diff --git a/cli/package.json b/cli/package.json
index 7706da9693..845c6a1589 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -71,6 +71,7 @@
     "test:upload": "bun test/test-upload-validation.mjs",
     "test:credentials": "bun test/test-credentials.mjs",
     "test:credentials-validation": "bun test/test-credentials-validation.mjs",
+    "test:android-service-account-validation": "bun test/test-android-service-account-validation.mjs",
     "test:build-zip-filter": "bun test/test-build-zip-filter.mjs",
     "test:checksum": "bun test/test-checksum-algorithm.mjs",
     "test:build-needed": "bun test/test-build-needed.mjs",
@@ -93,7 +94,7 @@
     "test:macos-signing": "bun test/test-macos-signing.mjs",
     "test:apple-api-import-helpers": "bun test/test-apple-api-import-helpers.mjs",
     "test:manifest-path-encoding": "bun test/test-manifest-path-encoding.mjs",
-    "test": "bun run build && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:credentials && bun run test:credentials-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:ci-secrets && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-progress && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding && bun run test:macos-signing && bun run test:apple-api-import-helpers && bun run test:ai-log-capture && bun run test:ai-analyze-flow && bun run test:ai-render-markdown",
+    "test": "bun run build && bun run test:version-detection:setup && bun run test:bundle && bun run test:functional && bun run test:semver && bun run test:version-edge-cases && bun run test:regex && bun run test:upload && bun run test:credentials && bun run test:credentials-validation && bun run test:android-service-account-validation && bun run test:build-zip-filter && bun run test:checksum && bun run test:build-needed && bun run test:ci-prompts && bun run test:ci-secrets && bun run test:posthog-exception && bun run test:build-platform-selection && bun run test:onboarding-recovery && bun run test:onboarding-progress && bun run test:onboarding-run-targets && bun run test:run-device-command && bun run test:init-app-conflict && bun run test:init-guardrails && bun run test:prompt-preferences && bun run test:esm-sdk && bun run test:mcp && bun run test:version-detection && bun run test:platform-paths && bun run test:payload-split && bun run test:manifest-path-encoding && bun run test:macos-signing && bun run test:apple-api-import-helpers && bun run test:ai-log-capture && bun run test:ai-analyze-flow && bun run test:ai-render-markdown",
     "test:build-platform-selection": "bun test/test-build-platform-selection.mjs",
     "test:ai-log-capture": "bun test/test-ai-log-capture.mjs",
     "test:ai-analyze-flow": "bun test/test-ai-analyze-flow.mjs",
diff --git a/cli/src/build/onboarding/android/progress.ts b/cli/src/build/onboarding/android/progress.ts
index 41babe40ca..287f73138e 100644
--- a/cli/src/build/onboarding/android/progress.ts
+++ b/cli/src/build/onboarding/android/progress.ts
@@ -141,7 +141,37 @@ export function getAndroidResumeStep(progress: AndroidOnboardingProgress | null)
   if (!keystoreFullyValid(progress))
     return keystoreResumeStep(progress)
 
