To ship a native binary to the App Store or Google Play, Hiveku needs credentials that let it act on your behalf — sign iOS builds, upload to TestFlight, push Android releases to Play Console. These are your credentials, owned by your developer accounts, stored encrypted in AWS Secrets Manager. Hiveku never owns the apps it ships for you; you do.
Where credentials live
The Mobile Credentials page lives at /dashboard/<projectId>/mobile-credentials. It’s an Expo-only tab that appears in the project nav.
Each platform (iOS and Android) is a separate card with three states:
- Not connected — shows the inline 5-step setup guide and an upload form
- Connected — shows non-secret metadata (Apple Team ID, Apple ID, Last verified time) plus inline toggles for auto-submit and Play track
- Connected but verification failed — same as Connected with a red banner explaining the specific error
Connecting Apple Developer
Prerequisite: an active Apple Developer Program membership ($99/year). Allow ~24 hours after enrolling for Apple to verify your account before generating API keys.
What you upload
| Field | What it is |
|---|---|
| .p8 file | App Store Connect API private key. One-time download. |
| Apple Team ID | 10-character alphanumeric. Found at developer.apple.com/account → Membership Details. |
| Apple ID | The email address of the Apple ID that owns the developer account. |
| ASC API Key ID | 10-character alphanumeric. Shown next to the key in App Store Connect → Users and Access → Integrations. |
| ASC Issuer ID | UUID. Shown at the top of the ASC API Keys page. |
Step-by-step
Generate the ASC API Key
Open App Store Connect → Users and Access → Integrations → App Store Connect API. Click Generate API Key. Name it Hiveku. Pick the Admin role (recommended for first builds — see “Why Admin?” below). Click Generate.
Download the .p8 file
Apple offers the .p8 as a one-time download. Save it now. If you close the page without downloading, you have to revoke the key and generate a new one. Apple does not let you redownload.
Copy the IDs
Note the Issuer ID at the top of the page (a UUID) and the Key ID in the row of the key you just created (10 chars).
Find your Team ID
Open developer.apple.com/account → Membership Details → copy the 10-character Team ID.
/v1/users endpoint and confirms the credentials are accepted. You’ll see a green banner within 5 seconds.
Why Admin role?
The Admin role is required for automatic iOS App Store record creation on your first iOS build. Hiveku calls POST /v1/bundleIds and POST /v1/apps to register the bundle ID with Apple and create the App Store Connect app entry — saving you a manual setup step.
If your key is App Manager role only:
- Builds and submits will still work for apps that already exist in App Store Connect
- The first iOS build will fail with a clear error: “Your ASC API key role is App Manager — auto-creating the App Store record requires Admin”
- Workaround: manually create the app in App Store Connect with the bundle ID Hiveku shows you (com.hiveku.<12-hex>), then re-trigger the build
Common errors
| Banner says… | What it means | Fix |
|---|---|---|
| “App Store Connect rejected the API key” | Wrong Key ID, Issuer ID, or .p8 file is malformed | Re-copy the IDs; if the .p8 looks corrupted, revoke and regenerate |
| “API key does not have App Manager access” | Key was generated with Developer or lower role | Re-generate the key in ASC with App Manager (or Admin) role |
| “Failed to sign JWT — the .p8 file is likely malformed” | The file you uploaded isn’t a valid PKCS#8 or SEC1 PEM | Re-download from Apple; make sure it starts with -----BEGIN PRIVATE KEY----- |
| “Your ASC API key role is App Manager — auto-creating the App Store record requires Admin” | First build can’t auto-create the iOS App Store entry | Either upgrade the key to Admin, or manually create the app in App Store Connect first |
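A local shape check you can run before uploading, covering the Apple fields listed under “What you upload” and the malformed-.p8 case from the error table. This is an added example, not Hiveku's validation code; the function names are hypothetical and the sample key is a constructed dummy DER structure, not a real key.

```python
import base64
import binascii
import re

# PEM labels named in the error table: PKCS#8 and SEC1.
PEM_RE = re.compile(
    r"\A\s*-----BEGIN (PRIVATE KEY|EC PRIVATE KEY)-----\s*\n"
    r"([A-Za-z0-9+/=\s]+?)-----END \1-----\s*\Z")
ID10_RE = re.compile(r"\A[A-Za-z0-9]{10}\Z")  # Team ID / Key ID shape
UUID_RE = re.compile(r"\A[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\Z")

# Constructed sample: a dummy DER SEQUENCE in PEM armor, not a real key.
SAMPLE_P8 = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"


def der_is_single_sequence(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose length adds up."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        header, length = 2, first
    else:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_apple_upload(p8_text, team_id, key_id, issuer_id):
    """Return a list of problems; an empty list means the shapes look right."""
    problems = []
    m = PEM_RE.match(p8_text)
    if not m:
        problems.append(".p8: missing PKCS#8/SEC1 PEM armor")
    else:
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
            if not der_is_single_sequence(der):
                problems.append(".p8: truncated or not DER")
        except binascii.Error:
            problems.append(".p8: body is not valid base64")
    for name, value in (("Team ID", team_id), ("Key ID", key_id)):
        if not ID10_RE.match(value):
            problems.append(f"{name}: expected 10 alphanumeric characters")
    if not UUID_RE.match(issuer_id):
        problems.append("Issuer ID: expected a UUID")
    return problems
```

An empty result only means the inputs are well-formed; whether Apple accepts the key is still decided by the verification call after upload.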
Connecting Google Play
Prerequisites:
- A Google Play Developer account ($25 one-time)
- A Google Cloud Console account (free; same Google login as Play Console works)
- Your app entry already created in Play Console (Google Play API can’t create the very first version of an app — only updates)
What you upload
| Field | What it is |
|---|---|
| Service Account JSON | The credentials JSON for a Google Cloud service account that has Play Console release-manager access |
| Initial Play Track | Where new releases land. Default: Internal testing (safest — only invited testers see it). |
Step-by-step
Create a Google Cloud Service Account
Open Google Cloud Console → IAM → Service Accounts. Click Create Service Account. Name it hiveku-publisher. No project roles needed at this step — Play Console grants its own permission separately.
Download the JSON key
Open the service account → Keys → Add Key → Create new key → JSON. Save the downloaded file securely.
Link to Play Console
Open Play Console → Setup → API Access. Link your Google Cloud project. Find the hiveku-publisher service account in the list and grant it Release Manager role (must include “Release apps to production”, “Manage releases”, and “Manage testing tracks”).
Create the app entry in Play Console
Play Console → All apps → Create app. Set the package name to the exact com.hiveku.<your-12-hex> value shown on the Mobile Credentials page (under “App identifier”). Once the app exists in Play Console, Google’s API can update it on subsequent builds.
- Green — credentials work AND the app exists in Play Console with proper permissions
- Amber — credentials work but the app doesn’t exist in Play Console yet (loop back to Step 4)
- Red — service account doesn’t have Play Console access (verify the Release Manager role in API Access)
Common errors
| Banner says… | What it means | Fix |
|---|---|---|
| “Service account is authentic but has no Google Play Console access” | Service account exists in Google Cloud but isn’t linked in Play Console | In Play Console → Setup → API Access, grant Release Manager role to this service account |
| “App doesn’t exist in Google Play Console yet” | Credentials work but the app entry hasn’t been created | Play Console → All apps → Create app, use the bundle ID from Hiveku |
| “Service account JSON is invalid or disabled” | The JSON is malformed or the service account was disabled in Google Cloud | Re-download the JSON; check that the service account is enabled |
Auto-submit settings
Each platform has an Auto-submit toggle. Default is on.
- Auto-submit on (default): when a Build & Ship completes successfully, Hiveku immediately submits the binary to TestFlight (iOS) or your configured Play track (Android). The build → submit chain happens at EAS without intervention.
- Auto-submit off: the build finishes and you get the binary URL but no submission is triggered. Useful for QA-conscious teams who want to review the build artifact before pushing to testers.
Play track configuration
The Android side has a Play track selector. Builds with auto-submit on land in this track:
| Track | Audience | When to use |
|---|---|---|
| Internal testing | ≤100 invited testers | Default. Best for early QA. Releases are available immediately. |
| Closed testing (alpha) | Invited testers + groups | Slightly larger circle. Releases need Google review (~hours). |
| Open testing (beta) | Anyone with the opt-in URL | Public beta. Releases need Google review. |
| Production | All Play Store users | Fully public. Releases need full Google review (1-3 days first time). |
Disconnecting credentials
Click Disconnect in the Connected card. Hiveku immediately:
- Deletes the encrypted credential from AWS Secrets Manager
- Removes the platform metadata from expo_config.ios (or expo_config.android)
- Clears the corresponding row in the credential cache
Re-verifying credentials
The Verify credentials now button on each Connected card re-runs the preflight validation. Useful when:
- You changed the app entry in Play Console and want to confirm Hiveku still has access
- You suspect Apple revoked your API key and want to confirm
- Your build keeps failing at submit time and you want to isolate whether it’s a credential issue or a code issue
How Hiveku stores credentials
Each credential goes through this path:
- Customer uploads via the form (multipart POST)
- Server-side validates format (PEM header for .p8, valid JSON for service account)
- Encrypts via AWS KMS and writes to AWS Secrets Manager (key: hiveku-project-secrets/<project-id>)
- Persists non-secret metadata to website_projects.expo_config (Apple Team ID, Apple ID, Issuer ID, Key ID for iOS; Application ID, track for Android)
- Build pipeline pulls the encrypted credential into a temp directory at build time, writes it as a file inside that temp dir, hands the path to eas-cli, then deletes the temp dir on completion
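The build-time step above, as an added example that is not Hiveku's pipeline code: the credential is written into a private temp directory, its path is handed to a build step, and the directory is removed even when that step fails. The `run` callback stands in for the eas-cli invocation; the function names, file name and secret bytes are constructed.

```python
import os
import stat
import tempfile


def with_credential_file(secret: bytes, filename: str, run):
    """Write secret into a private temp dir, call run(path), always clean up.

    `run` is a hypothetical callback standing in for the build tool call.
    """
    # TemporaryDirectory uses mkdtemp: random name, directory mode 0700.
    # Leaving the with-block deletes the directory and the file inside it,
    # whether run() returned normally or raised.
    with tempfile.TemporaryDirectory(prefix="build-cred-") as workdir:
        # basename drops any directory components from the supplied name.
        path = os.path.join(workdir, os.path.basename(filename))
        # O_EXCL fails if the name already exists (no pre-planted file or
        # symlink is reused); 0600 keeps other local users from reading it.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret)
        return run(path)


def observe(path: str) -> dict:
    """Record what a build step would see while the credential exists."""
    return {
        "path": path,
        "file_mode": stat.S_IMODE(os.stat(path).st_mode),
        "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode),
    }


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real key.
    seen = with_credential_file(b"constructed-not-a-real-key", "AuthKey.p8", observe)
    print(oct(seen["file_mode"]), oct(seen["dir_mode"]),
          "still on disk:", os.path.exists(seen["path"]))
```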
What’s next
Builds & Submissions
Trigger your first build now that credentials are connected.
Native Modules
Understand which package additions need a Build & Ship vs an OTA update.