API DocumentationV1

Sign, verify, and distribute iOS apps programmatically

Export
Base URL
https://flarestore.app
Quick Reference
POST/check-cert
Verify certificate validity & OCSP revocation
POST/api/sign
All-in-one sign — upload & sign in one call
POST/api/sign/batch
Batch sign — up to 20 IPAs in one call
POST/upload/ipa
Upload IPA and get a session ID
POST/sign
Sign uploaded IPA with cert & options
GET/i/{sign_id}
OTA install page with QR code
GET/i/{id}/manifest.plist
OTA manifest for itms-services://
GET/i/{id}/app.ipa
Download signed IPA binary
POST/api/plist
Generate OTA plist from any IPA URL
GET/api/plist/{id}
Retrieve generated plist manifest
01 CERTIFICATE CHECKER
POST /check-cert
Verify a signing certificate's validity and OCSP revocation status. Supports two modes: upload a P12 file, or check by serial number.
Request (multipart/form-data)
method string Check mode: "p12" (default) or "serial"
p12* file P12 certificate file (.p12 / .pfx) — required for p12 mode
provision file Provisioning profile (.mobileprovision) for compatibility check
password string P12 password if protected
serial string Certificate serial number (for serial mode)
serialType string "decimal" (default) or "hex"
Response
{ "success": true, "certificate": { "valid": true, "message": "Certificate is valid and ready for signing", "subject": "Apple Development: John Doe (XXXXXXXXXX)", "issuer": "Apple Worldwide Developer Relations CA", "serialNumber": "123456789", "serialNumberHex": "0x75bcd15", "notBefore": "2024-01-15", "notAfter": "2025-01-14", "expired": false, "revoked": false, "ocspStatus": "good", "matchesProvision": true }, "provision": { "name": "My Profile", "appId": "com.example.app", "teamId": "ABC123XYZ", "teamName": "My Team", "expiration": "2025-01-14", "expired": false, "uuid": "550e8400-e29b-41d4-a716-446655440000" } }
Example Request
curl -X POST \ https://flarestore.app/check-cert \ -F "[email protected]" \ -F "[email protected]" \ -F "password=your_password"
02 ALL-IN-ONE SIGNING
POST /api/sign
Upload IPA, certificate, and provisioning profile in a single multipart request. Returns the signed IPA binary directly as a file download. Best for simple integrations that don't need an install page.
Request (multipart/form-data)
ipa* file IPA file to sign (max 500 MB)
p12* file Signing certificate (.p12 / .pfx)
provision* file Provisioning profile (.mobileprovision)
p12_password string Certificate password
icon file Custom app icon (.png / .jpg)
tweak file Dylib to inject (.dylib / .deb)
Optional Signing Options (form fields)
bundle_id Custom bundle ID
app_name Display name
app_version Version string
min_os_version Minimum iOS
duplicate_install "true" to duplicate
remove_watch "true" to strip Watch
remove_all_extensions "true" to strip extensions
remove_ui_supported_devices "true" to remove limits
enable_file_browser "true" for file sharing
enable_itunes_file_sharing "true" for iTunes
enable_promotion "true" for 120Hz
enable_game_mode "true" for Game Mode
remove_url_schemes "true" to strip schemes
add_url_schemes Comma-separated schemes
remove_embedded_provision "true" to remove embed
is_mac "true" for macOS signing
Response
HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Disposition: attachment; filename="MyApp_signed.ipa" <binary IPA data>
The response is the raw signed IPA binary, not JSON. Use -o output.ipa with curl to save it. Signing timeout is 5 minutes. Max file size 500 MB.
Example Request
curl -X POST \ https://flarestore.app/api/sign \ -F "[email protected]" \ -F "[email protected]" \ -F "[email protected]" \ -F "p12_password=pass123" \ -F "app_name=My App" \ -F "duplicate_install=true" \ -o signed.ipa
POST /api/sign/batch
Sign up to 20 IPA files in a single request. Uses a shared certificate, provisioning profile, and signing options for all IPAs. Returns JSON with install URLs for each successfully signed app.