-  // Phase 2 — Google sign-in: marker + refresh token. We need the refresh
+  // Phase 2 — Service-account fork. Routes onto the import path or the OAuth
+  // path. Legacy progress files don't have `serviceAccountMethod` — treat
+  // those as OAuth (existing behavior) so in-flight onboardings continue
+  // along the path they started on.
+  if (progress.serviceAccountMethod === 'existing') {
+    // Phase 2a — Import existing SA JSON.
+    //
+    // `_serviceAccountKeyBase64` is set once we accept the JSON (either
+    // validation passed or the user picked "save anyway"). After that point
+    // routing is identical to the OAuth path's tail: `saving-credentials`.
+    if (progress._serviceAccountKeyBase64)
+      return 'saving-credentials'
+
+    // Package name confirmation is the first step inside the import path.
+    if (!completedSteps.androidPackageChosen)
+      return 'android-package-select'
+
+    // We have a package but no accepted SA yet. If the user already picked a
+    // file, jump back to validation; otherwise back to file selection.
+    if (progress.serviceAccountJsonPath)
+      return 'sa-json-validating'
+    return 'sa-json-existing-path'
+  }
+
+  // Backward compatibility: legacy progress files (created before the
+  // service-account fork existed) never set `serviceAccountMethod`. Per the
+  // design contract those resume into the OAuth path they were already on —
+  // we must NOT route them to the new fork screen and force them to re-pick
+  // mid-flow. Only routes through the fork explicitly set the method.
+
+  // Phase 2b — Google sign-in: marker + refresh token. We need the refresh
   // token to mint access tokens for the rest of the flow on subsequent
   // resumes; if it's missing we must re-auth.
   if (!completedSteps.googleSignInComplete || !progress._oauthRefreshToken)
diff --git a/cli/src/build/onboarding/android/service-account-validation.ts b/cli/src/build/onboarding/android/service-account-validation.ts
new file mode 100644
index 0000000000..5f3325e006
--- /dev/null
+++ b/cli/src/build/onboarding/android/service-account-validation.ts
@@ -0,0 +1,469 @@
+// src/build/onboarding/android/service-account-validation.ts
+//
+// Validates a user-supplied Google Play service account JSON before we save it
+// as PLAY_CONFIG_JSON. Three layers:
+//
+//   1. Shape check — JSON.parse and confirm the file looks like a service
+//      account key (type, private_key, client_email, project_id, token_uri).
+//   2. Token exchange — sign a JWT with the SA private key and POST it to the
+//      SA's token endpoint. Proves the key is cryptographically valid and the
+//      account isn't revoked.
+//   3. App-access check — open and immediately close a draft edit on the user's
+//      Play Console app (`applications/{packageName}/edits`). This is exactly
+//      what fastlane's `supply` will do at build time — if this passes the
+//      build will pass.
+//
+// All network calls forward an AbortSignal so the React UI can cancel mid-flight.
+
+import type { Buffer } from 'node:buffer'
+import jwt from 'jsonwebtoken'
+
+const ANDROIDPUBLISHER_SCOPE = 'https://www.googleapis.com/auth/androidpublisher'
+const ANDROIDPUBLISHER_BASE = 'https://androidpublisher.googleapis.com/androidpublisher/v3'
+const JWT_LIFETIME_SECONDS = 3600
+const DEFAULT_FETCH_TIMEOUT_MS = 30_000
+const ALLOWED_GOOGLE_TOKEN_URIS = new Set([
+  'https://oauth2.googleapis.com/token',
+  'https://accounts.google.com/o/oauth2/token',
+  'https://www.googleapis.com/oauth2/v4/token',
+])
+
+export interface ServiceAccountKey {
+  type: 'service_account'
+  client_email: string
+  private_key: string
+  project_id: string
+  token_uri: string
+  private_key_id?: string
+  client_id?: string
+}
+
+export type ValidationResult
+  = | { ok: true, serviceAccountEmail: string, projectId: string }
+    | { ok: false, kind: 'shape-error', message: string }
+    | { ok: false, kind: 'token-error', message: string }
+    | { ok: false, kind: 'no-app-access', message: string, serviceAccountEmail: string }
+    | { ok: false, kind: 'network-error', message: string }
+
+export interface ValidateOptions {
+  jsonBytes: Buffer
+  packageName: string
+  signal?: AbortSignal
+  /** Override per-request timeout. Defaults to 30s. */
+  timeoutMs?: number
+  /** Test-only injection point. Defaults to globalThis.fetch. */
+  fetchImpl?: typeof fetch
+}
+
+/**
+ * Parse + minimally validate the service account JSON structure.
+ *
+ * Google's SA JSON for `service_account` type has more optional fields, but
+ * these five are the ones we actually need to authenticate. Missing any of
+ * them means we can't proceed — surface a precise error so the user knows
+ * what's wrong rather than discovering it at token-exchange time with an
+ * opaque crypto error.
+ */
+export function parseServiceAccountKey(jsonBytes: Buffer): ServiceAccountKey {
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(jsonBytes.toString('utf-8'))
+  }
+  catch (err) {
+    throw new Error(`Service account file is not valid JSON: ${err instanceof Error ? err.message : String(err)}`)
+  }
+  if (!parsed || typeof parsed !== 'object')
+    throw new Error('Service account file is not a JSON object.')
+
+  const obj = parsed as Record<string, unknown>
+  if (obj.type !== 'service_account')
+    throw new Error(`Expected "type": "service_account" — found ${JSON.stringify(obj.type)}. This file is not a service account key.`)
+
+  const required = ['client_email', 'private_key', 'project_id', 'token_uri'] as const
+  for (const field of required) {
+    const value = obj[field]
+    if (typeof value !== 'string' || value.length === 0)
+      throw new Error(`Service account JSON is missing required field "${field}".`)
+  }
+  if (!ALLOWED_GOOGLE_TOKEN_URIS.has(obj.token_uri as string))
+    throw new Error('Service account JSON has an unsupported token_uri. Expected a Google OAuth token endpoint.')
+
+  return {
+    type: 'service_account',
+    client_email: obj.client_email as string,
+    private_key: obj.private_key as string,
+    project_id: obj.project_id as string,
+    token_uri: obj.token_uri as string,
+    private_key_id: typeof obj.private_key_id === 'string' ? obj.private_key_id : undefined,
+    client_id: typeof obj.client_id === 'string' ? obj.client_id : undefined,
+  }
+}
+
+/**
+ * Sign a JWT bearer assertion suitable for Google's OAuth2 token endpoint.
+ *
+ * Google requires:
+ *   - alg: RS256
+ *   - iss: service account email
+ *   - scope: space-separated OAuth scopes
+ *   - aud: the token endpoint URL
+ *   - exp: now + 3600 (max accepted by Google)
+ *   - iat: now
+ *
+ * Ref: https://developers.google.com/identity/protocols/oauth2/service-account#authorizingrequests
+ */
+function signSaAssertion(key: ServiceAccountKey): string {
+  const now = Math.floor(Date.now() / 1000)
+  return jwt.sign(
+    {
+      iss: key.client_email,
+      scope: ANDROIDPUBLISHER_SCOPE,
+      aud: key.token_uri,
+      exp: now + JWT_LIFETIME_SECONDS,
+      iat: now,
+    },
+    key.private_key,
+    {
+      algorithm: 'RS256',
+      header: { alg: 'RS256', typ: 'JWT', kid: key.private_key_id ?? '' },
+    },
+  )
+}
+
+interface GoogleTokenResponse {
+  access_token: string
+  expires_in: number
+  token_type: string
+}
+
+interface GoogleTokenErrorResponse {
+  error?: string
+  error_description?: string
+}
+
+/**
+ * Marker thrown by `exchangeJwtForAccessToken` for transient/transport-class
+ * failures (5xx from Google, non-JSON, etc.) so the outer `validate*` catch
+ * can route them to `network-error` instead of `token-error`. 4xx responses
+ * still throw a plain Error and map to `token-error` (credentials genuinely
+ * rejected).
+ */
+class TokenExchangeTransientError extends Error {
+  constructor(message: string) {
+    super(message)
+    this.name = 'TokenExchangeTransientError'
+  }
+}
+
+/**
+ * Exchange a signed JWT bearer assertion for an OAuth access token at Google's
+ * token endpoint. The token is short-lived (1h) and is used only for the
+ * downstream `edits.insert` / `edits.delete` round trip.
+ */
+async function exchangeJwtForAccessToken(args: {
+  key: ServiceAccountKey
+  assertion: string
+  signal?: AbortSignal
+  timeoutMs: number
+  fetchImpl: typeof fetch
+}): Promise<string> {
+  const body = new URLSearchParams({
+    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+    assertion: args.assertion,
+  })
+
+  const res = await fetchWithTimeout({
+    url: args.key.token_uri,
+    init: {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'application/json',
+      },
+      body: body.toString(),
+    },
+    signal: args.signal,
+    timeoutMs: args.timeoutMs,
+    fetchImpl: args.fetchImpl,
+  })
+
+  const text = await res.text()
+  if (!res.ok) {
+    let detail = `${res.status} ${res.statusText}`
+    try {
+      const errBody = JSON.parse(text) as GoogleTokenErrorResponse
+      if (errBody.error) {
+        detail = errBody.error_description
+          ? `${errBody.error}: ${errBody.error_description}`
+          : errBody.error
+      }
+    }
+    catch {}
+    // 5xx (and unexpected 1xx/3xx) are server-side or transport problems, not
+    // credential rejections — flag them as transient so the outer validator
+    // surfaces a network-error and the UI offers retry rather than telling
+    // the user their key is bad.
+    if (res.status >= 500 || res.status < 400)
+      throw new TokenExchangeTransientError(`Google's token endpoint returned ${detail}. Try again in a moment.`)
+    throw new Error(`Google rejected the service account credentials (${detail}). The private key may be revoked or invalid.`)
+  }
+
+  let parsed: GoogleTokenResponse
+  try {
+    parsed = JSON.parse(text) as GoogleTokenResponse
+  }
+  catch {
+    throw new TokenExchangeTransientError(`Google's token endpoint returned a non-JSON response (${res.status}).`)
+  }
+  if (typeof parsed.access_token !== 'string' || parsed.access_token.length === 0)
+    throw new TokenExchangeTransientError('Google\'s token response was missing an access_token field.')
+  return parsed.access_token
+}
+
+interface EditResponse {
+  id: string
+  expiryTimeSeconds?: string
+}
+
+async function fetchWithTimeout(args: {
+  url: string
+  init: RequestInit
+  signal?: AbortSignal
+  timeoutMs: number
+  fetchImpl: typeof fetch
+}): Promise<Response> {
+  // Compose the caller's AbortSignal with a per-request timeout signal so
+  // either source can cancel the request.
+  const timeoutController = new AbortController()
+  const timer = setTimeout(() => timeoutController.abort(), args.timeoutMs)
+
+  let combinedSignal: AbortSignal
+  // Captured so the `finally` block can detach them on success. Without this,
+  // a long-lived caller `signal` would accumulate one listener per request
+  // (each `{ once: true }` listener auto-detaches on fire, but never on
+  // successful completion).
+  let abortComposite: (() => void) | null = null
+  if (args.signal) {
+    const composite = new AbortController()
+    abortComposite = () => composite.abort()
+    args.signal.addEventListener('abort', abortComposite, { once: true })
+    timeoutController.signal.addEventListener('abort', abortComposite, { once: true })
+    if (args.signal.aborted || timeoutController.signal.aborted)
+      composite.abort()
+    combinedSignal = composite.signal
+  }
+  else {
+    combinedSignal = timeoutController.signal
+  }
+
+  try {
+    return await args.fetchImpl(args.url, { ...args.init, signal: combinedSignal })
+  }
+  finally {
+    clearTimeout(timer)
+    if (abortComposite) {
+      args.signal?.removeEventListener('abort', abortComposite)
+      timeoutController.signal.removeEventListener('abort', abortComposite)
+    }
+  }
+}
+
+/**
+ * Open a draft edit on the Play Console app, then immediately delete it.
+ *
+ * Mirrors fastlane's auth code path — if this round trip succeeds, every
+ * subsequent supply call will succeed too. The draft itself is invisible in
+ * Play Console for most views and auto-expires after 7 days even if our
+ * cleanup DELETE fails.
+ */
+async function probeAppAccess(args: {
+  accessToken: string
+  packageName: string
+  signal?: AbortSignal
+  timeoutMs: number
+  fetchImpl: typeof fetch
+}): Promise<{ kind: 'ok' } | { kind: 'no-access', detail: string } | { kind: 'network', detail: string }> {
+  const insertUrl = `${ANDROIDPUBLISHER_BASE}/applications/${encodeURIComponent(args.packageName)}/edits`
+
+  let insertRes: Response
+  try {
+    insertRes = await fetchWithTimeout({
+      url: insertUrl,
+      init: {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${args.accessToken}`,
+          'Content-Type': 'application/json',
+          'Accept': 'application/json',
+        },
+        body: '{}',
+      },
+      signal: args.signal,
+      timeoutMs: args.timeoutMs,
+      fetchImpl: args.fetchImpl,
+    })
+  }
+  catch (err) {
+    return {
+      kind: 'network',
+      detail: err instanceof Error ? err.message : String(err),
+    }
+  }
+
+  const insertText = await insertRes.text()
+
+  // 401 / 403 / 404 = SA exists and auth worked at the token-exchange level,
+  // but this SA can't see this package. Anything in the 5xx range or other
+  // unexpected codes is a network/server failure, not an access failure —
+  // surface that distinction so the user gets the right recovery options.
+  if (insertRes.status === 401 || insertRes.status === 403 || insertRes.status === 404) {
+    return {
+      kind: 'no-access',
+      detail: parseGoogleErrorMessage(insertText) ?? `${insertRes.status} ${insertRes.statusText}`,
+    }
+  }
+  if (!insertRes.ok) {
+    return {
+      kind: 'network',
+      detail: `${insertRes.status} ${insertRes.statusText}: ${insertText.slice(0, 200)}`,
+    }
+  }
+
+  let edit: EditResponse
+  try {
+    edit = JSON.parse(insertText) as EditResponse
+  }
+  catch {
+    return { kind: 'network', detail: 'Play API returned non-JSON on edits.insert' }
+  }
+  if (typeof edit.id !== 'string' || edit.id.length === 0)
+    return { kind: 'network', detail: 'Play API returned no edit id' }
+
+  // Best-effort cleanup — the draft auto-expires regardless. Don't surface
+  // failures here, just log internally via the caller.
+  const deleteUrl = `${ANDROIDPUBLISHER_BASE}/applications/${encodeURIComponent(args.packageName)}/edits/${encodeURIComponent(edit.id)}`
+  try {
+    await fetchWithTimeout({
+      url: deleteUrl,
+      init: {
+        method: 'DELETE',
+        headers: { Authorization: `Bearer ${args.accessToken}` },
+      },
+      signal: args.signal,
+      timeoutMs: args.timeoutMs,
+      fetchImpl: args.fetchImpl,
+    })
+  }
+  catch {
+    // swallowed by contract — auto-expiry covers us
+  }
+
+  return { kind: 'ok' }
+}
+
+function parseGoogleErrorMessage(body: string): string | null {
+  try {
+    const parsed = JSON.parse(body) as { error?: { message?: string, status?: string } }
+    if (parsed.error?.message) {
+      return parsed.error.status
+        ? `${parsed.error.status}: ${parsed.error.message}`
+        : parsed.error.message
+    }
+  }
+  catch {}
+  return null
+}
+
+/**
+ * Run the full validation chain. The function never throws — all failure
+ * shapes are returned as `{ ok: false, kind: … }` so the UI can react to each
+ * case independently (e.g. "no-app-access" routes to a recovery screen with
+ * actionable Play Console invite instructions).
+ */
+export async function validateServiceAccountJson(opts: ValidateOptions): Promise<ValidationResult> {
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch.bind(globalThis)
+
+  // 1. Shape
+  let key: ServiceAccountKey
+  try {
+    key = parseServiceAccountKey(opts.jsonBytes)
+  }
+  catch (err) {
+    return {
+      ok: false,
+      kind: 'shape-error',
+      message: err instanceof Error ? err.message : String(err),
+    }
+  }
+
+  if (opts.signal?.aborted)
+    return { ok: false, kind: 'network-error', message: 'Validation cancelled.' }
+
+  // 2. Token exchange. Distinguishes between "Google rejected the key" (real
+  // token-error) and transport/transient failures (network-error). Aborts and
+  // fetch-level rejections always go to network-error so the recovery UI can
+  // offer retry rather than a misleading "your credentials are bad" message.
+  let accessToken: string
+  try {
+    const assertion = signSaAssertion(key)
+    accessToken = await exchangeJwtForAccessToken({
+      key,
+      assertion,
+      signal: opts.signal,
+      timeoutMs,
+      fetchImpl,
+    })
+  }
+  catch (err) {
+    const message = err instanceof Error ? err.message : String(err)
+    const isAbort = (err as { name?: string } | null)?.name === 'AbortError'
+    const isTransient = err instanceof TokenExchangeTransientError
+    const looksNetworky = /timeout|timed out|network|fetch failed|ENOTFOUND|EAI_AGAIN|ECONNRESET|ECONNREFUSED/i.test(message)
+    if (isAbort || isTransient || looksNetworky) {
+      return {
+        ok: false,
+        kind: 'network-error',
+        message,
+      }
+    }
+    return {
+      ok: false,
+      kind: 'token-error',
+      message,
+    }
+  }
+
+  if (opts.signal?.aborted)
+    return { ok: false, kind: 'network-error', message: 'Validation cancelled.' }
+
+  // 3. App-access check
+  const probe = await probeAppAccess({
+    accessToken,
+    packageName: opts.packageName,
+    signal: opts.signal,
+    timeoutMs,
+    fetchImpl,
+  })
+
+  if (probe.kind === 'ok') {
+    return {
+      ok: true,
+      serviceAccountEmail: key.client_email,
+      projectId: key.project_id,
+    }
+  }
+  if (probe.kind === 'no-access') {
+    return {
+      ok: false,
+      kind: 'no-app-access',
+      serviceAccountEmail: key.client_email,
+      message: `Service account "${key.client_email}" cannot access package "${opts.packageName}" on Google Play (${probe.detail}). Open Play Console → Users and permissions, invite the service account email, and grant access to this app.`,
+    }
+  }
+  return {
+    ok: false,
+    kind: 'network-error',
+    message: probe.detail,
+  }
+}
diff --git a/cli/src/build/onboarding/android/types.ts b/cli/src/build/onboarding/android/types.ts
index c5f4aae1ef..d4cd58a973 100644
--- a/cli/src/build/onboarding/android/types.ts
+++ b/cli/src/build/onboarding/android/types.ts
@@ -21,7 +21,14 @@ export type AndroidOnboardingStep
     | 'keystore-new-key-password'
     | 'keystore-new-cn'
     | 'keystore-generating'
-  // Phase 2 — Google sign-in (OAuth)
+  // Phase 2 — Service account method fork: existing JSON vs. OAuth provisioning
+    | 'service-account-method-select'
+  // Phase 2a — Import existing service account JSON
+    | 'sa-json-existing-path'
+    | 'sa-json-existing-picker'
+    | 'sa-json-validating'
+    | 'sa-json-validation-failed'
+  // Phase 2b — Google sign-in (OAuth)
     | 'google-sign-in'
     | 'google-sign-in-running'
   // Phase 3 — Play developer account ID (pasted by the user — Play Developer API
@@ -55,9 +62,19 @@ export type AndroidOnboardingErrorCategory
   = | 'keystore_invalid'
     | 'google_oauth_failed'
     | 'play_account_id_invalid'
+    // Imported service-account JSON validation failures. Each value mirrors
+    // the corresponding `ValidationResult.kind` from
+    // `service-account-validation.ts` so PostHog funnel analysis can
+    // distinguish "wrong file" from "SA not invited to app" from "transient
+    // network/server issue" — each implies a different recovery for the user.
+    | 'sa_json_shape_invalid'
+    | 'sa_json_token_rejected'
+    | 'sa_json_no_app_access'
+    | 'sa_json_network_error'
     | 'unknown'
 
 export type KeystoreMethod = 'existing' | 'generate'
+export type ServiceAccountMethod = 'existing' | 'generate'
 
 export interface KeystoreReady {
   keystorePath: string
@@ -115,6 +132,19 @@ export interface AndroidOnboardingProgress {
   keystoreKeyPassword?: string
   keystoreCommonName?: string
 
