<?php // Path to the private key file $file_path = '/www/wwwroot/domain.com/folder/AuthKey_WAJVXXXXXX.p8'; // Read the private key from the file $private_key = openssl_pkey_get_private("file://$file_path"); if (!$private_key) { echo "Error retrieving the private key: " . openssl_error_string(); exit; } // Setup the Header without 'alg' ,Also with 'alg' the code didn't work properly $header = json_encode([ 'kid' => 'WAJVXXXXXX' // Key ID ]); // Setup the Payload $payload = json_encode([ 'iss' => '69a6de97-1498-47e3-e053-xxxxxxxxxxxx', // Issuer ID 'exp' => time() + 3600, // Token validity for one hour 'aud' => 'appstoreconnect-v1' // Audience ]); // Encode Header and Payload to Base64 $header_base64 = base64_encode($header); $payload_base64 = base64_encode($payload); $data = $header_base64 . '.' . $payload_base64; // Sign the data $signature = ''; if (!openssl_sign($data, $signature, $private_key, OPENSSL_ALGO_SHA256)) { echo "Error signing the data: " . openssl_error_string(); exit; } // Encode the signature to Base64 $signature_base64 = base64_encode($signature); // Create the JWT $jwt = $header_base64 . '.' . $payload_base64 . '.' . $signature_base64; echo "JWT: " . $jwt; ?> { "errors": [{ "status": "401", "code": "NOT_AUTHORIZED", "title": "Authentication credentials are missing or invalid.", "detail": "Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens" }] }