Get in touch
Have questions about HexSign? Drop us a message and we'll get back to you.
Contact the HexSign team
General enquiries:
9am-5pm AEST, Monday-Friday
Sales:
9am-5pm AEST, Monday-Friday
Support:
FAQs: Frequently Asked Questions
HexSign manages certificates (development, distribution, Developer ID, Mac Installer, Pass Type ID, Apple Push, and more), provisioning profiles (App Store, Ad Hoc, Development, Enterprise), bundle IDs with capabilities, CSRs, and registered devices across iOS, macOS, tvOS, and watchOS.
You provide an App Store Connect API key (Issuer ID, Key ID, and .p8 private key). HexSign uses Apple's official API to sync your data securely. Your private key is stored in AWS Secrets Manager and encrypted at rest.
Yes. Depending on your plan you can connect from one to an unlimited number of Apple Developer team accounts. Each account syncs independently with its own status and error reporting, and all data is visible from a single dashboard.
HexSign sends expiration alerts via email and Slack webhooks. You configure the thresholds (e.g., 7, 14, 30, 60, 90 days before expiry), and you can send a test alert before enabling delivery.
Yes. You can create new provisioning profiles through a guided wizard, update them, regenerate them when they expire or become invalid, and download the .mobileprovision file — all from the HexSign dashboard.
Yes. HexSign can generate certificate signing requests (with the private key encrypted via AWS KMS), upload existing CSRs, request new certificates from Apple, download them as PKCS#12 files, and revoke certificates that are no longer needed.
The relationship graph is an interactive visualization that shows how your certificates, provisioning profiles, bundle IDs, and devices are connected. Nodes are color-coded by health status and you can click to explore dependencies and understand the blast radius of any change.
HexSign supports per-organization users with Owner, Admin, and Member roles. Authentication is backed by AWS Cognito with multi-factor authentication (SMS or TOTP authenticator apps), and every sign-in is recorded in a per-user auth activity log. SSO (SAML / OIDC) is available on higher plans.
Yes. Apple API keys live in AWS Secrets Manager, CSR private keys are encrypted with a dedicated KMS key, and the database runs in a private VPC with encryption at rest. All access is scoped per organization with role-based access control, MFA-protected sign-in, and immutable audit logs of every action.
Only when you explicitly ask. Creating or revoking certificates, creating, updating, regenerating, or deleting profiles, registering or enabling devices, and managing identifiers are all triggered by you from the dashboard or wizard. HexSign never makes changes on your behalf in the background — the scheduled job is read-only and just syncs state.
Every paid plan starts with a 7-day free trial, no credit card required up front. Billing runs through Stripe, and you can manage your subscription — upgrade, downgrade, change payment method, or download invoices — from a self-service customer portal inside HexSign. A free plan is also available for solo developers.