+  // Service account fork — set at `service-account-method-select`. Absent on
+  // legacy progress files (pre-2026-05) → resume defaults to `generate` so
+  // existing in-flight onboardings continue on the OAuth path they started on.
+  serviceAccountMethod?: ServiceAccountMethod
+  // Import path — path the user picked at `sa-json-existing-path` /
+  // `sa-json-existing-picker`. The file is read fresh at validation time so
+  // we never persist its contents to disk before the user explicitly accepts.
+  serviceAccountJsonPath?: string
+  // Set when the user picks "Save anyway" at `sa-json-validation-failed`.
+  // Read at `saving-credentials` to surface a yellow banner — does not affect
+  // routing.
+  serviceAccountValidationSkipped?: boolean
+
   // Chosen project name for a fresh create — remembered while the async op runs
   pendingNewProjectId?: string
   pendingNewProjectDisplayName?: string
@@ -159,6 +189,15 @@ export const ANDROID_STEP_PROGRESS: Record<AndroidOnboardingStep, number> = {
   'keystore-new-cn': 16,
   'keystore-generating': 20,
 
+  'service-account-method-select': 22,
+
+  // Import path keeps the bar moving without leaping past the OAuth path's
+  // matching milestones (Google sign-in lands at 35, GCP setup at 70).
+  'sa-json-existing-path': 28,
+  'sa-json-existing-picker': 28,
+  'sa-json-validating': 70,
+  'sa-json-validation-failed': 70,
+
   'google-sign-in': 25,
   'google-sign-in-running': 35,
 
@@ -210,6 +249,13 @@ export function getAndroidPhaseLabel(step: AndroidOnboardingStep): string {
     case 'keystore-new-cn':
     case 'keystore-generating':
       return 'Step 1 of 4 · Keystore'
+    case 'service-account-method-select':
+      return 'Step 2 of 4 · Service account'
+    case 'sa-json-existing-path':
+    case 'sa-json-existing-picker':
+    case 'sa-json-validating':
+    case 'sa-json-validation-failed':
+      return 'Step 3 of 4 · Service account'
     case 'google-sign-in':
     case 'google-sign-in-running':
       return 'Step 2 of 4 · Sign in with Google'
diff --git a/cli/src/build/onboarding/android/ui/app.tsx b/cli/src/build/onboarding/android/ui/app.tsx
index 2db1fe0b2f..eafb3129c0 100644
--- a/cli/src/build/onboarding/android/ui/app.tsx
+++ b/cli/src/build/onboarding/android/ui/app.tsx
@@ -28,11 +28,12 @@ import { loadSavedCredentials, updateSavedCredentials } from '../../../credentia
 import { requestBuildInternal } from '../../../request.js'
 import type { CiSecretEntry, CiSecretSetupAdvice, CiSecretTarget } from '../../ci-secrets.js'
 import { createCiSecretEntries, detectCiSecretTargets, getCiSecretTargetLabel, listExistingCiSecretKeys, uploadCiSecrets } from '../../ci-secrets.js'
-import { mapAndroidOnboardingError } from '../../error-categories.js'
-import { canUseFilePicker, openKeystorePicker } from '../../file-picker.js'
+import { mapAndroidOnboardingError, mapSaValidationKindToCategory } from '../../error-categories.js'
+import { canUseFilePicker, openKeystorePicker, openServiceAccountJsonPicker } from '../../file-picker.js'
 import { trackBuilderOnboardingStep } from '../../telemetry.js'
 import { Divider, ErrorLine, FilteredTextInput, Header, SpinnerLine, SuccessLine } from '../../ui/components.js'
 import { findAndroidApplicationIds } from '../gradle-parser.js'
+import { validateServiceAccountJson } from '../service-account-validation.js'
 import {
   ANDROIDPUBLISHER_API,
   createServiceAccountKey,
@@ -219,10 +220,19 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
       ? undefined
       : now - previous.startedAt
 
+    // Steps whose telemetry event carries an `errorCategory` dimension. The
+    // generic `'error'` step always has one (set by `handleError`); the
+    // SA-import `'sa-json-validation-failed'` step also carries one because
+    // the validation effect populates `errorCategoryRef.current` with the
+    // mapped `ValidationResult.kind` before transitioning. Funnel analysis
+    // in PostHog can split sa-json-validation-failed events by category to
+    // see whether failures are "wrong file" vs "SA not invited to app" vs
+    // transient network issues.
+    const carriesErrorCategory = step === 'error' || step === 'sa-json-validation-failed'
     const eventPayload = {
       step,
       durationMs,
-      errorCategory: step === 'error' ? errorCategoryRef.current : undefined,
+      errorCategory: carriesErrorCategory ? errorCategoryRef.current : undefined,
     }
 
     stepTimingRef.current = { step, startedAt: now }
@@ -248,7 +258,36 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
   const pickerOpenedRef = useRef(false)
   const oauthStartedRef = useRef(false)
   const setupStartedRef = useRef(false)
+  const saPickerOpenedRef = useRef(false)
+  const validationStartedRef = useRef(false)
+  // Cleanup hook for the in-flight SA validation. Invoked by the main
+  // useEffect cleanup so a step change / unmount / Ctrl+C aborts the
+  // outbound JWT exchange + Play API round trip rather than letting it run
+  // detached.
+  const validationCleanupRef = useRef<(() => void) | null>(null)
+  /**
+   * Per-step submission guard for `<Select>` `onChange` callbacks.
+   *
+   * `@inkjs/ui` v2.0.0 ships a known footgun in `use-select-state.js`: the
+   * effect that fires `onChange` lists the `onChange` callback itself in its
+   * dependency array AND never resets `state.previousValue` after a selection.
+   * Because parent re-renders create a fresh inline arrow each pass, every
+   * downstream `setState` after the first selection re-triggers `onChange`,
+   * causing duplicate log lines, double persistAndStep writes, and spammed
+   * step transitions.
+   *
+   * This ref is cleared once per step change (see the useEffect below). Any
+   * `onChange` handler that performs a one-shot action (logging, persisting,
+   * step transition) checks the ref and bails on re-fires.
+   *
+   * NOTE: handlers that only flip a sub-mode within the same step (e.g.,
+   * `setKeystorePathMode('manual')`) intentionally do NOT guard, because those
+   * unmount the `<Select>` synchronously and the effect doesn't get a chance
+   * to re-fire.
+   */
+  const selectFiredRef = useRef(false)
   const [keystorePathMode, setKeystorePathMode] = useState<'choose' | 'manual'>('choose')
+  const [saJsonPathMode, setSaJsonPathMode] = useState<'choose' | 'manual'>('choose')
 
   // Phase 1 — keystore
   const [, setKeystoreMethod] = useState<'existing' | 'generate' | null>(
@@ -272,7 +311,21 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
   const [keyPasswordProbe, setKeyPasswordProbe] = useState<null | 'auto' | 'prompt'>(null)
   const keyPasswordProbeRef = useRef(false)
 
-  // Phase 2 — Google sign-in
+  // Phase 2 — Service account method fork
+  const [serviceAccountMethod, setServiceAccountMethod] = useState<'existing' | 'generate' | null>(
+    initialProgress?.serviceAccountMethod || null,
+  )
+  const [serviceAccountJsonPath, setServiceAccountJsonPath] = useState(
+    initialProgress?.serviceAccountJsonPath || '',
+  )
+  // Result of the last validation attempt — drives the sa-json-validation-failed UI.
+  // Loose typing here to avoid pulling the entire ValidationResult union into the
+  // component file; the module owns the discriminated shape.
+  const [saValidationResult, setSaValidationResult] = useState<
+    null | { ok: true } | { ok: false, kind: 'shape-error' | 'token-error' | 'no-app-access' | 'network-error', message: string }
+  >(null)
+
+  // Phase 2b — Google sign-in
   const [, setGoogleSignIn] = useState<GoogleSignInComplete | null>(
     initialProgress?.completedSteps.googleSignInComplete || null,
   )
@@ -611,6 +664,13 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
       oauthStartedRef.current = false
     if (step !== 'gcp-setup-running')
       setupStartedRef.current = false
+    if (step !== 'sa-json-existing-picker')
+      saPickerOpenedRef.current = false
+    if (step !== 'sa-json-validating')
+      validationStartedRef.current = false
+    // Reset the @inkjs/ui Select re-fire guard on every step transition so each
+    // new step gets a clean slate. See the JSDoc on `selectFiredRef`.
+    selectFiredRef.current = false
 
     if (step === 'keystore-existing-picker' && !pickerOpenedRef.current) {
       pickerOpenedRef.current = true
@@ -635,6 +695,95 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
       })()
     }
 
