Core concepts

API Keys & Credentials

1 min read

Managing your store API keys and credentials securely is critical for automated publishing.

Google Play service account

The service account JSON key contains sensitive credentials. Lunadeck encrypts these keys at rest and only decrypts them during the publishing step.

Key format

The service account JSON key looks like this:

{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "your-sa@your-project.iam.gserviceaccount.com",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}

Required permissions

Your service account needs the following Play Console permissions:

• View app information and download bulk reports
• Manage production releases
• Manage testing track releases

Rotating credentials

To rotate your API credentials:

1. Generate a new service account key in Google Cloud Console
2. Upload the new key in Settings > Store Connections
3. Delete the old key from Google Cloud Console

Lunadeck will immediately start using the new key for all subsequent publishes.

Security best practices

• Use a dedicated service account for Lunadeck (don't share with other services)
• Enable audit logging in Google Cloud to track API usage
• Rotate keys every 90 days
• Restrict the service account to only the apps it needs to publish