How to Set Up a Read-Only iTunes Connect User
There are many valuable third-party services that require iOS app developers to share iTunes Connect credentials. These services tend to add value on top of iTunes Connect data and make it easier for developers to understand what’s going on with their app. While these services probably take very good care of your credentials, no system is 100% immune to hackers. In LaunchKit’s Sales Reporter, our warning looks like this:
Your iTunes credentials will be stored using a per-user encryption key on a background worker machine. This system is very secure, but since we must supply Apple with a raw account password, it is possible for a sophisticated attacker to gain access to the password you supply. As such, we highly recommend creating a read-only iTunes Connect account and supplying that login information here, rather than using your personal iTunes account credentials.
To make this easier, here are instructions to create a read-only iTunes Connect account.
Note: It takes between 30–60 minutes for a new user to be visible through the iTunes Connect API, so once you activate the new user, wait a bit to give the credentials to any third party service.
Create a new Apple ID
Head to https://appleid.apple.com/ and create a new account with a given email address, which you’ll invite to iTunes Connect later. The name and such can be anything you like, I’d suggest “Read Only.”
You have to create this as an Apple ID first, because otherwise this account will be locked in the iTunes Connect universe alone, unable to escape.
(In reality, Apple has multiple authentication subsystems, and doing this first guarantees we’ll be able to log in with this account later.)
Sign into iTunes Connect
Next, head over to iTunes Connect and log in with an Admin account. The Admin role is the only type of iTunes user account that can change other user permissions.
Click “Users and Roles”
Click “( + )” to Add New User
Create Your New User
You can obviously name them whatever you like. We have a generic Read Only user we use for third party services. Be sure to use the same e-mail address you chose for the new Apple ID in the first step.
Select “Sales” and “Reports” for their Roles
Apple’s official description of this user type:
Gives the user access to the Sales and Trends, Analytics, Users and Roles, iAd App Network, and Contact Us sections. Users with a Sales role can view other users’ profiles but can edit only their own user information.
Assign this role to those in your organization who need access to reporting, marketing, and ad campaign information but not to app management or financial information.
Ignore the Notifications Page
We are setting this user up to serve as Apple credentials for third party services. We didn’t turn on any notifications, but obviously don’t ignore this page if you want notifications.
Verify the Email
That’s it! Now just verify the email to activate the user. It takes between 30–60 minutes for a new user to be visible through the iTunes Connect API. So wait a bit and then start giving these credentials to people who you don’t want having any write access to your iTunes account.
Please recommend this post and share if you thought this was helpful!
LaunchKit Tools
App Store Sales Alerts in Slack and Email
LaunchKit’s App Store Sales Alerts creates daily download and sales reports for your apps, then posts them into Slack and sends them via email. Sign up here.
App Review Monitor
Review Monitor is a free tool that continually checks the App Store and when a new review is detected, it’s posted into your team’s Slack channel or sent to you via email. Sign up here.
Screenshot Builder
LaunchKit’s Screenshot Builder makes it easy to create gorgeous, custom images for your App Store page and export them in every resolution Apple requires. Learn more here.