+    if (step === 'sa-json-existing-picker' && !saPickerOpenedRef.current) {
+      saPickerOpenedRef.current = true
+      ;(async () => {
+        try {
+          const selected = await openServiceAccountJsonPicker()
+          if (cancelled)
+            return
+          if (!selected) {
+            // Cancelled — fall back to manual input. Reset the chooser screen
+            // so we don't loop back into picker mode immediately.
+            setSaJsonPathMode('manual')
+            setStep('sa-json-existing-path')
+            return
+          }
+          setServiceAccountJsonPath(selected)
+          await persist((p) => ({ ...p, serviceAccountJsonPath: selected }))
+          addLog(`✔ Service account JSON · ${selected}`)
+          setStep('sa-json-validating')
+        }
+        catch (err) {
+          if (!cancelled)
+            handleError(err, 'sa-json-existing-path')
+        }
+      })()
+    }
+
+    if (step === 'sa-json-validating' && !validationStartedRef.current) {
+      validationStartedRef.current = true
+      // Bound the network round trips to the lifetime of this step. If the
+      // user Ctrl+C's, picks a different file, or unmounts the component
+      // mid-flight, the cleanup at the bottom of this effect aborts the
+      // controller and the in-flight fetch/JWT exchange unwinds promptly.
+      const validationAbort = new AbortController()
+      validationCleanupRef.current = () => validationAbort.abort()
+      ;(async () => {
+        try {
+          if (!serviceAccountJsonPath)
+            throw new Error('No service account JSON path on record — pick the file again.')
+          if (!androidPackageChoice)
+            throw new Error('No Android package on record — pick the package again.')
+
+          const jsonBytes = await readFile(serviceAccountJsonPath)
+          if (cancelled)
+            return
+
+          const result = await validateServiceAccountJson({
+            jsonBytes,
+            packageName: androidPackageChoice.packageName,
+            signal: validationAbort.signal,
+          })
+          if (cancelled)
+            return
+
+          if (result.ok) {
+            const base64 = jsonBytes.toString('base64')
+            setServiceAccountKeyBase64(base64)
+            setSaValidationResult({ ok: true })
+            await persist((p) => ({
+              ...p,
+              _serviceAccountKeyBase64: base64,
+              // Clear any stale "skipped" flag from a previous attempt.
+              serviceAccountValidationSkipped: false,
+            }))
+            addLog(`✔ Service account verified — ${result.serviceAccountEmail}`)
+            setStep('saving-credentials')
+            return
+          }
+
+          setSaValidationResult(result)
+          // Stash the validation failure kind so the PostHog
+          // `sa-json-validation-failed` step event carries the dimension.
+          // Read by the telemetry useEffect on the upcoming step transition.
+          errorCategoryRef.current = mapSaValidationKindToCategory(result.kind)
+          // shape-error indicates the file itself is wrong — surface as a
+          // banner log and route to the same recovery screen so the user
+          // can pick a different file or fall back to OAuth. Other kinds
+          // (token, no-app-access, network) already get full text on the
+          // recovery screen.
+          if (result.kind === 'shape-error')
+            addLog(`✖ ${result.message}`, 'red')
+          setStep('sa-json-validation-failed')
+        }
+        catch (err) {
+          if (!cancelled)
+            handleError(err, 'sa-json-existing-path')
+        }
+      })()
+    }
+
     if (step === 'keystore-existing-detecting-alias') {
       ;(async () => {
         try {
@@ -749,11 +898,26 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
             completedSteps: { ...p.completedSteps, keystoreReady: ready },
           }))
           addLog(`✔ Keystore loaded — ${keystoreExistingPath}`)
-          // Smart-route: skip phases already complete (e.g. on resume).
+          // Smart-route: skip phases already complete (e.g. on resume into
+          // this step after a legacy progress file already had OAuth steps
+          // done). If progress shows nothing past keystoreReady, land on the
+          // new fork; otherwise pick up where we left off (resume contract:
+          // legacy progress without `serviceAccountMethod` defaults to OAuth
+          // via `getAndroidResumeStep`).
           const fresh = await loadAndroidProgress(appId)
           if (cancelled)
             return
-          setStep(fresh ? getAndroidResumeStep(fresh) : 'google-sign-in')
+          const hasAnyOAuthProgress = !!(
+            fresh?.completedSteps.googleSignInComplete
+            || fresh?.completedSteps.playAccountChosen
+            || fresh?.completedSteps.gcpProjectChosen
+            || fresh?.completedSteps.androidPackageChosen
+            || fresh?._oauthRefreshToken
+          )
+          if (hasAnyOAuthProgress || fresh?.serviceAccountMethod !== undefined)
+            setStep(fresh ? getAndroidResumeStep(fresh) : 'service-account-method-select')
+          else
+            setStep('service-account-method-select')
         }
         catch (err) {
           if (!cancelled)
@@ -799,7 +963,15 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
           // here — at this point the password lives only in the in-memory
           // state and the progress file, not in `credentials.json`.
           setRetryCount(0)
-          setStep('google-sign-in')
+          // After keystore is freshly generated in THIS run, always land on
+          // the new method-select fork — we know there's no prior SA choice
+          // because we just finished the keystore phase. Resume mid-flow on
+          // a subsequent run goes through `getAndroidResumeStep`, which
+          // routes legacy progress (absent `serviceAccountMethod`) to the
+          // OAuth path for backward compatibility.
+          if (cancelled)
+            return
+          setStep('service-account-method-select')
         }
         catch (err) {
           if (!cancelled)
@@ -1265,10 +1437,22 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
         if (!cancelled)
           exit()
       }, 100)
-      return () => { cancelled = true; clearTimeout(timer) }
+      return () => {
+        cancelled = true
+        clearTimeout(timer)
+        validationCleanupRef.current?.()
+        validationCleanupRef.current = null
+      }
     }
 
-    return () => { cancelled = true }
+    return () => {
+      cancelled = true
+      // Abort any in-flight SA validation. Safe to call when there isn't one
+      // — the ref is reset to null on every step transition that doesn't
+      // start a new validation.
+      validationCleanupRef.current?.()
+      validationCleanupRef.current = null
+    }
   }, [step])
 
   const progressPct = ANDROID_STEP_PROGRESS[step] ?? 0
@@ -1545,12 +1729,22 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
                     completedSteps: { ...p.completedSteps, keystoreReady: ready },
                   }))
                   addLog(`✔ Keystore loaded — ${keystoreExistingPath}`)
-                  // Smart-route: skip phases already complete (same pattern as
-                  // the auto-probe branch in the useEffect above) so a resume
-                  // that re-enters key-password doesn't drag the user back to
-                  // google-sign-in if they've already completed it.
+                  // Smart-route: same pattern as the auto-probe branch above.
+                  // If the user has any OAuth-side progress (legacy resume or
+                  // mid-flow), pick up where they left off; otherwise drop
+                  // them on the new fork.
                   const fresh = await loadAndroidProgress(appId)
-                  setStep(fresh ? getAndroidResumeStep(fresh) : 'google-sign-in')
+                  const hasAnyOAuthProgress = !!(
+                    fresh?.completedSteps.googleSignInComplete
+                    || fresh?.completedSteps.playAccountChosen
+                    || fresh?.completedSteps.gcpProjectChosen
+                    || fresh?.completedSteps.androidPackageChosen
+                    || fresh?._oauthRefreshToken
+                  )
+                  if (hasAnyOAuthProgress || fresh?.serviceAccountMethod !== undefined)
+                    setStep(fresh ? getAndroidResumeStep(fresh) : 'service-account-method-select')
+                  else
+                    setStep('service-account-method-select')
                 }
                 catch (err) {
                   handleError(err, 'keystore-existing-path')
@@ -1667,7 +1861,203 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
         <Box marginTop={1}><SpinnerLine text="Generating 2048-bit RSA keystore..." /></Box>
       )}
 
-      {/* ── Phase 2 — Google sign-in ── */}
+      {/* ── Phase 2 — Service account method fork ── */}
+
+      {step === 'service-account-method-select' && (
+        <Box flexDirection="column" marginTop={1}>
+          <Alert variant="info">
+            Capgo needs a Google Play service account JSON to upload AABs on your behalf. You can bring your own or let Capgo set one up via Google sign-in.
+          </Alert>
+          <Newline />
+          <Text bold>Do you already have a service account JSON?</Text>
+          <Newline />
+          <Select
+            options={[
+              { label: '🔐  No, set one up for me via Google', value: 'generate' },
+              { label: '✅  Yes, I have my service account JSON file', value: 'existing' },
+            ]}
+            onChange={(value) => {
+              if (selectFiredRef.current)
+                return
+              selectFiredRef.current = true
+              const method: 'existing' | 'generate' = value === 'existing' ? 'existing' : 'generate'
+              setServiceAccountMethod(method)
+              if (method === 'existing') {
+                // Import path needs the package name first so validation can
+                // probe edits.insert(packageName). The package-select step is
+                // shared with the OAuth path and routes back here based on
+                // serviceAccountMethod.
+                persistAndStep(
+                  (p) => ({ ...p, serviceAccountMethod: 'existing' }),
+                  'android-package-select',
+                )
+              }
+              else {
+                persistAndStep(
+                  (p) => ({ ...p, serviceAccountMethod: 'generate' }),
+                  'google-sign-in',
+                )
+              }
+            }}
+          />
+        </Box>
+      )}
+
+      {/* ── Phase 2a — Import existing service account JSON ── */}
+
+      {step === 'sa-json-existing-path' && (
+        <Box flexDirection="column" marginTop={1}>
+          <Text bold>Existing service account JSON (.json)</Text>
+          <Newline />
+          {canUseFilePicker() && saJsonPathMode === 'choose'
+            ? (
+                <>
+                  <Text>How do you want to provide it?</Text>
+                  <Newline />
+                  <Select
+                    options={[
+                      { label: '📂  Open file picker', value: 'picker' },
+                      { label: '📝  Type the path', value: 'manual' },
+                    ]}
+                    onChange={(value) => {
+                      // 'manual' just flips the sub-mode (Select unmounts) and
+                      // is safe from the re-fire bug. 'picker' triggers a step
+                      // transition that takes time — guard against re-fires
+                      // before commit.
+                      if (value === 'picker') {
+                        if (selectFiredRef.current)
+                          return
+                        selectFiredRef.current = true
+                        setStep('sa-json-existing-picker')
+                      }
+                      else {
+                        setSaJsonPathMode('manual')
+                      }
+                    }}
+                  />
+                </>
+              )
+            : (
+                <>
+                  <Text dimColor>Tip: drag a file into this window to paste its path.</Text>
+                  <Newline />
+                  <FilteredTextInput
+                    placeholder="/path/to/service-account.json"
+                    filter=""
+                    onSubmit={(val) => {
+                      const cleaned = cleanPath(val)
+                      if (!cleaned)
+                        return
+                      const abs = resolvePath(cleaned)
+                      if (!existsSync(abs)) {
+                        setError(`File not found: ${abs}`)
+                        setRetryStep('sa-json-existing-path')
+                        setStep('error')
+                        return
+                      }
+                      setServiceAccountJsonPath(abs)
+                      addLog(`✔ Service account JSON · ${abs}`)
+                      persistAndStep(
+                        (p) => ({ ...p, serviceAccountJsonPath: abs }),
+                        'sa-json-validating',
+                      )
+                    }}
+                  />
+                </>
+              )}
+        </Box>
+      )}
+
+      {step === 'sa-json-existing-picker' && (
+        <Box marginTop={1}><SpinnerLine text="Opening file picker..." /></Box>
+      )}
+
+      {step === 'sa-json-validating' && (
+        <Box marginTop={1}>
+          <SpinnerLine text="Validating service account against Google Play..." />
+        </Box>
+      )}
+
+      {step === 'sa-json-validation-failed' && saValidationResult && !saValidationResult.ok && (
+        <Box flexDirection="column" marginTop={1}>
+          <Alert variant="warning">
+            Service account validation failed.
+          </Alert>
+          <Newline />
+          <Box flexDirection="column" marginLeft={2}>
+            <Text color="red">{saValidationResult.message}</Text>
+          </Box>
+          <Newline />
+          <Text bold>What would you like to do?</Text>
+          <Newline />
+          <Select
+            options={[
+              { label: '🔄  Try a different service account file', value: 'retry' },
+              { label: '💾  Save credentials anyway (skip validation)', value: 'save-anyway' },
+              { label: '🆕  Set up a new service account via Google', value: 'oauth' },
+            ]}
+            onChange={(value) => {
+              if (selectFiredRef.current)
+                return
+              selectFiredRef.current = true
+              // Defense-in-depth: the validation failure's errorCategory has
+              // already been emitted on the `sa-json-validation-failed` step
+              // event. Clearing the ref before leaving this step ensures any
+              // subsequent error (e.g. disk failure at `saving-credentials`,
+              // a failed re-validation, or an OAuth issue downstream) gets
+              // its own freshly-mapped category instead of inheriting the
+              // stale SA validation one. `handleError` overwrites this ref
+              // before transitioning to `'error'`, so today this is
+              // belt-and-suspenders — but it makes the ref's invariant
+              // ("most recent unresolved error context") true at every
+              // sa-json-validation-failed exit point.
+              errorCategoryRef.current = undefined
+              if (value === 'retry') {
+                // Clear the saved path so the picker chooser shows fresh.
+                setServiceAccountJsonPath('')
+                setSaValidationResult(null)
+                setSaJsonPathMode('choose')
+                persistAndStep(
+                  (p) => ({ ...p, serviceAccountJsonPath: undefined }),
+                  'sa-json-existing-path',
+                )
+                return
+              }
+              if (value === 'save-anyway') {
+                ;(async () => {
+                  try {
+                    if (!serviceAccountJsonPath)
+                      throw new Error('No service account JSON path on record.')
+                    const bytes = await readFile(serviceAccountJsonPath)
+                    const base64 = bytes.toString('base64')
+                    setServiceAccountKeyBase64(base64)
+                    await persist((p) => ({
+                      ...p,
+                      _serviceAccountKeyBase64: base64,
+                      serviceAccountValidationSkipped: true,
+                    }))
+                    addLog('⚠ Saved service account without validation — builds may fail if the SA isn\'t invited to your Play Console app.', 'yellow')
+                    setStep('saving-credentials')
+                  }
+                  catch (err) {
+                    handleError(err, 'sa-json-existing-path')
+                  }
+                })()
+                return
+              }
+              // oauth — fall back to the OAuth provisioning path.
+              setServiceAccountMethod('generate')
+              setSaValidationResult(null)
+              persistAndStep(
+                (p) => ({ ...p, serviceAccountMethod: 'generate' }),
+                'google-sign-in',
+              )
+            }}
+          />
+        </Box>
+      )}
+
+      {/* ── Phase 2b — Google sign-in ── */}
 
