Security Concern: Third-Party Developer Requesting JSON/API Key for Backend Access

Subject: Security Concern - Third-Party Developer Requested JSON/API Key for Backend Access


Hello Apple Developer Community,


I recently encountered a security concern involving a third-party app development company that requested full JSON API key access to my Apple Developer account. After conducting my own research, I realized that granting this access would have allowed them unrestricted backend control over my app—even after our contract ended.


Detailed Breakdown of the Issue:


- The development company initially requested temporary access to my Apple Developer account to assist with app deployment.


- They then asked me to generate a JSON API key and provide it to them for “upload purposes.”


- I later discovered that JSON API keys do not expire unless manually revoked—meaning they could push updates, alter financial settings, and even remove my app from the store at any time without my permission.


- Their terms and conditions suggested that this practice is standard for all their clients, which raises concerns about how many other developers might be unknowingly affected.


Key Questions for the Community:


1. Is it ever necessary to provide JSON API key access to a third-party developer?


2. What is the best way to work with external developers while maintaining full security over my app?


3. Does Apple have official guidelines regarding API key sharing and security best practices in third-party development partnerships?


4. Has anyone else encountered a similar request from an external app developer?


Given the potential security risks, I have held off on making any payments for my Apple Developer account until I can fully understand how to secure it properly. I would appreciate any insights from the community on how to handle external development without compromising my account security.


Thank you in advance for your help!

MacBook Air 13″, macOS 14.4

Posted on Mar 20, 2025 11:29 AM

Question marked as Top-ranking reply

Posted on Mar 20, 2025 11:31 AM

You may wish to post this in the developer community forums: developer.apple.com. You are more likely to get a response there instead of this user forum.

4 replies

Mar 21, 2025 9:19 AM in response to Allan Jones


Thank you, Allan. I appreciate the guidance.


Out of curiosity, have you taken a look at my claims? This isn’t just a dispute with a developer—this is a major security concern that could be affecting countless businesses.


Would love to hear your thoughts.



Best,


Aduot


[Edited by Moderator]
