You need an active Apple Developer Program membership to create pass certificates.
- Go to developer.apple.com and sign in with your Apple ID
- Enrol in the Apple Developer Program (costs $99/year)
- Wait for approval — usually a few minutes, up to 24 hours
A Pass Type ID is a unique reverse-domain identifier for your pass.
- Go to Identifiers → Pass Type IDs
- Click +, select Pass Type IDs, click Continue
- Enter a description and an identifier starting with
pass. (e.g. pass.com.acmecorp.loyalty)
- Click Continue, then Register
A CSR proves your identity when requesting the pass certificate. Done on your Mac in Keychain Access.
- Open Keychain Access (
Cmd+Space, type Keychain Access)
- Menu bar: Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority…
- Enter your email and a common name (e.g.
Acme Wallet Pass), leave CA Email blank, select Saved to disk
- Save as
CertificateSigningRequest.certSigningRequest
- Go to Identifiers → Pass Type IDs
- Click on your Pass Type ID
- Under Production Certificates click Create Certificate
- Upload the CSR file you saved in the previous step
- Click Continue, then Download
- Double-click the downloaded
pass.cer to install it into Keychain Access
- Open Keychain Access → click My Certificates in the left sidebar
- Find the certificate named
Pass Type ID: pass.com…
- Right-click → Export… and save as
wallet-pass-cert.p12
- Set a password to protect the file and note it below
Enter the password you chose, then upload the .p12 file.
The API requires the certificate as a single-line base64 string. Open Terminal and run:
base64 -i wallet-pass-cert.p12 | tr -d '
'
Tip — copy straight to clipboard:
base64 -i wallet-pass-cert.p12 | tr -d '
' | pbcopy
Paste the result in the field below. If you uploaded the .p12 file in the previous step you can skip this.
Optional but recommended — verify the certificate opens correctly before submitting.
Run in Terminal (replace the password with the one you set in step 5):
openssl pkcs12 -in wallet-pass-cert.p12 -noout -passin pass:YOUR_PASSWORD
No output and no error = valid. Mac verify error = wrong password.
- Go to developer.apple.com/account
- Scroll to the Membership details section
- Your Team ID is a 10-character alphanumeric string, e.g.
AB12CD34EF
APNs (Apple Push Notification service) enables live pass updates on users' devices.
- Go to Keys in your developer account
- Click +, give the key a name (e.g.
Wallet Pass Push Notifications)
- Tick Apple Push Notifications service (APNs)
- Click Continue, then Register
- Click Download — file will be named
AuthKey_XXXXXXXXXX.p8
⚠️ This file can only be downloaded once. Keep it somewhere safe.
Your Key ID is the 10-character string in the filename and shown on the keys page.
⚠️ Private keys are multi-line files. Every line break must be a literal
— not a real line break. The command below handles this automatically.
Run in Terminal (replace the path with where you saved the .p8 file):
awk 'NF {printf "%s\n", $0}' /path/to/AuthKey_XXXXXXXXXX.p8 | tr -d '
'
Copy straight to clipboard:
awk 'NF {printf "%s\n", $0}' /path/to/AuthKey_XXXXXXXXXX.p8 | tr -d '
' | pbcopy
- Go to pay.google.com/business/console
- Sign in with a company Google account (not a personal Gmail)
- Click Get started and complete the application form
- Google reviews applications manually — allow a few business days
Once approved you will have access to the Google Pay & Wallet Console.
- In the Google Pay & Wallet Console, click Google Wallet API in the left menu
- Your Issuer ID is displayed near the top — a long number, e.g.
3388000000012345678
If you already have a Cloud project you want to use, skip to the next step.
- Go to console.cloud.google.com
- Click the project dropdown at the top → New Project
- Give it a name (e.g.
Wallet Passes) → click Create
- Make sure this project is selected before continuing
- Go to APIs & Services → Library
- Search for Google Wallet API
- Click on it, then click Enable
⚠️ Without this step the service account cannot create passes even with correct credentials.
A service account is a robot user the API authenticates as when creating and updating passes on your behalf.
- Go to IAM & Admin → Service Accounts
- Click Create Service Account
- Set the name to
wallet-passes (the ID fills automatically)
- Click Create and Continue
- Skip the optional grant-access steps → click Done
- In the service accounts list, click on the account you just created
- Click the Keys tab
- Click Add Key → Create new key
- Select JSON → click Create
- A
.json file will download, e.g. your-project-abc123.json
⚠️ Keep this file safe. Anyone with it can create passes on your behalf.
⚠️ The private key inside the JSON file contains real line breaks. Use the commands below — do not copy the key directly from the file or it will be rejected.
Get the service account email:
python3 -c "import json; d=json.load(open('your-project.json')); print(d['client_email'])"
Get the private key (copy to clipboard):
python3 -c "import json; d=json.load(open('your-project.json')); print(d['private_key'].replace('
','\n'),end='')" | pbcopy
- Go back to the Google Pay & Wallet Console
- Click Google Wallet API in the left menu
- Under Service accounts, click New Service Account
- Enter the service account email from the previous step
- Select Reader, Writer for permissions
- Click Save