feat: add support for individual API keys (Xcode 26 supported feature) (#246)

Author: Armster15

README.md

@@ -82,7 +82,7 @@ await notarize({
 Alternatively, you can also authenticate via JSON Web Token (JWT) with App Store Connect.
 
 You can obtain an API key from [App Store Connect](https://appstoreconnect.apple.com/access/integrations/api).
-Create a **Team Key** (not an _Individual Key_) with **App Manager** access.
+Create a **Team Key** with **App Manager** access.
 
 Note down the Issuer ID (UUID format) and Key ID (10-character alphanumeric string),
 and download the `.p8` API key file (`AuthKey_<appleApiKeyId>.p8`).
@@ -100,6 +100,8 @@ await notarize({
 });
 ```
 
+You can alternatively use an [individual API key](https://developer.apple.com/documentation/appstoreconnectapi/creating-api-keys-for-app-store-connect-api#Generate-an-Individual-Key) if (and only if) you are using Xcode 26+. When using an individual API key, it is imperative that you omit `appleApiIssuer` (issuer ID); otherwise you will receive a "401 Unauthorized" response from the server.
+
 ### Usage with Keychain credentials
 
 As an alternative to passing authentication options, you can also store your authentication

src/notarytool.ts

@@ -30,14 +30,18 @@ function authorizationArgs(rawOpts: NotaryToolCredentials): string[] {
       makeSecret(opts.teamId),
     ];
   } else if (isNotaryToolApiKeyCredentials(opts)) {
-    return [
-      '--key',
-      makeSecret(opts.appleApiKey),
-      '--key-id',
-      makeSecret(opts.appleApiKeyId),
-      '--issuer',
-      makeSecret(opts.appleApiIssuer),
-    ];
+    // --issuer is an optional argument as it must not be provided if using an Individual key; Individual keys can only be used with Xcode 26+
+    if (opts.appleApiIssuer) {
+      return [
+        '--key',
+        makeSecret(opts.appleApiKey),
+        '--key-id',
+        makeSecret(opts.appleApiKeyId),
+        '--issuer',
+        makeSecret(opts.appleApiIssuer),
+      ];
+    }
+    return ['--key', makeSecret(opts.appleApiKey), '--key-id', makeSecret(opts.appleApiKeyId)];
   } else {
     // --keychain is optional -- when not specified, the iCloud keychain is used by notarytool
     if (opts.keychain) {

src/types.ts

@@ -44,9 +44,13 @@ export interface NotaryToolApiKeyCredentials {
   appleApiKeyId: string;
   /**
    * App Store Connect API Issuer ID. The issuer ID is a UUID format string
-   * (e.g. `c055ca8c-e5a8-4836-b61d-aa5794eeb3f4`).
+   * (e.g. `c055ca8c-e5a8-4836-b61d-aa5794eeb3f4`). Required for Team keys.
+   * Do not provide for Individual keys, this will result in a "401 Unauthorized"
+   * response from the server.
+   *
+   * Individual keys can only be used with Xcode 26+.
    */
-  appleApiIssuer: string;
+  appleApiIssuer?: string;
 }
 
 /**

src/validate-args.ts

@@ -69,10 +69,6 @@ export function validateNotaryToolAuthorizationArgs(
       throw new Error(
         'The appleApiKey property is required when using notarization with ASC credentials',
       );
-    } else if (!apiKeyCreds.appleApiIssuer) {
-      throw new Error(
-        'The appleApiIssuer property is required when using notarization with ASC credentials',
-      );
     } else if (!apiKeyCreds.appleApiKeyId) {
       throw new Error(
         'The appleApiKeyId property is required when using notarization with ASC credentials',