Request (multipart/form-data)
ipa* file[] One or more IPA files (max 20, each up to 500 MB)
p12* file Signing certificate (.p12 / .pfx)
provision* file Provisioning profile (.mobileprovision)
p12_password string Certificate password
icon file Custom app icon (.png / .jpg) — applied to all IPAs
tweak file Dylib to inject (.dylib / .deb) — injected into all IPAs
Optional Signing Options (form fields)
bundle_id Custom bundle ID
app_name Display name
app_version Version string
min_os_version Minimum iOS
duplicate_install "true" to duplicate
remove_watch "true" to strip Watch
remove_all_extensions "true" to strip extensions
remove_ui_supported_devices "true" to remove limits
enable_file_browser "true" for file sharing
enable_itunes_file_sharing "true" for iTunes
enable_promotion "true" for 120Hz
enable_game_mode "true" for Game Mode
remove_url_schemes "true" to strip schemes
add_url_schemes Comma-separated schemes
remove_embedded_provision "true" to remove embed
is_mac "true" for macOS signing
Response
{ "success": true, "total": 3, "signed": 2, "failed": 1, "results": [ { "filename": "App1.ipa", "success": true, "install_url": "/i/a1b2c3d4", "app_name": "App 1", "bundle_id": "com.example.app1", "version": "1.0" }, { "filename": "App2.ipa", "success": true, "install_url": "/i/e5f6g7h8", "app_name": "App 2", "bundle_id": "com.example.app2", "version": "2.1" }, { "filename": "Bad.ipa", "success": false, "error": "IPA is not a valid zip file" } ] }
Each IPA is signed sequentially. success at the top level is true if at least one IPA was signed. Use the per-item install_url to access install pages, manifests, and downloads via the Distribution endpoints. Max 20 IPAs per request.
Example Request
curl -X POST \ https://flarestore.app/api/sign/batch \ -F "[email protected]" \ -F "[email protected]" \ -F "[email protected]" \ -F "[email protected]" \ -F "[email protected]" \ -F "p12_password=pass123" \ -F "duplicate_install=true"
03 SESSION-BASED SIGNING
Two-step flow: first upload the IPA to get a session ID, then sign it. Returns an install URL instead of a raw binary. Sessions expire after 1 hour. Max 1000 concurrent sessions.
POST /upload/ipa
Upload an IPA file and receive a session ID for the signing step.
Request (multipart/form-data)
ipa* file IPA file (max 500 MB)
Response
{ "success": true, "session_id": "550e8400-e29b-41d4-a716-446655440000", "filename": "MyApp.ipa", "size": 15728640 }
Example
curl -X POST \ https://flarestore.app/upload/ipa \ -F "[email protected]"
POST /sign
Sign a previously uploaded IPA using its session ID. Returns an install URL for OTA distribution.
Request (multipart/form-data)
session_id* string Session ID from /upload/ipa
p12* file Signing certificate (.p12 / .pfx)
provision* file Provisioning profile (.mobileprovision)
p12_password string Certificate password
icon file Custom app icon
tweak file Dylib to inject
Optional Signing Options
bundle_id Custom bundle ID
app_name Display name
app_version Version string
min_os_version Minimum iOS
duplicate_install "true" to duplicate
remove_watch "true" to strip Watch
remove_all_extensions "true" to strip extensions
remove_ui_supported_devices "true" to remove limits
enable_file_browser "true" for file sharing
enable_itunes_file_sharing "true" for iTunes
enable_promotion "true" for 120Hz
enable_game_mode "true" for Game Mode
remove_url_schemes "true" to strip schemes
add_url_schemes Comma-separated schemes
remove_embedded_provision "true" to remove embed
is_mac "true" for macOS signing
Response
{ "success": true, "message": "App signed successfully", "install_url": "/i/a1b2c3d4e5f6" }
Example
curl -X POST \ https://flarestore.app/sign \ -F "session_id=550e8400-e29b-41d4-a716-446655440000" \ -F "[email protected]" \ -F "[email protected]" \ -F "p12_password=pass123" \ -F "app_name=My App" \ -F "duplicate_install=true"
04 INSTALL & DISTRIBUTION
After signing via POST /sign, the install_url path gives you access to these distribution endpoints. The {sign_id} is the unique identifier for each signed build.
