user to complete the missing category in the secure setup flow. |
| Apple credential validation failure | The credential material cannot be validated for App Store Connect access. | Show a bounded credential validation message without key material or stack traces. |
| Vendor/report access failure | The selected vendor/report family is not accessible with the provided Apple source access. | Identify the report-family access problem without exposing vendor numbers. |
| Report not ready | Apple accepted access but the requested report window is not available yet. | Show provider availability status without raw response bodies or source file names. |
| Raw family setup required | Selected raw family needs extra setup such as region scope or app-specific report context. | Ask for the required setup context without exposing app-specific identifiers publicly. |
| Destination failure | BigQuery, GCS, S3 or Snowflake cannot be written. | Separate destination access issues from Apple source issues while keeping destination identifiers private. |
Security, encryption and secret management
A setup guide should be useful without becoming a credential leak. Netice can describe Apple source access categories, saved connection behavior, report-family coverage, encryption, secret management and source/destination separation without exposing real identifiers or realistic credential examples.
| Public explanation | Kept out of public examples and summaries |
|---|---|
| Credential categories and encrypted secret handling | Issuer IDs, key IDs, private keys, JWTs or screenshots containing identifiers. |
| Vendor scope concept | Real vendor numbers or account-specific vendor mappings. |
| Saved connection concept | Saved connection IDs, secret references, credential references, internal task references or internal secret identifiers. |
| Raw family setup categories | App resource IDs, raw review contents, source file names or provider rows. |
| Source-vs-destination boundary | Customer BigQuery projects, S3 buckets, Snowflake accounts or object paths. |
Encrypted, secret-managed credential storage
Customer credential material is encrypted and handled through Netice’s secret-management layer. Task and connection screens can show safe status and configuration metadata, but raw private keys, tokens, credential references and internal secret identifiers are kept out of public examples, normal summaries and support copy.
Safe synthetic setup examples
The examples below use synthetic names only. They show the setup shape without exposing credentials, provider screenshots, customer configuration or source report data.
Daily Apple app-sales analytics
Source mode: google_apple_app_sales
Selected provider: Apple App Store
Apple source access: saved connection named example_apple_app_store_reporting
Vendor scope: VENDOR_SYNTHETIC_SALES
Destination access: saved connection named example_bigquery_app_revenue
Output target: example_project.example_dataset.app_sales_dailyApple financeReports through Finance Unified
Source mode: finance_unified
Selected provider: Apple Finance Reports
Finance vendor scope: VENDOR_SYNTHETIC_FINANCE
Finance region scope: Z1
Destination: example_project.example_dataset.finance_unified
Reporting period: 2026-04Apple raw report setup
Source mode: apple_app_store_raw_reports
Raw sync mode: recommended_bundle
Apple source access: saved connection named example_apple_raw_reporting
Destination: s3://example-app-revenue/raw/apple/Keep public examples synthetic: real issuer IDs, key IDs, private keys, vendor numbers, app resource IDs, app IDs, bundle IDs, SKUs, source rows, source paths, source row hashes, destination paths, task IDs, run IDs, logs, payment references and customer data belong only in private customer setup and Netice’s encrypted secret-management flow.
FAQ
What Apple App Store Connect access does Netice need?
Netice needs Apple source access for the selected report family. Daily App Sales uses Sales and Trends style reports, Finance Unified uses financeReports where configured, and Raw Reports use selected provider-native raw families.
Which App Store Connect API key fields are required?
Apple source setup uses App Store Connect credential categories such as issuer ID, key ID, private key and vendor/reporting context. Netice encrypts customer secret material, stores it through secret management, and does not show raw credential values back after saving.
Does Netice encrypt Apple credential material?
Yes. Customer secret material is encrypted and handled through Netice’s secret-management layer. Public examples and normal summaries do not include raw keys, tokens, secret references, credential references or internal secret identifiers.
Is a Sales and Trends vendor number enough for financeReports?
No. Sales and Trends vendor coverage does not prove financeReports coverage. Finance Unified requires finance-capable vendor access.
What is the difference between Apple daily salesReports and financeReports?
Daily /salesReports feed Daily App Sales and operational analytics. Apple /financeReports feed Finance Unified and monthly finance-period output where configured.
Can I save Apple App Store Connect access for recurring tasks?
Yes, saved Apple access can be used for recurring tasks where configured. Saved access reduces repeated credential handling, but it does not remove report-family or destination-access requirements.
Are Apple private keys shown back after saving?
No. Apple credential values are write-only after saving. Saved connection summaries show safe metadata, not raw credential material.
Can Apple source access write to BigQuery, GCS, S3 or Snowflake?
No. Apple source access lets Netice read App Store Connect reports. Destination access for BigQuery, GCS, S3 or Snowflake must be configured separately.
What happens if I delete a saved Apple connection?
Delete can be blocked while tasks still reference the saved connection. Deleting the Netice saved connection does not automatically revoke the Apple API key in App Store Connect.
When do raw Apple report families need region codes or app resource IDs?
Some advanced raw families can need extra setup such as finance region scope or app-specific report context. Those identifiers stay private to the customer’s setup and are excluded from public examples.
Why can an Apple report be unavailable even when credentials are valid?
A report can be not ready, outside the selected period, unavailable for the selected vendor/report family, or blocked by report-family-specific access. Missing does not automatically mean zero revenue.
Set up Apple source access without mixing report families or destinations
Netice separates Apple source access, encrypted secret handling, saved connections, Daily App Sales, Finance Unified, Raw Reports and customer-owned destinations so app revenue pipelines remain understandable and safe to operate.
