Expo Launch Replit integration requires Apple ID and password but should also accept API key

The current behavior of the Expo Launch Replit integration requires users to provide their Apple ID and password for authentication. However, this integration ideally should allow the optional use of an App Store Connect API key instead, enabling secure programmatic access without sharing personal credentials.

Also, I understand that they are implementing SRP, which should resolve this concern. However, the “we never see your password” guarantee from SRP assumes EAS is running on your machine. When it runs on Replit’s VPS instead, the entire trust model shifts.

I also understand that when using EAS CLI directly you can configure the eas.json for API authentication; however, I am only referring to the new automated EAS Launch integration in Replit.

Thanks!

It has to auth through Apple and 2FA, what are you worried about?

2FA does help, but you still have to type your Apple password into a third-party web form and send it to a VPS before SRP can do its thing. This breaks the fundamental security model of SRP. It is not the same as using EAS locally with SRP.

That being said, the real request, actually an improvement, here is that the Expo Launch integration in Replit support App Store Connect API keys the same way the EAS CLI does, since that will always be the better option.

Thanks!
