A Developer's Guide to verify In-App purchase

Disclaimer: Helpful document for the coder

This document is providing the API calls needed from the mobile device to verify the purchase from the respective stores. The RESTful API will connect with the respective store and verify the purchase, update the user data and will provide the necessary response to the user call.

We are going to verify the receipt data from the Apple Store and the purchase token from the Google Play Store. Both stores provide steps to verify/get details of the transaction but this document comes in handy and provides action plans for the mobile app developer and the backend team.

Objective

Verify In-App purchase/subscription from Google Play Store and Apple Store

Requirements

Apple IAP Verification: Apple shared secret
Google IAP Verification: Service Account Key file (JSON file)
Key factors: Expertise & Patience

RESTful APIs

Purchase subscription/product

This will be the first API call from the mobile app to send the purchase details to the backend.


	Parameters
	item_id	string Subscription package or Product package.
	receipt	string iPhone should pass the receipt_data and the Android should pass the purchase_token
	platform	string Either “google” or “apple”
	is_renewable	int Optional parameter for Android only. iPhone devices can skip this parameter. 1 = True, 0 = False - 1 indicates that it’s a subscription package - 0 indicates that it’s a product package

Sequence diagrams

Verify Purchase

This will be another API call from the mobile app to verify the purchase period and the Backend is checking this on daily basis with the CRON (The CRON is a software utility, offered by a Linux-like operating system that automates the scheduled task at a predetermined time.)

Sequence diagram

Verify on Google

When the “platform” is “google”, the backend needs to verify the purchase token stored in the key “receipt”. To do so, the backend team needs the Service Account JSON file to communicate with the Google Play Developer API. To get the purchased details and to verify it, you have to check, if you are checking for product purchase or subscription purchase.

Requirements:

Service Account JSON file | How to get one? Please refer to Google Play Developer API: How to Create a Service Account.
Authorization Scope: Requires the following OAuth scope to verify purchases.products or purchases.subscriptions:

purchases.products

Checks the purchase and consumption status of an in-app item.

HTTP Request
GET https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/purchases/products/{productId}/tokens/{purchaseToken}?access_token={accessToken}

The URL uses gRPC Transcoding syntax.

purchases.subscriptions

Checks whether a user's subscription purchase is valid and returns its expiry time.

HTTP Request
GET
https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/purchases/subscriptions/{subscriptionId}/tokens/{purchaseToken}?access_token={accessToken}

The URL uses gRPC Transcoding syntax.

Parameters
packageName	string The package name of the application the in-app product was sold in (for example, 'com.devdigital.app').
productId	string The package name of the application the in-app product was sold in (e.g., 'com.devdigital.app.tier1.package1').
subscriptionId	string The purchase subscription id (e.g., 'com.devdigital.app.tier1.monthly')
purchaseToken	string The purchase token stored in the database by the user
accessToken	string The access token generated with OAuth Steps

Sample Response

Verify on Apple

When the “platform” is “apple”, the backend needs to verify the receipt-data stored in the key “receipt”.

Requirements:

Apple Shared Secret | How to get one? Please refer to help.apple.com/app-store-connect

verifyReceipt

Send a receipt to the App Store for verification HTTP requests.

HTTP Request
Sandbox URL: https://sandbox.itunes.apple.com/verifyReceipt
Production URL: https://buy.itunes.apple.com/verifyReceipt
Method: POST
HTTP Body: requestBody
Response Codes: 200 - responseBody

References

Apple IAP verification

Sandbox API endpoint: https://sandbox.itunes.apple.com/verifyReceipt
Production API endpoint: https://buy.itunes.apple.com/verifyReceipt

Google IAP verification

OAuth URL: https://accounts.google.com/o/oauth2/token
Scope: https://www.googleapis.com/auth/androidpublisher
Android Product Purchase URL: https://www.googleapis.com/androidpublisher/v3/applications/{app_package_name}/purchases/products/{subscription_package_id}/tokens/{purchase_token}?access_token={service_account_access_token}

Here service account access token should be derived from the OAuth URL and Scope. The service account key file (.json) have all the necessary details.

Android Subscription Purchase URL: https://www.googleapis.com/androidpublisher/v3/applications/{app_package_name}/purchases/subscriptions/{subscription_package_id}/tokens/{purchase_token}?access_token={service_account_access_token}

General

Google Play Developer API: How to Create a Service Account

Why am I reading this? Mobile applications are surrounded by so many modules in addition to that, the IN-APP Purchase and Subscriptions play a good amount of role, where you as an owner of the app, can generate revenue by selling consumable and non-consumable goods such as Coins for Games, Subscription plans for your app many things. Now, as you are selling some goods on your app, there must be a way to validate that purchase or get the details. But obviously, you can do it from the app itself as Google does provide SDK for the same. (SDK – Software Development Kit). But, we are living in a world where Android and iOS exist and in a very competitive market! Google Play Developer API gives us the power to check the user’s transaction from the RESTful APIs which leads you to read this blog. With the RESTful API, we can do this call from the BACKEND and leave the app standalone and do other stuff Offering Google Play Developer API lets you manage the two main components in your project Th...

Rahul Upadhyay

Search This Blog