Validating In-App Purchase

The App Store and Google Play services provide a mechanism for validating the authenticity of an in-app purchase. It is used as a protection measure against fraudulent transactions. The receipt (iOS) or token (Android) becomes available in the app after the first in-app purchase and, depending on the platform, can be validated using the API described below.

iOS Receipt Validation

Method

POST

Endpoint URL

Important

Make sure to replace xxxx in the domain name in the sample requests below with the one assigned to your application.

This route forwards all requests to https://buy.itunes.apple.com/verifyReceipt.

POST https://xxxx.backendless.app/commerce/apple/verifyReceipt

Request Headers

None.

Request Body

The request body must be a JSON object containing string values:

{  
  "receipt-data": String,  
  "password": String,  
  "exclude-old-transactions": Boolean  
}

where:

Argument                  Description
receipt-data              The Base64-encoded receipt data.
password                  The app’s shared secret which is a hexadecimal string.
exclude-old-transactions  Set this value to true if you want to include only the latest renewal transactions for any subscription. Use this parameter only if a receipt contains auto-renewable subscriptions.

In case you want to fetch the receipt-data, we recommend reading this material.

To generate a password (shared secret), navigate to the following document.

Response Body

Returns an HTTP Status code as an integer value, and also an object with the receipt contents.

{  
  "httpCode": int,  
  "body": Nested JSON object  
}

where:

Argument   Description
httpCode   An HTTP status code, which indicates the final execution status of the method.
body       A JSON representation of the receipt that was sent for verification.

Android Receipt Validation


Method

GET

Endpoint URL

Important

Make sure to replace xxxx in the domain name in the sample requests below with the one assigned to your application.

GET https://xxxx.backendless.app/commerce/googleplay/validate/[packageName]/inapp/[productId]/purchases/[token]

where:

Argument       Description
[packageName]  A package name of the application associated with an active in-app subscription purchase (for example, 'com.some.thing').
[productId]    ID of the purchased subscription (for example, 'com.some.thing.monthly001' - where monthly001 is the ID).
[token]        A token provided to the application after the subscription purchase.

Request Headers

None.

Request Body

None.

Response Body

Returns a GooglePlayPurchaseStatus object containing subscription details:

{  
  "kind": string,  
  "purchaseTimeMillis": long,  
  "purchaseState": int,  
  "consumptionState": int,  
  "developerPayload": string  
}

where:

Argument            Description
kind                Represents the inappPurchase object in the androidpublisher service.
purchaseTimeMillis  Time when a subscription was purchased. Time is measured in milliseconds passed since the Unix epoch (1 January 1970 00:00:00 UT).
purchaseState       The purchase state of the order, where: 0 - Purchased, 1 - Canceled, 2 - Pending.
consumptionState    The consumption state of the order, where: 0 - Yet to be consumed, 1 - Consumed.
developerPayload    A developer-specified string that contains information about an order.
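
The checks a backend would apply to the two responses described on this page, as an added example that is not Backendless's own code: it percent-encodes the client-supplied path segments of the Google Play route and fails closed on anything other than a purchased state. The function names and sample responses are constructed here, and it assumes that body carries Apple's verifyReceipt reply, whose integer status field is 0 only for a valid receipt.

```python
import json
from urllib.parse import quote

BASE = "https://xxxx.backendless.app"  # replace xxxx with your application's domain

def _is_zero(v):
    """True only for the integer 0 (rejects None, "0", False, 0.0)."""
    return type(v) is int and v == 0

def google_validate_url(package_name, product_id, token, base=BASE):
    """Build the GET URL, percent-encoding each client-supplied path segment
    so a crafted value cannot add path components or a query string."""
    parts = (package_name, product_id, token)
    if any(not isinstance(p, str) or p in ("", ".", "..") for p in parts):
        raise ValueError("empty or dot-only path segment")
    pkg, prod, tok = (quote(p, safe="") for p in parts)
    return f"{base}/commerce/googleplay/validate/{pkg}/inapp/{prod}/purchases/{tok}"

def google_purchase_valid(status, require_unconsumed=False):
    """Fail closed: accept only purchaseState 0 (Purchased)."""
    if not isinstance(status, dict) or not _is_zero(status.get("purchaseState")):
        return False
    # For consumable products, refuse a purchase that was already consumed.
    return _is_zero(status.get("consumptionState")) if require_unconsumed else True

def apple_receipt_valid(response):
    """Check the {"httpCode", "body"} wrapper. Assumption: body is Apple's
    verifyReceipt reply, whose integer "status" is 0 only for a valid receipt."""
    if not isinstance(response, dict) or response.get("httpCode") != 200:
        return False
    body = response.get("body")
    return isinstance(body, dict) and _is_zero(body.get("status"))

# Constructed sample responses (not captured from a real service).
PURCHASED = json.loads('{"purchaseState": 0, "consumptionState": 0}')
PENDING = json.loads('{"purchaseState": 2, "consumptionState": 0}')

if __name__ == "__main__":
    print(google_validate_url("com.some.thing", "monthly001", "tok/../x?y=1"))
    print(google_purchase_valid(PURCHASED), google_purchase_valid(PENDING))
    print(apple_receipt_valid({"httpCode": 200, "body": {"status": 21002}}))
```

Run these checks on your own server after calling the validation route, and grant the entitlement only when they return True; a result computed inside the app can be altered by the device owner.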