Tech Hub

A Developer’s Guide to Verify In-App Purchase

May 15, 2022

Posted by: Rahul Upadhyay

A Developer’s Guide to Verify In-App Purchase

Disclaimer: Helpful document for the coder.

Objective

Verify In-App purchase/subscription from Google Play Store and Apple Store

Requirements

  1. Apple IAP Verification: Apple shared secret
  2. Google IAP Verification: Service Account Key file (JSON file)
  3. Key factors: Expertise & Patience 

RESTful APIs

Purchase subscription/product

This will be the first API call from the mobile app to send the purchase details to the backend.

Parameters

item_id

string
Subscription package or Product package.

receipt

string

iPhone should pass the receipt_data and the Android should pass the purchase_token

platform

string

Either “google” or “apple”

is_renewable

int

Optional parameter for Android only. iPhone devices can skip this parameter.

1 = True, 0 = False

Now, let’s understand the flow by following the sequence diagram

 

Verify Purchase

This will be another API call from the mobile app to verify the purchase period and the Backend is checking this on daily basis with the CRON (The CRON is a software utility, offered by a Linux-like operating system that automates the scheduled task at a predetermined time.)

 

Now, let’s understand the flow by following the sequence diagram:

Verify on Google

When the “platform” is “google”, the backend needs to verify the purchase token stored in the key “receipt”. To do so, the backend team needs the Service Account JSON file to communicate with the Google Play Developer API. To get the purchased details and to verify it, you have to check, if you are checking for product purchase or subscription purchase.

Requirements:
 
purchases.products

Note: The URL uses gRPC Transcoding syntax. 

Checks the purchase and consumption status of an in-app item.

HTTP request
GET https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/purchases/products/{productId}/tokens/{purchaseToken}?access_token={accessToken}
 
purchases.subscriptions

Checks whether a user's subscription purchase is valid and returns its expiry time.

HTTP request
GET https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/purchases/subscriptions/{subscriptionId}/tokens/{purchaseToken}?access_token={accessToken}

Parameters

packageName

string
The package name of the application the in-app product was sold in (for example, 'com.devdigital.app').

productId

string

The package name of the application the in-app product was sold in (e.g., 'com.devdigital.app.tier1.package1').

subscriptionId

string

The purchase subscription id (e.g., 'com.devdigital.app.tier1.monthly')

purchaseToken

string

The purchase token stored in the database by the user

accessToken

string

The access token generated with OAuth Steps

This is what subscription response looks like, 

Verify on Apple

When the “platform” is “apple”, the backend needs to verify the receipt-data stored in the key “receipt”.

Requirements:

  • Apple Shared Secret | How to get one? Please refer to this document
 
verifyReceipt

Send a receipt to the App Store for verification HTTP requests.

HTTP request 
Sandbox URL: https://sandbox.itunes.apple.com/verifyReceipt
Production URL: https://buy.itunes.apple.com/verifyReceipt

Method: POST
HTTP Body: requestBody
Response Codes:
200 - responseBody

References

Apple IAP verification:
  1. Sandbox API endpoint: https://sandbox.itunes.apple.com/verifyReceipt
  2. Production API endpoint:  https://buy.itunes.apple.com/verifyReceipt
Google IAP verification:
  1. OAuth URL: https://accounts.google.com/o/oauth2/token
  2. Scope: https://www.googleapis.com/auth/androidpublisher
  3. Android Product Purchase URL: https://www.googleapis.com/androidpublisher/v3/applications/{app_package_name}/purchases/products/{subscription_package_id}/tokens/{purchase_token}?access_token={service_account_access_token}
    • Here service account access token should be derived from the OAuth URL and Scope. The service account key file (.json) have all the necessary details.
  4. Android Subscription Purchase URL: https://www.googleapis.com/androidpublisher/v3/applications/{app_package_name}/purchases/subscriptions/{subscription_package_id}/tokens/{purchase_token}?access_token={service_account_access_token} 
more...

Share this


Back