       {step === 'google-sign-in' && !showOAuthLearnMore && (
         <Box flexDirection="column" marginTop={1}>
@@ -1936,22 +2326,32 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
                       { label: '✍️   Type a different package name', value: '__manual__' },
                     ]}
                     onChange={(value) => {
+                      // Mode-switch path unmounts the <Select> synchronously,
+                      // so the @inkjs/ui re-fire bug can't replay it. The
+                      // package-pick path goes through async persistAndStep,
+                      // which keeps the <Select> mounted long enough for the
+                      // bug to spam — gate it with the per-step guard.
                       if (value === '__manual__') {
                         setPackageSelectMode('manual')
                         return
                       }
+                      if (selectFiredRef.current)
+                        return
+                      selectFiredRef.current = true
                       const choice: AndroidPackageChoice = {
                         packageName: value,
                         source: 'gradle',
                       }
                       setAndroidPackageChoice(choice)
                       addLog(`✔ Android package — ${value}`)
+                      const nextStep: AndroidOnboardingStep
+                        = serviceAccountMethod === 'existing' ? 'sa-json-existing-path' : 'gcp-setup-running'
                       persistAndStep(
                         (p) => ({
                           ...p,
                           completedSteps: { ...p.completedSteps, androidPackageChosen: choice },
                         }),
-                        'gcp-setup-running',
+                        nextStep,
                       )
                     }}
                   />
@@ -1978,12 +2378,14 @@ const AndroidOnboardingApp: FC<AppProps> = ({ appId, initialProgress, androidDir
                       }
                       setAndroidPackageChoice(choice)
                       addLog(`✔ Android package — ${name}`)
+                      const nextStep: AndroidOnboardingStep
+                        = serviceAccountMethod === 'existing' ? 'sa-json-existing-path' : 'gcp-setup-running'
                       persistAndStep(
                         (p) => ({
                           ...p,
                           completedSteps: { ...p.completedSteps, androidPackageChosen: choice },
                         }),
-                        'gcp-setup-running',
+                        nextStep,
                       )
                     }}
                   />
diff --git a/cli/src/build/onboarding/error-categories.ts b/cli/src/build/onboarding/error-categories.ts
index 41ab2d49b1..a9e5713e59 100644
--- a/cli/src/build/onboarding/error-categories.ts
+++ b/cli/src/build/onboarding/error-categories.ts
@@ -82,3 +82,26 @@ export function mapAndroidOnboardingError(error: unknown): AndroidOnboardingErro
 
