API Keys

API keys let CI, scripts and the GitHub Action authenticate as you without signing in interactively. Instead of your login, an automated release carries a scoped token that you create in the app and can revoke at any time. Publishing a release from CI needs exactly one of these, passed as AMORE_TOKEN.

Create a key

  1. Open AmoreSettings… (⌘,) and scroll to API Keys. You need to be signed in to Amore to manage keys.
  2. Click New Key.
  3. Give it a Name you'll recognize later, e.g. GitHub Actions. It's just a label.
  4. Pick a Scope (see below). Release is the default and the right choice for CI.
  5. Click Create.

The secret token appears once. Copy it right then: for your security, Amore never shows it again. If you lose it, delete the key and create a new one.

A token looks like amore_ followed by a long string. Treat it like a password.

Scopes

  • Release: upload releases and read your account. Best for CI.
  • Full access: every endpoint, including licenses and products.

Give a key the least it needs. Release is enough to build and publish, so use it for any release pipeline. Reach for Full access only when a script also has to manage licenses or products.

Use it in GitHub Actions

Add the token as a repository secret named AMORE_TOKEN under SettingsSecrets and variablesActionsNew repository secret, then pass it into the release step:

amore-token: ${{ secrets.AMORE_TOKEN }}

That's the only Amore-specific secret the action needs. See GitHub Actions for the full workflow and the Apple signing secrets.

Use it with the CLI

Set AMORE_TOKEN in the environment and the CLI authenticates with it instead of your local sign-in, so there's no amore login step:

export AMORE_TOKEN=amore_your_token_here
amore release --scheme MyApp

This is what any CI runner or server-side script should do. When AMORE_TOKEN is set the CLI runs in token mode and won't read or write your login keychain.

Manage and rotate keys

The API Keys list shows each key's Name, Scope and Last used. Last used reads Never until the key's first request, so you can spot one that isn't being used.

To rotate a key, create a new one, update AMORE_TOKEN wherever it's stored, then delete the old key. Deleting takes effect immediately: any CI or script still using that token stops working at once. Use a separate key per pipeline or machine so you can revoke one without breaking the others.