GET /i/{sign_id}
Themed HTML install page with OTA install button, direct download, and QR code. Share this URL with users to install the signed app on-device.
Path Parameters
sign_id* string Unique ID from the signing response
Response
Content-Type: text/html Themed install page with: - App icon, name, version, bundle ID - "Install" button (itms-services:// protocol) - "Download IPA" button - QR code for on-device scanning - Copy-to-clipboard for install/download URLs
GET /i/{sign_id}/manifest.plist
OTA installation manifest used by the itms-services:// protocol. iOS uses this plist to know where to download the IPA and what metadata to display.
Path Parameters
sign_id* string Unique signing ID
Response (text/xml)
<?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>items</key> <array><dict> <key>assets</key> <array><dict> <key>kind</key><string>software-package</string> <key>url</key><string>https://flarestore.app/i/{sign_id}/app.ipa</string> </dict></array> <key>metadata</key> <dict> <key>bundle-identifier</key><string>com.example.app</string> <key>bundle-version</key><string>1.0</string> <key>kind</key><string>software</string> <key>title</key><string>My App</string> </dict> </dict></array> </dict> </plist>
GET /i/{sign_id}/app.ipa
Download the signed IPA binary directly. Supports both GET and HEAD methods.
Path Parameters
sign_id* string Unique signing ID
Response
Content-Type: application/octet-stream Content-Disposition: attachment; filename="MyApp.ipa" <binary IPA data>
Example
curl -O -J \ https://flarestore.app/i/a1b2c3d4e5f6/app.ipa
GET /i/{sign_id}/icon
Retrieve the custom app icon associated with a signed build. Returns a PNG image.
Path Parameters
sign_id* string Unique signing ID
Response
Content-Type: image/png <binary PNG data>
05 PLIST GENERATOR
Generate OTA install manifests for any IPA hosted anywhere. Useful when you have your own IPA hosting and just need a valid itms-services:// URL. Plists expire after 1 hour.
POST /api/plist
Create a standalone OTA manifest plist pointing to any IPA URL. Returns both the plist URL and a ready-to-use itms-services:// install link.
Request (application/json)
ipa_url* string HTTPS URL where the IPA is hosted
bundle_id* string Bundle identifier (e.g., "com.example.app")
app_name string Display name shown during install
version string Version string (e.g., "1.0")
Response
{ "id": "abc123def456", "plist_url": "https://flarestore.app/api/plist/abc123def456", "itms_url": "itms-services://?action=download-manifest&url=https://flarestore.app/api/plist/abc123def456" }
Example
curl -X POST \ https://flarestore.app/api/plist \ -H "Content-Type: application/json" \ -d '{ "ipa_url": "https://example.com/MyApp.ipa", "bundle_id": "com.example.myapp", "app_name": "My App", "version": "1.0" }'
GET /api/plist/{plist_id}
Retrieve a previously generated plist manifest. Returns XML plist suitable for itms-services:// OTA installation. Expired plists (>1 hour) return 410 Gone.
Path Parameters
plist_id* string Plist ID from the create response
Response (text/xml)
OTA manifest plist (same format as /i/{sign_id}/manifest.plist) Errors: 404 - Plist not found 410 - Plist expired (>1 hour TTL)
06 ERROR RESPONSES
All endpoints return consistent JSON error responses.
Error Format
{ "success": false, "error": "Human-readable error message" }
HTTP Status Codes
200 Success
400 Bad request — missing params, invalid file, bad password
404 Resource not found — invalid sign_id or plist_id
410 Gone — plist or session expired
413 File too large (max 500 MB)
500 Internal error — signing failed
503 Server busy — max concurrent sessions reached
504 Timeout — signing exceeded 5 minute limit