Validating receipts with the App Store
Verify transactions with the App Store on a secure server.
Overview
An App Store receipt is a binary encrypted file signed with an Apple certificate. To read the contents of the encrypted file, you need to pass it through the verifyReceipt endpoint. The endpoint’s response includes a readable JSON body. Communication with the App Store is structured as JSON dictionaries, as defined in RFC 4627. Binary data is Base64-encoded, as defined in RFC 4648. Validate receipts with the App Store through a secure server. For information on establishing a secure network connection with the App Store, see Preventing Insecure Network Connections.
Fetch the receipt data
The app receipt is always present in the production environment on devices running macOS, iOS, and iPadOS. The app receipt is also always present in TestFlight on devices running macOS. In the sandbox environment and in StoreKit Testing in Xcode, the app receipt is present only after the tester makes the first in-app purchase. If the app calls SKReceiptRefreshRequest or restoreCompletedTransactions(), the app receipt is present only if the app has at least one in-app purchase.
To retrieve the receipt data from the app on the device, use the appStoreReceiptURL method of Bundle to locate the app’s receipt, and encode the data in Base64. Send this Base64-encoded data to your server.
Send the receipt data to the App Store
On your server, create a JSON object with the receipt-data, password, and exclude-old-transactions keys detailed in requestBody.
Submit this JSON object as the payload of an HTTP POST request. Use the test environment URL https://sandbox.itunes.apple.com/verifyReceipt when testing your app in the sandbox and while your app is in review. Use the production URL https://buy.itunes.apple.com/verifyReceipt when your app is live in the App Store. For more information, see verifyReceipt.
Parse the response
The App Store’s response payload is a JSON object that contains the keys and values detailed in responseBody.
The in_app array contains the non-consumable, non-renewing subscription, and auto-renewable subscription items that the user previously purchased. Check the values in the response for these in-app purchase types to verify transactions as needed.
For auto-renewable subscription items, parse the response to get information about the currently active subscription period. When you validate the receipt for a subscription, latest_receipt contains the latest encoded receipt, which is the same as the value for receipt-data in the request, and latest_receipt_info contains all the transactions for the subscription, including the initial purchase and subsequent renewals, but not including any restores.
You can use these values to check whether an auto-renewable subscription has expired. Use these values along with the expiration_intent subscription field to get the reason for expiration.