   return 'unknown'
 }
+
+/**
+ * Map a `ValidationResult.kind` from the SA-import validation module onto an
+ * AndroidOnboardingErrorCategory so PostHog `Builder Onboarding Step` events
+ * for `sa-json-validation-failed` carry an actionable failure dimension.
+ *
+ * Kept here (alongside `mapAndroidOnboardingError`) so the full SA-error
+ * taxonomy lives in one place.
+ */
+export function mapSaValidationKindToCategory(
+  kind: 'shape-error' | 'token-error' | 'no-app-access' | 'network-error',
+): AndroidOnboardingErrorCategory {
+  switch (kind) {
+    case 'shape-error':
+      return 'sa_json_shape_invalid'
+    case 'token-error':
+      return 'sa_json_token_rejected'
+    case 'no-app-access':
+      return 'sa_json_no_app_access'
+    case 'network-error':
+      return 'sa_json_network_error'
+  }
+}
diff --git a/cli/src/build/onboarding/file-picker.ts b/cli/src/build/onboarding/file-picker.ts
index c2f88aa1ea..ec9ac222a1 100644
--- a/cli/src/build/onboarding/file-picker.ts
+++ b/cli/src/build/onboarding/file-picker.ts
@@ -80,3 +80,18 @@ export function openKeystorePicker(): Promise<string | null> {
     'POSIX path of (choose file of type {"jks", "keystore", "p12"} with prompt "Select your Android keystore")',
   )
 }
+
+/**
+ * Open the macOS native file picker filtered to Google Play service account
+ * JSON files. Used by the Android onboarding "import existing SA" path.
+ *
+ * Uses the official `public.json` Uniform Type Identifier rather than the raw
+ * `"json"` extension hint — AppleScript treats unrecognized strings as 4-char
+ * OSType codes, and the legacy OSType code for `"json"` does not match real
+ * `.json` files, which makes the dialog grey them all out.
+ */
+export function openServiceAccountJsonPicker(): Promise<string | null> {
+  return openMacFilePicker(
+    'POSIX path of (choose file of type {"public.json"} with prompt "Select your Google Play service account JSON")',
+  )
+}
diff --git a/cli/test/test-android-service-account-validation.mjs b/cli/test/test-android-service-account-validation.mjs
new file mode 100644
index 0000000000..b9f49b1722
--- /dev/null
+++ b/cli/test/test-android-service-account-validation.mjs
@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+/**
+ * Unit tests for Android service-account JSON validation.
+ * Keeps coverage focused on local parsing/guardrails; live Google validation is
+ * covered by manual onboarding tests.
+ */
+
+import { Buffer } from 'node:buffer'
+
+console.log('🧪 Testing Android service-account validation helpers...\n')
+
+let testsPassed = 0
+let testsFailed = 0
+
+async function test(name, fn) {
+  try {
+    console.log(`\n🔍 ${name}`)
+    await fn()
+    console.log(`✅ PASSED: ${name}`)
+    testsPassed++
+  }
+  catch (error) {
+    console.error(`❌ FAILED: ${name}`)
+    console.error(`   Error: ${error.message}`)
+    testsFailed++
+  }
+}
+
+function assert(cond, msg) { if (!cond) throw new Error(msg || 'Assertion failed') }
+function assertEquals(a, b, msg) { if (a !== b) throw new Error(msg || `Expected ${b}, got ${a}`) }
+
+async function importValidation() {
+  return await import('../src/build/onboarding/android/service-account-validation.ts')
+}
+
+function serviceAccountJson(overrides = {}) {
+  return Buffer.from(JSON.stringify({
+    type: 'service_account',
+    client_email: 'capgo-build@example-project.iam.gserviceaccount.com',
+    private_key: '-----BEGIN PRIVATE KEY-----\nnot-used-by-these-tests\n-----END PRIVATE KEY-----\n',
+    project_id: 'example-project',
+    token_uri: 'https://oauth2.googleapis.com/token',
+    ...overrides,
+  }))
+}
+
+await test('parseServiceAccountKey accepts Google OAuth token endpoint', async () => {
+  const { parseServiceAccountKey } = await importValidation()
+  const key = parseServiceAccountKey(serviceAccountJson())
+  assertEquals(key.token_uri, 'https://oauth2.googleapis.com/token')
+  assertEquals(key.client_email, 'capgo-build@example-project.iam.gserviceaccount.com')
+})
+
+await test('validateServiceAccountJson rejects non-Google token_uri before network calls', async () => {
+  const { validateServiceAccountJson } = await importValidation()
+  let fetchCalled = false
+  const result = await validateServiceAccountJson({
+    jsonBytes: serviceAccountJson({ token_uri: 'https://example.test/token' }),
+    packageName: 'com.example.app',
+    fetchImpl: async () => {
+      fetchCalled = true
+      throw new Error('fetch should not be called')
+    },
+  })
+
+  assertEquals(fetchCalled, false, 'fetch should not be called for rejected token_uri')
+  assertEquals(result.ok, false)
+  assertEquals(result.kind, 'shape-error')
+  assert(result.message.includes('unsupported token_uri'), `unexpected error: ${result.message}`)
+})
+
+console.log(`\n📊 Results: ${testsPassed} passed, ${testsFailed} failed`)
+if (testsFailed > 0)
+  process.exit(1)
diff --git a/docs/superpowers/specs/2026-05-21-android-import-service-account-design.md b/docs/superpowers/specs/2026-05-21-android-import-service-account-design.md
new file mode 100644
index 0000000000..282d57f7fb
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-21-android-import-service-account-design.md
@@ -0,0 +1,332 @@
+# Android onboarding: import existing service account JSON
+
+**Date:** 2026-05-21
+**Status:** Approved — ready for implementation plan
+**Area:** `cli/src/build/onboarding/android/`
+
+## Problem
+
+The Capgo CLI's `build init` Android onboarding currently has one path for setting
+up Google Play service-account credentials: a fully automated Google OAuth flow
+that signs the user in, picks/creates a GCP project, creates a brand-new service
+account, generates a JSON key, and invites the SA to the user's Play Console
+developer account.
+
+Users who already manage their own service account (because they use fastlane
+`supply` outside Capgo, have a corporate GCP setup, or simply prefer to keep
+secrets self-managed) have no way to plug their existing credentials in via
+`build init`. They have to fall back to `build credentials save`, which bypasses
+the entire onboarding TUI and offers no validation feedback.
+
+The existing keystore phase already supports this pattern — the
+`keystore-method-select` step lets the user choose **existing** or **generate**.
+We want the same affordance for the service account.
+
+## Goals
+
+- Add an "I have my own service account JSON" path to the Android onboarding TUI.
+- Use the macOS native file picker (filtered to `.json`) when running on macOS,
+  with a manual-path fallback on other platforms — mirrors the existing keystore
+  flow.
+- Validate the imported SA against the user's Play Console app *before* saving
+  credentials, so failures surface during onboarding (not at first build).
+- Soft-fail gracefully: if validation can't complete (offline, SA not invited
+  yet, wrong package), let the user save anyway, retry with a different file,
+  or fall back to the OAuth path.
+- Do not regress the existing OAuth path or the keystore fork.
+
+## Non-goals
+
+- Ask the user for a Play Console developer ID. Fastlane's `supply` does not need
+  one — it authenticates with the SA JSON and scopes all calls by `packageName`.
+  See "Why no developer ID" below.
+- Support importing a partial credential bundle (e.g. SA only, keystore still
+  generated). The keystore fork is independent and already covers that case.
+- Migrate the existing OAuth path to share code paths with the import path.
+
+## Why no developer ID
+
+The current OAuth flow asks for the Play Console developer ID because Capgo
+**creates** a fresh SA and calls
+`androidpublisher.developers.{developerId}.users.create` to invite it to the
+user's Play Console developer account
+([`play-api.ts`](../../../cli/src/build/onboarding/android/play-api.ts)).
+That invite is a one-time provisioning step.
+
+For an **imported** SA the user has already performed the invite themselves in
+Play Console → Users and permissions. From then on, every upload call is scoped
+by `packageName` only — Google resolves which developer account owns the package
+on its side. Fastlane's `supply` confirms this:
+
+- `supply/lib/supply/client.rb` authenticates with
+  `Google::Auth::ServiceAccountCredentials.make_creds(json_key_io: …, scope: …)`
+  and then calls `client.insert_edit(package_name)`,
+  `client.list_edit_bundles(package_name, edit_id)`,
+  `client.commit_edit(package_name, edit_id, …)` etc.
+- `supply/lib/supply/options.rb` exposes `package_name`, `json_key`,
+  `json_key_data`, `issuer`, etc. — **no** `developer_id` /
+  `developer_account_id` option.
+
+So for imports the developer ID would only be useful as a validation aid, and
+even then `edits.insert(packageName)` is a strictly better check (it tests the
+same auth path fastlane will take at build time).
+
+## Flow
+
+```text
+keystore phase (unchanged: existing / generate)
+  ↓
+service-account-method-select   ← NEW fork
+  ├─ "Set it up for me via Google" ─→ existing OAuth path (unchanged)
+  └─ "I have my service account JSON" ─→ import path:
+        android-package-select          (reused: confirm packageName)
+        sa-json-existing-path           (NEW: picker-or-manual chooser)
+        ├─ "Open file picker"  ─→ sa-json-existing-picker (macOS only)
+        └─ "Type the path"     ─→ text input
+        sa-json-validating              (NEW: shape → token → edits.insert/delete)
+        ├─ ok       ─→ saving-credentials (existing)
+        └─ failed   ─→ sa-json-validation-failed (NEW: soft-warn recovery)
+                       ├─ "Try a different SA file"      ─→ sa-json-existing-path
+                       ├─ "Save anyway (skip validation)" ─→ saving-credentials
+                       └─ "Set up via Google instead"     ─→ google-sign-in
+```
+
+## State additions
+
+### `AndroidOnboardingStep` (new variants)
+
+```typescript
+| 'service-account-method-select'
+| 'sa-json-existing-path'
+| 'sa-json-existing-picker'
+| 'sa-json-validating'
+| 'sa-json-validation-failed'
+```
+
+Existing `android-package-select` gains a new outbound edge: when
+`serviceAccountMethod === 'existing'` it routes to `sa-json-existing-path`
+instead of `gcp-setup-running`.
+
+### `AndroidOnboardingProgress` (new fields)
+
+```typescript
+serviceAccountMethod?: 'existing' | 'generate'
+serviceAccountJsonPath?: string
+serviceAccountValidationSkipped?: boolean
+```
+
+`serviceAccountMethod` is the source of truth for resume routing. Absent on
+legacy progress files (created before this field existed) → resume defaults to
+`generate` for backward compatibility, exactly like the iOS `setupMethod` field.
+
+### `ANDROID_STEP_PROGRESS` and `getAndroidPhaseLabel`
+
+The existing OAuth phase labels stay unchanged. The new steps map to:
+
+- `service-account-method-select` → `'Step 2 of 4 · Service account'`
+- `sa-json-existing-path`, `sa-json-existing-picker`, `sa-json-validating`,
+  `sa-json-validation-failed` → `'Step 3 of 4 · Service account'`
+
+Progress percentages: `service-account-method-select` = 22,
+`sa-json-existing-path` = 28, `sa-json-existing-picker` = 28,
+`sa-json-validating` = 70, `sa-json-validation-failed` = 70 (same as the OAuth
+path's `gcp-setup-running` so the bar doesn't jump back).
+
+## Validation module
+
+New file: `cli/src/build/onboarding/android/service-account-validation.ts`
+
+```typescript
+export type ValidationResult
+  = | { ok: true, serviceAccountEmail: string, projectId: string }
+    | { ok: false, kind: 'shape-error', message: string }
+    | { ok: false, kind: 'token-error', message: string }
+    | { ok: false, kind: 'no-app-access', message: string, serviceAccountEmail: string }
+    | { ok: false, kind: 'network-error', message: string }
+
+export async function validateServiceAccountJson(args: {
+  jsonBytes: Buffer
+  packageName: string
+  signal?: AbortSignal
+}): Promise<ValidationResult>
+```
+
+### Algorithm
+
+1. **Shape check** — `JSON.parse`, then confirm:
+   - `type === 'service_account'`
+   - non-empty `private_key`, `client_email`, `project_id`, `token_uri`
+   Failure ⇒ `shape-error`.
+
+2. **Token exchange** — build a signed JWT (using `node:crypto.createSign` with
+   the SA private key), POST to `token_uri` with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`
+   and `scope=https://www.googleapis.com/auth/androidpublisher`. Failure ⇒
+   `token-error` with Google's error message.
+
+3. **App-access check** — POST
+   `https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/edits`
+   with empty JSON body and the bearer token.
+   - 200 ⇒ grab `editId`, then DELETE
+     `applications/{packageName}/edits/{editId}`. Cleanup is best-effort: log
+     warnings on DELETE failure but treat the overall result as ok (the draft
+     edit auto-expires after 7 days regardless).
+   - 403 / 404 / 401 ⇒ `no-app-access`. Message includes the SA email and
+     packageName plus the actionable hint: "Invite this SA in Play Console →
+     Users and permissions → grant access to package X".
+   - Network failure / non-2xx / 5xx ⇒ `network-error`.
+
+The function takes an `AbortSignal` so the React UI can cancel mid-flight (e.g.
+user hits Ctrl+C). Both fetch calls forward the signal.
+
+## File picker
+
+Add to `cli/src/build/onboarding/file-picker.ts`:
+
+```typescript
+export function openServiceAccountJsonPicker(): Promise<string | null> {
+  return openMacFilePicker(
+    'POSIX path of (choose file of type {"json"} with prompt "Select your Google Play service account JSON")',
+  )
+}
+```
+
+UX mirrors the keystore picker exactly:
+
+- **macOS** — `sa-json-existing-path` shows a `Select` with two options:
+  - "📂 Open file picker" → `sa-json-existing-picker`
+  - "📝 Type the path" → falls through to text input
+  Picker cancellation falls back to text input.
+- **Non-macOS** — `sa-json-existing-path` renders a `FilteredTextInput` straight
+  away, with the "drag a file into this window" hint.
+
