Overview
Connecting Apple Search Ads lets the dashboard:
- Create, update, pause, resume, and delete App Store search campaigns plus their ad groups and targeting keywords.
- Run ads that point at any Custom Product Page (CPP) managed in App Store Connect — set the cpp_id on a creative and the dashboard resolves the matching ASC product page automatically.
- Pull spend, impressions, taps, conversions, and CPI metrics via the reports API.
- Run native creative experiments by rotating multiple ad groups (each pinned to a different CPP) under one campaign.
Why this setup is different
Apple Search Ads does not support OAuth. Instead, you generate an API certificate from the Apple Search Ads UI; the certificate gives you a PEM private key plus four identifiers. The integration signs every API request with a JWT minted from that key. This means the connect flow asks for 5 inputs rather than the usual single OAuth click:
| Input | What it is | Where to find it |
|---|---|---|
| Team ID | The Apple Developer team identifier. Used as the JWT iss claim. | Apple Developer portal → Membership Details, or the ASA UI top-right account switcher. |
| Key ID | The id of the API certificate you generated. | ASA UI → Settings → API → next to the certificate row. |
| Client ID | The ASA client identifier issued alongside the certificate. | ASA UI → Settings → API → expand the certificate row. |
| Org ID | The numeric ASA organisation id. Sent as the X-AP-Context: orgId={id} header on every API call. | ASA UI → URL bar (/o/{org_id}/...) or Settings → Account. |
| PEM private key | The downloaded .pem file’s contents. | ASA UI → when you generate the certificate, the PEM downloads once — store it in your secret manager. |
Prerequisites
Before connecting, make sure you have:
- An Apple Search Ads account in good standing.
- A user with the API role in your ASA org (only API-role users can mint certificates).
- A generated API certificate with the PEM file safely stored. Apple shows the PEM exactly once — re-download is not possible. If the file is lost, generate a new certificate.
Generate an API certificate
Inside the Apple Search Ads console:
- Go to Settings → API.
- Click Create API Certificate.
- Pick the appropriate role for the certificate (typically Standard: campaign read + write).
- Confirm — Apple will now show the Key ID, Client ID, and offer the PEM file as a single download.
- Download the .pem file and copy it somewhere safe (the dashboard reads it once on connect, then encrypts it at rest).
- Note the Key ID and Client ID shown alongside the certificate.
- Find the Org ID in the URL of the ASA console (e.g. https://app.searchads.apple.com/cm/app/o/123456/campaigns — the org id is 123456).
- Find your Team ID in the Apple Developer portal.
Connect
- Open the Paid UA → Integrations page in the dashboard.
- Click Connect on the Apple Search Ads tile. (The tile opens an inline form rather than redirecting — Apple Search Ads is the only integration that doesn’t use OAuth.)
- Paste the five values from the previous step into the form. The PEM field accepts the full file contents including the -----BEGIN EC PRIVATE KEY----- and -----END EC PRIVATE KEY----- lines.
- (Optional) Add a comma-separated list of storefronts (2-letter App Store country codes, e.g. US, GB, DE, JP). You can skip this and pick storefronts per campaign later.
- Click Connect. The dashboard mints a JWT, exchanges it for a bearer token, and probes the /me endpoint to confirm the credentials work.
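The JWT-minting step above, as an added example (not the dashboard's own code): it builds the ES256 token from the connect inputs with Node's built-in crypto and checks it locally against a public key. The function names, sample ids and 10-minute lifetime are assumptions; this page states only the iss mapping, and the kid, sub and aud fields follow Apple's published client-secret format.

```javascript
// Added example: function names, sample ids and the 10-minute lifetime are assumptions.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Mint the ES256 JWT that is exchanged for the short-lived bearer token.
function mintClientSecret({ teamId, keyId, clientId, privateKeyPem }, nowSec, ttlSec = 600) {
  if (!privateKeyPem.trim().startsWith('-----BEGIN EC PRIVATE KEY-----')) {
    throw new Error('private_key_pem is not a PEM EC private key');
  }
  const header = { alg: 'ES256', kid: keyId };
  // iss is stated on the page; sub and aud follow Apple's client-secret layout.
  const claims = { iss: teamId, sub: clientId, aud: 'https://appleid.apple.com',
    iat: nowSec, exp: nowSec + ttlSec };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS needs the raw r||s signature, not OpenSSL's default DER encoding.
  const sig = crypto.sign('sha256', Buffer.from(signingInput), {
    key: privateKeyPem, dsaEncoding: 'ieee-p1363',
  });
  return `${signingInput}.${b64url(sig)}`;
}

// Local pre-flight: check a minted JWT against a public key and the clock.
function checkClientSecret(jwt, publicKeyPem, nowSec) {
  const [h, p, s] = jwt.split('.');
  const header = fromB64url(h);
  const claims = fromB64url(p);
  if (header.alg !== 'ES256') return { ok: false, reason: 'alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKeyPem, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'signature' };
  if (claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, header, claims };
}

// Throwaway P-256 key pair standing in for the downloaded certificate.
function newSampleKeyPair() {
  return crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    privateKeyEncoding: { type: 'sec1', format: 'pem' },
    publicKeyEncoding: { type: 'spki', format: 'pem' },
  });
}

// Constructed sample ids; a real connect uses the values from the ASA UI.
const sample = newSampleKeyPair();
const jwt = mintClientSecret({ teamId: 'TEAM_SAMPLE', keyId: 'KEY_SAMPLE',
  clientId: 'CLIENT_SAMPLE', privateKeyPem: sample.privateKey }, 1700000000);
console.log(checkClientSecret(jwt, sample.publicKey, 1700000001).ok);
```

A token signed with a key from a different certificate generation fails the signature check, which is the mismatch behind the token-exchange 400 listed under Troubleshooting.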
What happens behind the scenes
| Operation | API endpoint |
|---|---|
| Create / update / delete campaign | POST/PUT/DELETE /campaigns[/id] |
| Create / update ad group | POST/PUT /campaigns/{id}/adgroups[/id] |
| Bulk-upsert targeting keywords | POST /campaigns/{id}/adgroups/{id}/targetingkeywords/bulk |
| Create / update ad (CPP reference) | POST/PUT /campaigns/{id}/adgroups/{id}/ads[/id] |
| List campaigns + pull insights | POST /reports/campaigns (range + selector body) |
| Per-ad-group split-test results | POST /reports/campaigns/{id}/adgroups |
| List accessible orgs (test connection) | GET /me, GET /acls |
- Authorization: Bearer <access_token> — the short-lived bearer minted from the PEM.
- X-AP-Context: orgId={your_org_id} — required by Apple Search Ads on every endpoint.
Idempotency-Key HTTP header. Apple Search Ads doesn’t natively dedupe on this header, so the dashboard also runs a 24-hour Redis-backed dedupe cache to make replays safe even after a transient network failure.
Custom Product Page integration
The most powerful Apple Search Ads feature is the ability to route different ad groups to different Custom Product Pages. The dashboard ties this directly to the ASO module:
- Build and publish your CPPs from the ASO module. Each CPP gets a stable internal id and (after publish) an App Store Connect product-page id.
- When creating an ad in the Paid UA module, set creative.cpp_id to the internal CPP id. The dashboard will:
  - Look up the CPP row.
  - Forward the ASC-side product-page id as productPageId on the Apple Search Ads ad creation call.
  - Fall back to your app’s default App Store product page if the CPP hasn’t been published yet.
- Set up a creative experiment that varies cpp_id across variants — the dashboard creates one ad group per variant under a single campaign, each pinned to its own CPP. Apple’s optimisation engine handles traffic rotation; the dashboard collects per-variant metrics for winner declaration.
Rate limiting
Requests are throttled per (client_id, org_id) using a sliding window built on Redis. The default budget is 60 requests per minute per org. Apple Search Ads doesn’t publish hard rate limits, so this is a conservative ceiling. If the platform returns HTTP 429, the request is automatically retried with exponential backoff.
Reporting
Metrics are pulled hourly (or on demand) via the reports API. The default report covers spend (in the org’s currency), impressions, taps, installs, and CPI. Spend is converted to USD on ingestion using same-day FX rates; the native currency, FX rate, and local-currency spend are stored alongside the USD value.
Token rotation
Apple Search Ads has no refresh-token grant. The dashboard re-mints a fresh JWT from the long-lived PEM whenever the short-lived bearer expires (the bearer typically lasts 1 hour). The PEM itself is valid for 180 days from the moment Apple issues it; rotate the certificate from the ASA UI before that window closes and reconnect from the dashboard.
Disconnect
Click Disconnect on the integration tile. The PEM and bearer token are removed from the dashboard. To fully revoke access, also revoke the API certificate from the ASA UI.
Troubleshooting
- “Apple Search Ads connect requires team_id, key_id, client_id, org_id, private_key_pem” — one or more inputs are missing. Re-check the connect form; all five are mandatory.
- “Apple Search Ads token exchange failed: 400” — the PEM does not match the Key ID / Client ID / Team ID combination. Re-download the certificate from the ASA UI; the PEM and ids must come from the same certificate generation.
- “Apple Search Ads /me returned 401” — the bearer expired or the PEM was rotated. Reconnect; the dashboard re-mints a JWT from the stored PEM on every refresh, so this should be self-healing unless the certificate itself was revoked.
- “AppNotAvailableInStorefront: XX” — the campaign requested a storefront where your app is not yet available. Either remove that storefront or expand the app’s territory list in App Store Connect.
- No CPPs available when creating an ad — the ASO module hasn’t published any CPPs yet, or the published CPPs have no ASC product-page id. Publish a CPP from the ASO module first, then return to the ad-creation flow.
- “PEM file lost” — Apple does not allow re-downloads. Generate a new API certificate from the ASA UI, then reconnect with the new credentials.

