stubkit docs

Setup · Required before first purchase

Integrations

Stubkit talks to Apple, Google, and Stripe on your behalf to validate purchases and read your product catalog. You paste credentials once per account on the /integrations page, then link them to each app from its settings. Same credentials cover every app under that provider account.

Apple — you need TWO keys

This trips up everyone. Apple has two separate API systems, and they use different keys generated in different tabs of App Store Connect.

KeyWhat forWhere to create
In-App Purchase (IAP)Webhook signature validation, subscription status cross-checkApp Store Connect → Users and Access IntegrationsIn-App Purchase tab → Generate API Key
App Store Connect APIProduct catalog sync (pulling prices, periods)App Store Connect → Users and Access IntegrationsApp Store Connect API tab → Generate API Key → role: App Manager

Apple setup steps

  1. Go to /integrations in stubkit → click Add Apple.
  2. Name it (e.g. “Acme Team”).
  3. Issuer ID — a UUID that is team-level (same for both keys). Copy from either tab’s header in App Store Connect.
  4. IAP key: in the In-App Purchase tab, click Generate API Key, download the SubscriptionKey_*.p8file, copy its Key ID from the row. Paste the .p8 contents into stubkit.
  5. ASC key: in the App Store Connect API tab, click Generate API Key, download the AuthKey_*.p8, copy its Key ID. Paste into stubkit.
  6. Save.

Note: A .p8 file can only be downloaded once. Keep a copy in your password manager. If you lose it, revoke the key in App Store Connect and generate a new one.

Permissions needed for ASC key

The App Store Connect API key must have at least the App Manager role. Lower roles (Developer, Customer Support) will return 403 on catalog endpoints.

Google Play — one service account

  1. Google Cloud Console → create or pick a project → enable Google Play Android Developer API.
  2. IAM & AdminService Accounts Create Service Account. Give it a clear name like play-console-manager. No roles needed at this step.
  3. Open the new service account → Keys tab → Add Key JSON. Download the JSON file.
  4. Google Play ConsoleUsers and permissions Invite new user → paste the service account’s email (*.iam.gserviceaccount.com). Grant at minimum:
    • View app information
    • View financial data
    • Manage orders and subscriptions
    Attach it to every app stubkit should manage.
  5. In stubkit /integrationsAdd Google Play. Paste the JSON (entire file contents). Save.

One service account can cover many Play apps — just grant it per-app access in Play Console as you add them. You only create one stubkit Google connection, even if you sell N apps.

Stripe — webhook secret + account ID

  1. Stripe Dashboard → DevelopersWebhooks Add endpoint.
  2. Endpoint URL: https://api.stubkit.com/v1/webhooks/stripe/{app_id} (replace {app_id} with your stubkit app’s ID).
  3. Events to send — at minimum:
    • customer.subscription.created
    • customer.subscription.updated
    • customer.subscription.deleted
    • invoice.payment_succeeded
    • invoice.payment_failed
    • charge.refunded
  4. After creation, copy the Signing secret (whsec_...).
  5. In stubkit /integrationsAdd Stripe. Paste your Stripe Account ID (starts with acct_) and the signing secret. Save.

Linking connections to apps

After you create connections, open any app’s settings page. Each provider section has a dropdown to pick which connection that app uses. Also fill in app-specific identifiers there:

  • Apple: the app’s bundle ID (com.example.myapp)
  • Google: the app’s package name (same format)
  • Stripe: account ID lives on the connection, not per-app

Verification

Each provider section in app settings has a Test button. It proves your credentials are structurally valid by signing a JWT with your Apple .p8, parsing your Google service account, or checking your Stripe secret format. Real authorization is proved the first time a webhook arrives — which is why we also run a one-shot Sync from stores on the products page the moment you finish setup.

What happens after

  • Webhooks start flowing automatically once Apple/Google/Stripe begin sending them (first purchase in production, or a sandbox test).
  • Your product catalog syncs daily at 03:15 UTC. A new product_id seen in a webhook triggers an on-demand sync within 10 minutes so price metadata populates before the next cron.
  • Rotating a key? Edit the connection, paste the new .p8 or JSON, save. In-flight requests pick up the new key on the next invocation — no downtime.

Troubleshooting

  • Apple 401 on “Sync from stores”: wrong tab’s issuer ID, ASC key role below App Manager, or you pasted the IAP key in the ASC field (or vice versa).
  • Google 403 “Please migrate to the new publishing API”: harmless now — we already migrated to /oneTimeProducts. Re-deploy if you see it.
  • Stripe signature failed: check the signing secret isn’t stale after webhook recreation. Each webhook endpoint has its own secret.