+Resolved path is `existsSync`-checked before transitioning to
+`sa-json-validating`, same as the keystore path step.
+
+## Saving credentials
+
+Both the validation-success transition and the "save anyway" transition must
+populate the same in-progress field before jumping to `saving-credentials`:
+
+- Read the SA JSON file bytes from `serviceAccountJsonPath`, base64-encode,
+  write into `progress._serviceAccountKeyBase64`. This is the same field the
+  OAuth path uses, so the existing `saving-credentials` code path picks it up
+  unchanged and emits `PLAY_CONFIG_JSON` (already wired through
+  `cli/src/schemas/build.ts`).
+- Set `CredentialFile.PLAY_CONFIG_JSON_PATH` to the user-selected file path so
+  the credential save record points back to the source file.
+- The existing `saving-credentials` step handles disk write, atomic semantics,
+  and the rest of the downstream flow (CI secrets detection, ask-build,
+  request).
+
+No changes to `cli/src/schemas/build.ts`.
+
+## Failure recovery UI
+
+`sa-json-validation-failed` step:
+
+```text
+⚠️  Service account validation failed
+<error message tailored to the failure kind>
+
+What would you like to do?
+  🔄  Try a different service account file
+  💾  Save credentials anyway (validation may have transient causes)
+  🆕  Set up a new service account via Google
+```
+
+- "Try different file" → `sa-json-existing-path` (state preserved: package name
+  pick is still valid).
+- "Save anyway" → set `serviceAccountValidationSkipped: true` in progress, add a
+  yellow banner log entry, jump to `saving-credentials`.
+- "Set up via Google" → set `serviceAccountMethod: 'generate'` in progress, jump
+  to `google-sign-in`. The keystore phase is already complete by this point so
+  the OAuth flow picks up cleanly.
+
+## Resume behaviour
+
+`loadAndroidProgress` returns the progress record. Resume routing already lives
+in `cli/src/build/onboarding/android/progress.ts`. New rules:
+
+- If `serviceAccountMethod === 'existing'`:
+  - If `_serviceAccountKeyBase64` is set (validation passed) → resume at
+    `saving-credentials`.
+  - Else if `serviceAccountJsonPath` is set → resume at `sa-json-validating`.
+  - Else if `androidPackageChosen` is set → resume at `sa-json-existing-path`.
+  - Else → resume at `service-account-method-select` (re-pick the fork).
+- If `serviceAccountMethod === 'generate'` or absent → existing rules apply.
+
+`serviceAccountValidationSkipped` is read at `saving-credentials` to gate the
+banner log; it does not affect routing.
+
+## Telemetry
+
+Hook into the existing onboarding event channel used by `setLog()` /
+`pushEvent()`. New events:
+
+- `onboarding-android-sa-method-existing` / `…-sa-method-generate`
+- `onboarding-android-sa-validation-success` / `…-token-error` /
+  `…-no-app-access` / `…-network-error` / `…-shape-error`
+- `onboarding-android-sa-recovery-retry` / `…-save-anyway` / `…-fallback-oauth`
+
+These mirror the existing OAuth-step events so we can compare funnel completion
+between paths.
+
+## Files touched
+
+| File | Change |
+|------|--------|
+| `cli/src/build/onboarding/android/service-account-validation.ts` | **NEW** — validation module |
+| `cli/src/build/onboarding/file-picker.ts` | Add `openServiceAccountJsonPicker` |
+| `cli/src/build/onboarding/android/types.ts` | New step variants, progress fields, phase labels |
+| `cli/src/build/onboarding/android/progress.ts` | Resume routing for new states |
+| `cli/src/build/onboarding/android/ui/app.tsx` | New step blocks, transitions, file-picker effect |
+
+No backend, no schema changes, no migrations.
+
+## Testing
+
+### Unit
+
+- `service-account-validation.test.ts`:
+  - shape error: missing `private_key`, wrong `type`, malformed JSON
+  - token error: mock `token_uri` returns 401 with `invalid_grant`
+  - no-app-access: mock `edits.insert` returns 403; assert error message names
+    the SA email and packageName
+  - happy path: mock `edits.insert` 200 → mock `edits.delete` 200; assert
+    `ok: true` with extracted email/projectId
+  - network error: mock fetch rejects with `TypeError` (DNS failure)
+  - cleanup-best-effort: mock `edits.insert` 200 → `edits.delete` 500;
+    overall result still `ok: true`, warning logged
+
+- Snapshot test on `service-account-method-select` UI to lock the copy.
+
+### Resume / integration
+
+- Test fixtures for `AndroidOnboardingProgress` at each new step; assert
+  `getAndroidResumeStep` returns the expected step.
+- Test that `serviceAccountValidationSkipped: true` survives a save/load round
+  trip and surfaces the banner on resume.
+
+### Manual / e2e (macOS only)
+
+- Walk the full happy path with a real SA JSON and a real test app.
+- Walk the no-app-access path with an SA that's been revoked from the test app.
+- Walk the recovery options (retry, save-anyway, fallback to OAuth).
+- Confirm the file picker filters to `.json` and that the cancel path falls
+  through to text input.
+
+## Risks & mitigations
+
+- **`edits.insert` side effects** — Creates a draft edit on the user's Play
+  Console. Mitigation: immediate `edits.delete`. Worst case (delete fails) the
+  draft auto-expires in 7 days and is invisible to most Play Console views.
+- **Network flakiness during validation** — Mitigated by the "save anyway"
+  recovery option. The user can proceed and let the build surface the real
+  error.
+- **Progress field collision on resume** — Legacy progress files don't have
+  `serviceAccountMethod`. Default to `'generate'` on absent so existing in-flight
+  onboardings continue on the OAuth path they started on.
+- **SA JSON file relocation between selection and validation** — `existsSync`
+  check at path-input time + re-read at validation time. If the file is gone at
+  validation time, surface as `shape-error` ("Could not read SA JSON: file not
+  found").
diff --git a/tests/android-onboarding-progress.unit.test.ts b/tests/android-onboarding-progress.unit.test.ts
new file mode 100644
index 0000000000..9423f2f63e
--- /dev/null
+++ b/tests/android-onboarding-progress.unit.test.ts
@@ -0,0 +1,180 @@
+import type { AndroidOnboardingProgress } from '../cli/src/build/onboarding/android/types.ts'
+import { describe, expect, it } from 'vitest'
+import { getAndroidResumeStep } from '../cli/src/build/onboarding/android/progress.ts'
+
+// ─── Test fixture helpers ───────────────────────────────────────────
+//
+// Built compositionally so each test makes the minimum-relevant
+// progress shape and the failure-localization on assertions stays
+// clear: if `withFullKeystore(emptyProgress())` resumes to the wrong
+// step, the offending field is unambiguous.
+
+function emptyProgress(): AndroidOnboardingProgress {
+  return {
+    platform: 'android',
+    appId: 'com.test.app',
+    startedAt: '2026-05-21T00:00:00.000Z',
+    completedSteps: {},
+  }
+}
+
+function withFullKeystore(p: AndroidOnboardingProgress): AndroidOnboardingProgress {
+  // `keystoreFullyValid` requires the marker AND all three ephemeral
+  // fields. Helper sets them all so resume always passes the keystore
+  // gate and tests focus on Phase 2+.
+  return {
+    ...p,
+    keystoreAlias: 'release',
+    keystoreStorePassword: 'pw',
+    _keystoreBase64: 'base64-data',
+    completedSteps: {
+      ...p.completedSteps,
+      keystoreReady: {
+        keystorePath: 'release.p12',
+        alias: 'release',
+        isGenerated: true,
+      },
+    },
+  }
+}
+
+function withGoogleSignIn(p: AndroidOnboardingProgress): AndroidOnboardingProgress {
+  return {
+    ...p,
+    _oauthRefreshToken: 'refresh-token',
+    completedSteps: {
+      ...p.completedSteps,
+      googleSignInComplete: {
+        email: 'user@example.com',
+        googleSubject: 'subject-123',
+        scope: 'androidpublisher cloud-platform',
+      },
+    },
+  }
+}
+
+function withPackageChosen(p: AndroidOnboardingProgress): AndroidOnboardingProgress {
+  return {
+    ...p,
+    completedSteps: {
+      ...p.completedSteps,
+      androidPackageChosen: {
+        packageName: 'com.test.app',
+        source: 'gradle',
+      },
+    },
+  }
+}
+
+// ─── Base routing ───────────────────────────────────────────────────
+
+describe('getAndroidResumeStep — base routing', () => {
+  it('returns welcome for null progress', () => {
+    expect(getAndroidResumeStep(null)).toBe('welcome')
+  })
+
+  it('returns keystore-method-select when keystore is not started', () => {
+    expect(getAndroidResumeStep(emptyProgress())).toBe('keystore-method-select')
+  })
+})
+
+// ─── Legacy progress (backward compatibility contract) ──────────────
+//
+// Progress files created before the service-account fork existed have
+// no `serviceAccountMethod` field. The compatibility contract: route
+// them onto the existing OAuth path so in-flight onboardings continue
+// where they were. Don't drop legacy users into the new fork.
+
+describe('getAndroidResumeStep — legacy progress (no serviceAccountMethod)', () => {
+  it('legacy progress with only keystore done routes to google-sign-in', () => {
+    // No serviceAccountMethod → fall through to the OAuth-path rules.
+    // !googleSignInComplete → google-sign-in. This is the contract.
+    const p = withFullKeystore(emptyProgress())
+    expect(getAndroidResumeStep(p)).toBe('google-sign-in')
+  })
+
+  it('legacy progress past google-sign-in continues to play-developer-id-input', () => {
+    const p = withGoogleSignIn(withFullKeystore(emptyProgress()))
+    expect(getAndroidResumeStep(p)).toBe('play-developer-id-input')
+  })
+
+  it('re-runs google-sign-in if the marker exists but the refresh token is missing', () => {
+    // Defensive: a partial completion that lost the refresh token can't
+    // mint new access tokens, so the rest of the OAuth chain would fail.
+    // Treat it as never-signed-in.
+    const p = withFullKeystore(emptyProgress())
+    p.completedSteps.googleSignInComplete = {
+      email: 'user@example.com',
+      googleSubject: 'subject-123',
+      scope: 'androidpublisher cloud-platform',
+    }
+    // Note: no _oauthRefreshToken
+    expect(getAndroidResumeStep(p)).toBe('google-sign-in')
+  })
+})
+
+// ─── Import path (serviceAccountMethod === 'existing') ──────────────
+
+describe('getAndroidResumeStep — import path', () => {
+  it('routes to android-package-select first if no package chosen yet', () => {
+    // Package name is needed for the edits.insert validation probe.
+    // Until we have it, the import path can't proceed past file pick.
+    const p = withFullKeystore(emptyProgress())
+    p.serviceAccountMethod = 'existing'
+    expect(getAndroidResumeStep(p)).toBe('android-package-select')
+  })
+
+  it('routes to sa-json-existing-path after package chosen but no file picked', () => {
+    const p = withPackageChosen(withFullKeystore(emptyProgress()))
+    p.serviceAccountMethod = 'existing'
+    expect(getAndroidResumeStep(p)).toBe('sa-json-existing-path')
+  })
+
+  it('routes to sa-json-validating after file picked but not yet accepted', () => {
+    const p = withPackageChosen(withFullKeystore(emptyProgress()))
+    p.serviceAccountMethod = 'existing'
+    p.serviceAccountJsonPath = '/path/to/sa.json'
+    expect(getAndroidResumeStep(p)).toBe('sa-json-validating')
+  })
+
+  it('routes to saving-credentials once the SA key bytes are accepted', () => {
+    // `_serviceAccountKeyBase64` is set by EITHER a successful validation
+    // OR the user picking "save anyway" on the failure recovery screen.
+    // Both should converge to saving-credentials so we don't re-run
+    // validation pointlessly on resume.
+    const p = withPackageChosen(withFullKeystore(emptyProgress()))
+    p.serviceAccountMethod = 'existing'
+    p.serviceAccountJsonPath = '/path/to/sa.json'
+    p._serviceAccountKeyBase64 = 'base64-sa-bytes'
+    expect(getAndroidResumeStep(p)).toBe('saving-credentials')
+  })
+
+  it('honors save-anyway resume even with serviceAccountValidationSkipped=true', () => {
+    // The skipped flag drives a banner log at save time; it must NOT
+    // affect routing. The key bytes are the source of truth.
+    const p = withPackageChosen(withFullKeystore(emptyProgress()))
+    p.serviceAccountMethod = 'existing'
+    p.serviceAccountJsonPath = '/path/to/sa.json'
+    p._serviceAccountKeyBase64 = 'base64-sa-bytes'
+    p.serviceAccountValidationSkipped = true
+    expect(getAndroidResumeStep(p)).toBe('saving-credentials')
+  })
+})
+
+// ─── Generate path (serviceAccountMethod === 'generate') ────────────
+
+describe('getAndroidResumeStep — generate path', () => {
+  it("'generate' explicitly set falls through to the OAuth-path rules", () => {
+    const p = withFullKeystore(emptyProgress())
+    p.serviceAccountMethod = 'generate'
+    // Same as the legacy case but with an explicit marker — should still
+    // land on google-sign-in because no OAuth steps are done.
+    expect(getAndroidResumeStep(p)).toBe('google-sign-in')
+  })
+
+  it("'generate' continues to play-developer-id-input after sign-in", () => {
+    const p = withGoogleSignIn(withFullKeystore(emptyProgress()))
+    p.serviceAccountMethod = 'generate'
+    expect(getAndroidResumeStep(p)).toBe('play-developer-id-input')
+  })
+})
diff --git a/tests/onboarding-error-categories.unit.test.ts b/tests/onboarding-error-categories.unit.test.ts
index 487a7201df..d25b8d9cd4 100644
--- a/tests/onboarding-error-categories.unit.test.ts
+++ b/tests/onboarding-error-categories.unit.test.ts
@@ -1,7 +1,7 @@
 import { describe, expect, it } from 'vitest'
 import { MissingScopesError } from '../cli/src/build/onboarding/android/oauth-google.ts'
 import { CertificateLimitError } from '../cli/src/build/onboarding/apple-api.ts'
-import { mapAndroidOnboardingError, mapIosOnboardingError } from '../cli/src/build/onboarding/error-categories.ts'
+import { mapAndroidOnboardingError, mapIosOnboardingError, mapSaValidationKindToCategory } from '../cli/src/build/onboarding/error-categories.ts'
 
