android & ios

In-app Purchase Receipt Validation API

"Customers don't measure you on how hard you tried. They measure you on what you deliver."

In-app purchase receipt validation is the process of verifying the authenticity and validity of a user's in-app purchase receipt. When a user makes a purchase within your app, the platform (such as Apple's App Store or Google Play) generates a receipt that contains information about the purchase, such as the product ID, transaction ID, and purchase date.

In order to prevent fraud and ensure that the user has actually made a valid purchase, it's important to validate the receipt before granting access to the purchased content or features. This validation process typically involves sending the receipt data to the corresponding platform's server for verification, and receiving a response indicating whether the receipt is valid or not.

In some cases, the app's server may also perform additional validation checks to ensure that the receipt is not fraudulent or tampered with. These checks may include verifying the signature of the receipt, checking that the receipt corresponds to a valid user account, and verifying that the receipt has not been reused or duplicated.

Validating in-app purchase receipts also helps to protect your app from hackers and other malicious actors who may attempt to bypass your app's payment system or make unauthorized purchases. It is a crucial step in ensuring the integrity and security of your app's financial transactions.


How In-App Purchase Receipt Validation Works

Validating in-app purchase receipts on your own server is a critical task: it needs regular maintenance and an experienced developer team to implement it. Normally you can use Apple's StoreKit API or Google's Play Billing Library API from multiple server-side languages, depending on the platform your app is running on. Here is an overview of the steps involved when you validate an in-app purchase receipt on your own:

For Apple StoreKit API:

  • Obtain the base64-encoded receipt data from the app.
  • Send the receipt data to the App Store server for validation using Apple's StoreKit API.
  • Apple's server will respond with a JSON object containing the validation result.
  • Parse the JSON response to extract the relevant information, such as the status of the purchase and the product ID.
  • Use the information to update your app's server-side database to reflect the purchase status.

For Google Play Billing Library API:

  • Obtain the purchase token from the app.
  • Send the purchase token to the Google Play server for validation using Google's Play Billing Library API.
  • Google's server will respond with a JSON object containing the validation result.
  • Parse the JSON response to extract the relevant information, such as the status of the purchase and the product ID.
  • Use the information to update your app's server-side database to reflect the purchase status.

To use these APIs, you will need to authenticate with the app store's server using a secret key or access token. You will also need to handle any errors that may occur during the validation process and take appropriate action, such as retrying the validation or alerting the user of the issue.


Why Choose Our in-App Purchase Validation API?

Easy integration

Our API can be easier to integrate into your app than building your own in-app purchase validation system from scratch. This can save time and resources, and help you get your app to market faster.

Security

Our in-app purchase validation APIs often have robust security measures in place to protect against fraud and unauthorized purchases. This can help protect your app and your users from potential security risks.

Accuracy

Our in-app purchase validation APIs are often highly accurate, which can help ensure that you are receiving the correct payment for your products and that users are receiving the content they have paid for.

Support

We offer support and resources to help you integrate our in-app purchase receipt validation API into your app and troubleshoot any issues that may arise. You can connect with us through Live chat, Email, or Call.

No Maintenance Required

You don't need to hire an experienced developer team or follow the App Store guidelines yourself. We have a team that does both, which saves you the cost.

Your API Authentication Key

We use API keys to authenticate all requests. You can view and manage your API keys on the My Account -> My APIs Center page. Your API keys can be used to access all of our APIs, so be sure to keep them secure. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

                                                    
    XXXX-XXXX-XXXX-XXXX (login to see your free API Key)

Sign up and activate the free trial plan to try our APIs. See Trial Plan.

API Base URL and Endpoints

The API Base URL serves as the foundation or root of the API's endpoints. It represents the common prefix shared by all API endpoints. An Endpoint URL represents a specific operation or resource provided by the API. It is appended to the API Base URL to form a complete URL for a particular API call.


Base URL:

    https://zerosack.org/marketplace/apis/v1

Endpoint for iOS in-App Purchase Validation:

    POST /ios_iap_validation

Endpoint for Android in-App Purchase Validation:

    POST /android_iap_validation

API Request Method POST

This API uses the HTTP POST method to get data from our server. All API requests must be made over HTTPS ("S" stands for secure). Calls made over plain HTTP or without an authentication key will not be allowed.

Request Parameters

An API endpoint is a URL (Uniform Resource Locator) that is used to access a specific resource on a web server. API endpoints are the URLs that clients use to interact with a web API, and they typically consist of a base URL followed by a path that identifies a specific resource or action.

For iOS in-app purchase validation

Parameter (required or optional): Description

  • key (required): Your authentication API key, used to request data from our servers. This parameter is mandatory; without it the request will fail. Go to API Key.
  • app_id (required): The App ID you receive by registering your app with us on the "My API Center" page in your ZNPL account. You need to store the App-Specific Apple Shared Secret key when registering your app with us. To get the Apple shared secret key for your in-app purchase validation, See Guidelines Here. You can then go to the IAP Validation API App Registration section on the "My APIs Center" page to register your app with us.
  • receipt (required): In-app purchase receipt data (as a base64 string). You will receive this purchase receipt whenever a user makes an in-app purchase in your app. To validate it you can either store it in the database against the user account or use it directly.
  • sandbox (optional): Selects the testing environment: true | false. Use this parameter if you are making iOS in-app purchases with a test device and a test Apple ID. Default: false.

For android in-app purchase validation

Parameter (required or optional): Description

  • key (required): Your authentication API key, used to request data from our servers. This parameter is mandatory; without it the request will fail. Go to API Key.
  • app_id (required): The App ID you receive by registering your app with us on the "My API Center" page in your ZNPL account. You need to store the Google Service Account JSON file when registering your app. To set up a Google service account and download the JSON file used to validate in-app purchases, See Guidelines Here. You can then go to the IAP Validation API App Registration section on the "My APIs Center" page to register your app with us.
  • app_package_name (required): Your app's package name. You can find it in the Android manifest file. E.g. com.example.myapp
  • app_product_id (required): The in-app purchase product ID, found in the Google Play Console or on your app's in-app purchase product list page. E.g. MY_APP_Plan1
  • purchase_token (required): The in-app purchase token, which is the equivalent of the receipt data on iOS. You will receive this purchase token whenever a user makes an in-app purchase in your app. To validate it you can either store it in the database against the user account or use it directly.

Example Post Data for iOS Receipt Validation (in JSON format)

    {
        "key": "XXXX-XXXX-XXXX-XXXX (login to see your free API Key)",
        "app_id": "IAPVAAID0803xxxxxxxxxxx",
        "receipt": "<base64-encoded receipt data>"
    }
                                                    
                                                

Example Post Data for Android Receipt Validation (in JSON format)

    {
        "key": "XXXX-XXXX-XXXX-XXXX (login to see your free API Key)",
        "app_id": "IAPVAAID0803xxxxxxxxxxx",
        "app_package_name": "com.example.appname",
        "app_product_id": "ue_subs_01",
        "purchase_token": "filbliildempeeooncnodpok.AO-J1OxCVlz2W5UXupxrhQVLgHGJCDjyjT3IAb-M-8sEriFj9-8HrqPu0S3Us6tmKTPuX8uiCHhOlX6qN97hL_3sZSVR2X3-_MgK0K8LSSMhHTbKfbYCBvA"
    }
                                                    
                                                

Response Format

API response format refers to the format in which data is returned from an API endpoint after a request is made. We use JSON for API response data. JSON (JavaScript Object Notation) is a lightweight data interchange format that is easy to read and write. It is widely used for API response data because it is easy to parse and manipulate in many programming languages.

Example Response

For iOS in-app purchase validation (if success)

                                                    
    {
        "status": 1,
        "status_message": "success",
        "body": {
            "last_purchase_receipt_data": {
                "original_purchase_date_pst": "2012-04-30 08:05:55 America/Los_Angeles",
                "original_transaction_id": "1000000046178817",
                "original_purchase_date_ms": "1335798355868",
                "transaction_id": "1000000046178817",
                "quantity": "1",
                "product_id": "com.mindmobapp.download",
                "bvrs": "20120427",
                "purchase_date_ms": "1335798355868",
                "purchase_date": "2012-04-30 15:05:55 Etc/GMT",
                "original_purchase_date": "2012-04-30 15:05:55 Etc/GMT",
                "purchase_date_pst": "2012-04-30 08:05:55 America/Los_Angeles",
                "bid": "com.mindmobapp.MindMob",
                "item_id": "521129812"
            },
            "full_receipt_data": {
                "original_purchase_date_pst": "2012-04-30 08:05:55 America/Los_Angeles",
                "original_transaction_id": "1000000046178817",
                "original_purchase_date_ms": "1335798355868",
                "transaction_id": "1000000046178817",
                "quantity": "1",
                "product_id": "com.mindmobapp.download",
                "bvrs": "20120427",
                "purchase_date_ms": "1335798355868",
                "purchase_date": "2012-04-30 15:05:55 Etc/GMT",
                "original_purchase_date": "2012-04-30 15:05:55 Etc/GMT",
                "purchase_date_pst": "2012-04-30 08:05:55 America/Los_Angeles",
                "bid": "com.mindmobapp.MindMob",
                "item_id": "521129812"
            }
        }
    }
                                                    
                                                

For Android in-app purchase validation (if success)

                                                    
    // Consumable (non-auto renewing) Purchases Response.
    {
        "status": 1,
        "status_message": "success",
        "body": {
            "kind": "androidpublisher#productPurchase",
            "purchaseTimeMillis": long,
            "purchaseState": integer,
            "consumptionState": integer,
            "developerPayload": string
        }
    }

    // Subscriptions Purchases Response. Note that startTimeMillis and expiryTimeMillis will be subject to change depending on the duration of the subscription.
    {
        "status": 1,
        "status_message": "success",
        "body": {
            "kind": "androidpublisher#subscriptionPurchase",
            "startTimeMillis": long,
            "expiryTimeMillis": long,
            "autoRenewing": boolean
        }
    }
                                                    
                                                

A successful response carries "status": 1, and the call counts as 1 API credit call/request. On failure or in any other condition you will receive "status": 0, and the call counts as 0 API credit calls/requests.
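The additional server-side checks described earlier (the receipt belongs to your app and product, is tied to a user account, and has not been reused) applied to the response formats above. This is an added example, not code from the original page or from the API provider; the ledger table, function names and user IDs are assumptions.

```python
import sqlite3
import time


class RejectedPurchase(Exception):
    """The validation response must not unlock anything."""


def open_ledger(path=":memory:"):
    # One row per redeemed purchase; the primary key enforces single use.
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS redeemed (platform TEXT, purchase_ref TEXT,"
        " user_id TEXT, product TEXT, PRIMARY KEY (platform, purchase_ref))"
    )
    return db


def _redeem(db, platform, purchase_ref, user_id, product):
    """Return True on first redemption, False on a repeat by the same user."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO redeemed VALUES (?, ?, ?, ?)",
                       (platform, purchase_ref, user_id, product))
        return True
    except sqlite3.IntegrityError:
        row = db.execute(
            "SELECT user_id FROM redeemed WHERE platform = ? AND purchase_ref = ?",
            (platform, purchase_ref)).fetchone()
        if row[0] != user_id:
            raise RejectedPurchase("purchase already redeemed by another account")
        return False  # idempotent retry: do not grant a second time


def _require_success(resp):
    # Anything other than "status": 1 is treated as a failed validation.
    if not isinstance(resp, dict) or resp.get("status") != 1:
        msg = resp.get("status_message") if isinstance(resp, dict) else "malformed"
        raise RejectedPurchase("validation failed: %s" % msg)
    return resp.get("body") or {}


def accept_ios(db, user_id, resp, bundle_id, allowed_products):
    receipt = _require_success(resp).get("last_purchase_receipt_data") or {}
    if receipt.get("bid") != bundle_id:
        raise RejectedPurchase("receipt was issued for a different app")
    if receipt.get("product_id") not in allowed_products:
        raise RejectedPurchase("product is not sold by this app")
    txn = receipt.get("transaction_id")
    if not txn:
        raise RejectedPurchase("receipt has no transaction_id")
    return _redeem(db, "ios", txn, user_id, receipt["product_id"])


def accept_android_subscription(db, user_id, resp, purchase_token,
                                product_id, now_ms=None):
    body = _require_success(resp)
    if body.get("kind") != "androidpublisher#subscriptionPurchase":
        raise RejectedPurchase("not a subscription purchase")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if int(body.get("expiryTimeMillis", 0)) <= now_ms:
        raise RejectedPurchase("subscription has expired")
    # The sample response carries no order id, so the token that was sent
    # for validation serves as the single-use reference.
    return _redeem(db, "android", purchase_token, user_id, product_id)


# Constructed sample, trimmed from the iOS success response shown above.
SAMPLE_IOS = {
    "status": 1, "status_message": "success",
    "body": {"last_purchase_receipt_data": {
        "transaction_id": "1000000046178817",
        "product_id": "com.mindmobapp.download",
        "bid": "com.mindmobapp.MindMob"}},
}

if __name__ == "__main__":
    ledger = open_ledger()
    args = ("com.mindmobapp.MindMob", {"com.mindmobapp.download"})
    print(accept_ios(ledger, "user-1", SAMPLE_IOS, *args))  # first redemption
    print(accept_ios(ledger, "user-1", SAMPLE_IOS, *args))  # retry, no new grant
    try:
        accept_ios(ledger, "user-2", SAMPLE_IOS, *args)
    except RejectedPurchase as exc:
        print("rejected:", exc)
```

Grant the content only when the function returns True; a False return means the same account has already been credited for this purchase.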

Sample Code

You can use our API with any programming language that can make HTTP POST requests. Here are some sample code snippets for making a POST request to an API endpoint in multiple programming languages:

JavaScript:

    // Run this on your server (for example Node.js 18+), not in client-side
    // code, so that the API key is never shipped to users.
    var myHeaders = new Headers();
    myHeaders.append("Content-Type", "application/json");

    // Request body: the iOS parameters documented above.
    var postData = JSON.stringify({
        "key": "XXXX-XXXX-XXXX-XXXX (login to see your free API Key)",
        "app_id": "IAPVAAID0803xxxxxxxxxxx",
        "receipt": "<base64-encoded receipt data>"
    });

    var requestOptions = {
        method: "POST",
        headers: myHeaders,
        body: postData
    };

    fetch("https://zerosack.org/marketplace/apis/v1/ios_iap_validation", requestOptions)
        .then(response => response.json())
        .then(result => console.log(result))
        .catch(error => console.log("error", error));
                                                                 
                                                            
                                                        
                                                            
                                                                
PHP:

    $curl = curl_init();

    // Request body: the iOS parameters documented above.
    $postData = json_encode(
        [
            "key" => "XXXX-XXXX-XXXX-XXXX (login to see your free API Key)",
            "app_id" => "IAPVAAID0803xxxxxxxxxxx",
            "receipt" => "<base64-encoded receipt data>"
        ]
    );

    curl_setopt_array($curl, array(
        CURLOPT_URL => "https://zerosack.org/marketplace/apis/v1/ios_iap_validation",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_POSTFIELDS => $postData,
        CURLOPT_HTTPHEADER => array("Content-Type: application/json"),
    ));

    $response = curl_exec($curl);

    curl_close($curl);
    echo $response;
                                                                 
                                                            
                                                        
                                                            
                                                                
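Python:

    import requests
    import json

    url = "https://zerosack.org/marketplace/apis/v1/ios_iap_validation"

    # Request body: the iOS parameters documented above.
    payload = json.dumps({
        "key": "XXXX-XXXX-XXXX-XXXX (login to see your free API Key)",
        "app_id": "IAPVAAID0803xxxxxxxxxxx",
        "receipt": "<base64-encoded receipt data>"
    })

    headers = {"Content-Type": "application/json"}

    # A timeout keeps a stalled connection from hanging the caller.
    response = requests.request("POST", url, headers=headers, data=payload, timeout=30)

    print(response.text)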
                                                                 
                                                            
                                                        
                                                            
                                                                
C#:

    var client = new HttpClient();
    var request = new HttpRequestMessage(HttpMethod.Post, "https://zerosack.org/marketplace/apis/v1/ios_iap_validation");
    // No session cookie is sent: requests are authenticated by the "key" field only.
    // Request body: the iOS parameters documented above.
    var content = new StringContent("{\r\n    \"key\": \"XXXX-XXXX-XXXX-XXXX (login to see your free API Key)\",\r\n    \"app_id\": \"IAPVAAID0803xxxxxxxxxxx\",\r\n    \"receipt\": \"<base64-encoded receipt data>\"\r\n}", null, "application/json");
    request.Content = content;
    var response = await client.SendAsync(request);
    response.EnsureSuccessStatusCode();
    Console.WriteLine(await response.Content.ReadAsStringAsync());
                                                                 
                                                            
                                                        

You can also use the Postman platform, which enables you to create mock servers to assist with API development and testing. A mock server simulates the behavior of a real API server by accepting requests and returning responses. By adding a mock server to your collection and adding examples to your requests, you can simulate the behavior of a real API.

Do you Need Help? Contact us.

Disclaimer: This API is provided "as is" without warranty of any kind. If you have an issue, feedback or a bug report regarding it, you can reach out to us.

Apple App Store

Generating an App-Specific Shared Secret

The App-Specific Shared Secret allows our API to connect with Apple on your behalf.

Steps:

  1. Log in to App Store Connect
  2. Navigate to "My Apps" and select your app.
  3. Select "App Information" under the "General" section from the left side menu.
  4. Select "Manage" under the App-Specific Shared Secret section on the right side.
  5. Generate and copy your shared secret.
  6. Now you can use this shared secret key in the IAP Validation API App Registration section on the "My APIs Center" page to register your app with us.

Google Play and Cloud Account

Creating Google Service Account

In order for our API servers to communicate with Google on your behalf, you need to provide a set of google service account credentials. The process for configuring these credentials is a bit complex.

Steps:

  1. Log in to your Google Play Console Account. Your Google Play Developer account needs to be linked to a Google Cloud Project.
  2. Open the Setup dropdown in the sidebar menu and select API access.
  3. Select Link to connect your Google Play account to a Google Cloud Project.
  4. Agree to the terms and conditions.
  5. Next we need to create a service account. This is done from the Google Play Console. Select Create new service account on the Play Console "API access" page, under the "Credentials" section.
  6. Follow the link to the Google Cloud Console.
  7. Create the service account key credentials.
  8. Name the service account and add a Pub/Sub Admin Role.

    These are the credentials that our API Server will need to communicate with Google. After filling in the details, select Create and Continue.

    Add two Roles:

    • Pub/Sub Admin
    • Monitoring Viewer
  9. You can skip the optional third step, Grant users access to this service account, by selecting Done.
  10. Create and download the public key: In the Google Cloud Console, select Actions > Manage keys.
  11. Select ADD KEY > Create new key.
  12. Make sure JSON is selected and select Create to create and download the JSON key.
  13. You are all done with the Google Cloud Console. Now switch back to the Google Play Console and select Grant access for the newly created service account. If you do not see the service account you created, try refreshing the page.
  14. Grant the following permissions:
    • View app information and download bulk reports (read-only)
    • View financial data, orders, and cancellation survey responses
    • Manage orders and subscriptions
  15. Select Invite User at the bottom of the page and send the invite. You will be redirected to the Users and Permissions page, where you should see your newly created service account as Active.
  16. Apply permissions to your apps: In the Users and Permissions section, select the service account and add your apps to the account. Select Apply on the sheet that appears.

    Important: Don't forget to Save Changes after applying the permissions!

  17. The downloaded JSON key file (generated in step-13) is what you will need to upload when registering the app in the IAP Validation API App Registration section on the My APIs Center page.