Server-Side Receipt Validation for Mobile Purchases

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 1735 services
Server-Side Receipt Validation for Mobile Purchases
Complex
~2-3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_mobile-applications_feedme_467_0.webp
    Development of a mobile application for FEEDME
    756
  • image_mobile-applications_xoomer_471_0.webp
    Development of a mobile application for XOOMER
    624
  • image_mobile-applications_rhl_428_0.webp
    Development of a mobile application for RHL
    1052
  • image_mobile-applications_zippy_411_0.webp
    Development of a mobile application for ZIPPY
    947
  • image_mobile-applications_affhome_429_0.webp
    Development of a mobile application for Affhome
    862
  • image_mobile-applications_flavors_409_0.webp
    Development of a mobile application for the FLAVORS company
    445
Show more works

Implementing Server-Side Purchase Verification (Receipt Validation)

A client submitted a bug report: a user bought Premium, got a transaction token, then restored the app from a backup on another device — and Premium is active again without re-payment. Classic. The reason — validation only on the client: the app checks the local receipt or trust flag from StoreKit, without consulting the server.

Why client-side validation is not validation

On iOS StoreKit 2 returns a Transaction with Apple's signature. You can verify the signature locally through Transaction.verificationResult, but this doesn't protect against replay attacks: an attacker intercepts a valid receipt from one user and substitutes it in another account. On Android the situation is analogous — BillingClient.queryPurchasesAsync() returns Purchase objects that the client should not treat as confirmation without server verification of purchaseToken.

The most common fraud scheme is "receipt sharing": one receipt is distributed between users via forums. Without a server database that records which originalTransactionId (iOS) or orderId (Android) has already been used, this can't be detected.

How proper server verification is structured

iOS side (App Store Server API). The old approach — POST to https://buy.itunes.apple.com/verifyReceipt with base64-encoded receipt-data — is outdated. Apple promotes App Store Server API v1: client sends server the transactionId from Transaction.id (StoreKit 2), server makes GET /inApps/v1/history/{transactionId} with a JWT token (signed with ES256 key from App Store Connect). Response — JWSTransaction, which needs to be decoded and signature verified through Apple Root CA.

In parallel, subscribe to App Store Server Notifications V2: Apple pushes events (DID_RENEW, EXPIRED, REFUND, GRACE_PERIOD_EXPIRED) to your endpoint. Without this, subscription status on the server becomes stale — user canceled the subscription, but you still have them as Premium.

Android side (Google Play Developer API). For one-time purchases — purchases.products.get with packageName, productId, purchaseToken. For subscriptions — purchases.subscriptions.v2.get. Authorization through Service Account with Financial data viewer role — this is the minimum necessary permissions, don't give Editor access to the entire project. Response contains purchaseState (0 = Purchased, 1 = Canceled, 2 = Pending) and acknowledgementState — if 0, need to call purchases.products.acknowledge, otherwise Google returns money automatically after 3 days.

Idempotency and replay protection. Store in a table purchase_receipts with a unique index on original_transaction_id + product_id. On each verification request, first check if the record exists — if we already verified with a different user_id, return an error. This is receipt sharing protection.

purchase_receipts
  id                    uuid PK
  user_id               uuid FK
  platform              enum('ios','android')
  original_transaction_id varchar UNIQUE (per product)
  product_id            varchar
  purchase_state        smallint
  expires_at            timestamptz  -- for subscriptions
  raw_payload           jsonb        -- original response from Apple/Google
  verified_at           timestamptz

Stack and integration

Server-side usually Node.js (library app-store-server-api) or Python (google-auth + googleapiclient). For Node, the node-apple-receipt-verify package is convenient for legacy endpoints, but better to use app-store-server-api from Apple directly — supports JWT authorization and JWS verification out of the box.

On the iOS client side — minimal code: get Transaction.id from Transaction.all or from the updates stream, send to backend. Don't pass the entire appStoreReceiptURL — this is legacy, and the file may be invalid on the simulator.

On Android client sends purchaseToken and productId from Purchase.purchaseToken. Important: the token can be the same for multiple productId on subscription upgrade — account for this in the logic.

Workflow

Start with an audit of the current validation scheme — where exactly the receipt is checked, whether there is a server database of purchases, whether Server Notifications are handled. Then design the database schema and API endpoints, implement verification for each platform, configure webhook handler for Server Notifications, cover with tests using mock responses from Apple/Google. Separate phase — load testing of the verification endpoint, because at peak launches (promotion, feature in top App Store) it gets everything at once.

Estimated time — 2 to 5 days, depends on the presence of server infrastructure and the number of types of purchases (one-time, subscriptions, consumable, non-consumable). If the server already exists and you only need to add verification — closer to 2 days. Full architecture from scratch plus migrating existing users — up to 5.