 describe('mapIosOnboardingError', () => {
   it.concurrent('maps 401 from App Store Connect to apple_api_unauthorized', () => {
@@ -97,3 +97,21 @@ describe('mapAndroidOnboardingError', () => {
     expect(mapAndroidOnboardingError(null)).toBe('unknown')
   })
 })
+
+describe('mapSaValidationKindToCategory', () => {
+  it.concurrent('maps shape-error to sa_json_shape_invalid', () => {
+    expect(mapSaValidationKindToCategory('shape-error')).toBe('sa_json_shape_invalid')
+  })
+
+  it.concurrent('maps token-error to sa_json_token_rejected', () => {
+    expect(mapSaValidationKindToCategory('token-error')).toBe('sa_json_token_rejected')
+  })
+
+  it.concurrent('maps no-app-access to sa_json_no_app_access', () => {
+    expect(mapSaValidationKindToCategory('no-app-access')).toBe('sa_json_no_app_access')
+  })
+
+  it.concurrent('maps network-error to sa_json_network_error', () => {
+    expect(mapSaValidationKindToCategory('network-error')).toBe('sa_json_network_error')
+  })
+})
diff --git a/tests/service-account-validation.unit.test.ts b/tests/service-account-validation.unit.test.ts
new file mode 100644
index 0000000000..1b9c64f410
--- /dev/null
+++ b/tests/service-account-validation.unit.test.ts
@@ -0,0 +1,397 @@
+import { Buffer } from 'node:buffer'
+import { generateKeyPairSync } from 'node:crypto'
+import { describe, expect, it } from 'vitest'
+import { parseServiceAccountKey, validateServiceAccountJson } from '../cli/src/build/onboarding/android/service-account-validation.ts'
+
+// ─── Test fixtures ──────────────────────────────────────────────────
+//
+// Generate a real RSA key once per file so JWT signing inside the
+// validator doesn't blow up — even though the token endpoint is mocked,
+// `jwt.sign(..., key.private_key, { algorithm: 'RS256' })` still runs
+// for real and needs a parseable PEM.
+
+const RSA_KEY = (() => {
+  const { privateKey } = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+  })
+  return privateKey as string
+})()
+
+const TEST_PACKAGE = 'com.example.app'
+const TEST_SA_EMAIL = 'sa@my-project.iam.gserviceaccount.com'
+const TEST_PROJECT_ID = 'my-project'
+
+function buildSaJson(overrides: Record<string, unknown> = {}): Buffer {
+  return Buffer.from(JSON.stringify({
+    type: 'service_account',
+    client_email: TEST_SA_EMAIL,
+    private_key: RSA_KEY,
+    project_id: TEST_PROJECT_ID,
+    token_uri: 'https://oauth2.googleapis.com/token',
+    private_key_id: 'abc123',
+    ...overrides,
+  }))
+}
+
+// ─── Mock fetch ─────────────────────────────────────────────────────
+//
+// Route requests by URL so each test can wire just the response shape
+// it cares about. Anything unexpected throws so a forgotten mock fails
+// loudly rather than silently making a real outbound call.
+
+interface FetchHandlers {
+  /** Response for POST to the SA's `token_uri`. */
+  token?: (req: { url: string, init?: RequestInit }) => Response | Promise<Response>
+  /** Response for POST to `applications/{pkg}/edits`. */
+  insert?: (req: { url: string, init?: RequestInit }) => Response | Promise<Response>
+  /** Response for DELETE to `applications/{pkg}/edits/{editId}`. */
+  delete?: (req: { url: string, init?: RequestInit }) => Response | Promise<Response>
+}
+
+interface FetchCalls {
+  token: number
+  insert: number
+  delete: number
+}
+
+function makeMockFetch(handlers: FetchHandlers): { fetch: typeof fetch, calls: FetchCalls } {
+  const calls: FetchCalls = { token: 0, insert: 0, delete: 0 }
+  const fetchImpl: typeof fetch = async (url, init) => {
+    const urlStr = typeof url === 'string' ? url : (url as URL).toString()
+    if (urlStr.includes('oauth2.googleapis.com/token') || /\btoken$/.test(urlStr)) {
+      calls.token++
+      if (!handlers.token)
+        throw new Error(`Unexpected token request: ${urlStr}`)
+      return handlers.token({ url: urlStr, init })
+    }
+    if (/\/edits\/[^/]+$/.test(urlStr) || (init?.method === 'DELETE' && urlStr.includes('/edits/'))) {
+      calls.delete++
+      if (!handlers.delete)
+        throw new Error(`Unexpected delete request: ${urlStr}`)
+      return handlers.delete({ url: urlStr, init })
+    }
+    if (urlStr.endsWith('/edits') || urlStr.includes('/edits')) {
+      calls.insert++
+      if (!handlers.insert)
+        throw new Error(`Unexpected insert request: ${urlStr}`)
+      return handlers.insert({ url: urlStr, init })
+    }
+    throw new Error(`Unexpected URL in mock fetch: ${urlStr}`)
+  }
+  return { fetch: fetchImpl, calls }
+}
+
+const goodTokenResponse = () => new Response(
+  JSON.stringify({ access_token: 'fake-token', expires_in: 3600, token_type: 'Bearer' }),
+  { status: 200, headers: { 'Content-Type': 'application/json' } },
+)
+
+// ─── parseServiceAccountKey (synchronous shape checks) ──────────────
+
+describe('parseServiceAccountKey', () => {
+  it('parses a valid service account JSON', () => {
+    const key = parseServiceAccountKey(buildSaJson())
+    expect(key.client_email).toBe(TEST_SA_EMAIL)
+    expect(key.project_id).toBe(TEST_PROJECT_ID)
+    expect(key.token_uri).toBe('https://oauth2.googleapis.com/token')
+  })
+
+  it('throws on malformed JSON', () => {
+    expect(() => parseServiceAccountKey(Buffer.from('not json'))).toThrow(/not valid JSON/)
+  })
+
+  it('throws when `type` is not "service_account"', () => {
+    const buf = Buffer.from(JSON.stringify({ type: 'authorized_user', client_email: 'x', private_key: 'y', project_id: 'z', token_uri: 'u' }))
+    expect(() => parseServiceAccountKey(buf)).toThrow(/not a service account key/)
+  })
+
+  it('throws on missing private_key', () => {
+    const buf = buildSaJson({ private_key: undefined })
+    // JSON.stringify drops undefined keys, so the field is genuinely missing
+    expect(() => parseServiceAccountKey(buf)).toThrow(/missing required field "private_key"/)
+  })
+
+  it('throws on empty client_email', () => {
+    const buf = buildSaJson({ client_email: '' })
+    expect(() => parseServiceAccountKey(buf)).toThrow(/missing required field "client_email"/)
+  })
+})
+
+// ─── validateServiceAccountJson — failure modes ────────────────────
+
+describe('validateServiceAccountJson — shape errors', () => {
+  it('returns shape-error for malformed JSON', async () => {
+    const result = await validateServiceAccountJson({
+      jsonBytes: Buffer.from('garbage'),
+      packageName: TEST_PACKAGE,
+      fetchImpl: makeMockFetch({}).fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('shape-error')
+  })
+
+  it('returns shape-error when private_key is missing', async () => {
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson({ private_key: undefined }),
+      packageName: TEST_PACKAGE,
+      fetchImpl: makeMockFetch({}).fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.kind).toBe('shape-error')
+      expect(result.message).toMatch(/private_key/)
+    }
+  })
+
+  it('returns shape-error when type !== "service_account"', async () => {
+    const buf = Buffer.from(JSON.stringify({ type: 'user', client_email: 'x', private_key: 'y', project_id: 'z', token_uri: 'u' }))
+    const result = await validateServiceAccountJson({
+      jsonBytes: buf,
+      packageName: TEST_PACKAGE,
+      fetchImpl: makeMockFetch({}).fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('shape-error')
+  })
+})
+
+describe('validateServiceAccountJson — token exchange', () => {
+  it('returns token-error for 401 from token endpoint (credentials rejected)', async () => {
+    const { fetch } = makeMockFetch({
+      token: () => new Response(
+        JSON.stringify({ error: 'invalid_grant', error_description: 'Account disabled' }),
+        { status: 401, headers: { 'Content-Type': 'application/json' } },
+      ),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.kind).toBe('token-error')
+      expect(result.message).toMatch(/invalid_grant/)
+    }
+  })
+
+  it('returns network-error for 500 from token endpoint (transient)', async () => {
+    // 5xx must NOT be classified as a credential rejection — the user's key
+    // could be perfectly fine, Google is just having a moment. The recovery
+    // UI offers retry for network-error vs. "your key is bad" for token-error.
+    const { fetch } = makeMockFetch({
+      token: () => new Response('Internal Server Error', { status: 500 }),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('network-error')
+  })
+
+  it('returns network-error when token endpoint returns non-JSON (transient)', async () => {
+    const { fetch } = makeMockFetch({
+      token: () => new Response('<html>nginx error</html>', { status: 200 }),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('network-error')
+  })
+
+  it('returns network-error when token response is missing access_token', async () => {
+    const { fetch } = makeMockFetch({
+      token: () => new Response(
+        JSON.stringify({ expires_in: 3600 }), // no access_token
+        { status: 200, headers: { 'Content-Type': 'application/json' } },
+      ),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('network-error')
+  })
+
+  it('returns network-error when fetch itself rejects (DNS / offline)', async () => {
+    const fetchImpl: typeof fetch = async () => {
+      throw Object.assign(new Error('ENOTFOUND oauth2.googleapis.com'), { code: 'ENOTFOUND' })
+    }
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('network-error')
+  })
+})
+
+describe('validateServiceAccountJson — app-access probe', () => {
+  it('returns ok with email + projectId on the happy path', async () => {
+    const { fetch, calls } = makeMockFetch({
+      token: goodTokenResponse,
+      insert: () => new Response(
+        JSON.stringify({ id: 'edit-123', expiryTimeSeconds: '1' }),
+        { status: 200, headers: { 'Content-Type': 'application/json' } },
+      ),
+      delete: () => new Response(null, { status: 204 }),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(true)
+    if (result.ok) {
+      expect(result.serviceAccountEmail).toBe(TEST_SA_EMAIL)
+      expect(result.projectId).toBe(TEST_PROJECT_ID)
+    }
+    // Mirror of fastlane's auth path: insert + delete must both fire.
+    expect(calls.token).toBe(1)
+    expect(calls.insert).toBe(1)
+    expect(calls.delete).toBe(1)
+  })
+
+  it('returns no-app-access on 403 from edits.insert (SA not invited)', async () => {
+    const { fetch } = makeMockFetch({
+      token: goodTokenResponse,
+      insert: () => new Response(
+        JSON.stringify({ error: { code: 403, message: 'The caller does not have permission', status: 'PERMISSION_DENIED' } }),
+        { status: 403, headers: { 'Content-Type': 'application/json' } },
+      ),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok) {
+      expect(result.kind).toBe('no-app-access')
+      // The recovery UI surfaces these — the SA email AND the package name
+      // must both appear so the user knows exactly which invite to add.
+      if (result.kind === 'no-app-access')
+        expect(result.serviceAccountEmail).toBe(TEST_SA_EMAIL)
+      expect(result.message).toMatch(/com\.example\.app/)
+      expect(result.message).toMatch(TEST_SA_EMAIL)
+    }
+  })
+
+  it('returns no-app-access on 404 from edits.insert (wrong package)', async () => {
+    const { fetch } = makeMockFetch({
+      token: goodTokenResponse,
+      insert: () => new Response('Not Found', { status: 404 }),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('no-app-access')
+  })
+
+  it('returns network-error on 503 from edits.insert (transient Play API)', async () => {
+    const { fetch } = makeMockFetch({
+      token: goodTokenResponse,
+      insert: () => new Response('Service Unavailable', { status: 503 }),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('network-error')
+  })
+
+  it('returns ok even if cleanup DELETE fails (best-effort contract)', async () => {
+    // The draft edit auto-expires after 7 days regardless — losing the
+    // cleanup DELETE is a logged warning, not a failure. If we treated
+    // delete-failure as fatal, a transient Google blip on the second call
+    // would tell the user their key is bad. Wrong.
+    const { fetch } = makeMockFetch({
+      token: goodTokenResponse,
+      insert: () => new Response(
+        JSON.stringify({ id: 'edit-leaked', expiryTimeSeconds: '1' }),
+        { status: 200, headers: { 'Content-Type': 'application/json' } },
+      ),
+      delete: () => new Response('Internal Server Error', { status: 500 }),
+    })
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl: fetch,
+    })
+    expect(result.ok).toBe(true)
+  })
+})
+
+describe('validateServiceAccountJson — AbortSignal', () => {
+  it('returns network-error when signal is already aborted before token exchange', async () => {
+    const controller = new AbortController()
+    controller.abort()
+    // Mock fetch should never be called — we abort before reaching it.
+    let tokenFired = false
+    const fetchImpl: typeof fetch = async () => {
+      tokenFired = true
+      return new Response('{}')
+    }
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl,
+      signal: controller.signal,
+    })
+    expect(result.ok).toBe(false)
+    if (!result.ok)
+      expect(result.kind).toBe('network-error')
+    expect(tokenFired).toBe(false)
+  })
+
+  it('forwards the caller signal into fetch so mid-flight abort propagates', async () => {
+    let receivedSignal: AbortSignal | undefined
+    const controller = new AbortController()
+    const fetchImpl: typeof fetch = async (_url, init) => {
+      receivedSignal = init?.signal ?? undefined
+      return new Response(
+        JSON.stringify({ access_token: 'tok', expires_in: 3600, token_type: 'Bearer' }),
+        { status: 200, headers: { 'Content-Type': 'application/json' } },
+      )
+    }
+    // Don't abort — just verify the signal threads through. The
+    // fetchWithTimeout helper composes the caller signal with a per-request
+    // timeout signal, so what fetch receives is a composite, but it must
+    // exist.
+    const result = await validateServiceAccountJson({
+      jsonBytes: buildSaJson(),
+      packageName: TEST_PACKAGE,
+      fetchImpl,
+      signal: controller.signal,
+      // Short timeout so the test doesn't hang if something regresses.
+      timeoutMs: 5000,
+    })
+    // The insert call wasn't mocked — validation will error out as network.
+    // We only care that the signal made it into the first fetch.
+    expect(receivedSignal).toBeDefined()
+    expect(result.ok).toBe(false)
+  })
+})