server side receipt validation?

[ngethan]

Hey, I'm struggling with server-side receipt validation and could use some help.

I've been trying to validate receipts on my backend by sending the transactionReceipt to Apple's /verifyReceipt endpoint, but I keep getting error 21002 (malformed receipt). The receipt data looks like this: {"transactionId":"123","originalTransactionId":"456"...} - which seems like it's already parsed JSON rather than the base64 receipt blob Apple expects.

Looking at the repo examples, I don't see any server-side validation happening - just client-side purchase handling. Is that intentional?

A few questions:

• Do you have any examples of proper server-side validation with expo-iap?
• With StoreKit 2, do we even need to hit Apple's servers anymore, or can we validate the JWTs locally?
• How do I tell if I'm getting StoreKit 1 receipts vs StoreKit 2 JWTs from expo-iap?

I'm also dealing with the app making tons of validation requests on startup (like 25+), which is probably a separate issue on my end, but wondering if there's a recommended pattern for when/how often to validate.

Any pointers would be awesome. Thanks!

[ngethan]

Hi @hyochan, kindly seeking your support on this. Thank you!

[di-sukharev]

also would be very nice to have examples for node.js, the provided repos links in documentation are 404

[hyochan]

Thanks for raising this and for sharing the details! 🙌

This question is very similar to what I recently addressed on Twitter:
https://x.com/hyodotdev/status/1950487732037497183

In short:

• With StoreKit 2, receipts are now structured differently – transactionReceipt is no longer a base64 blob.
• In expo-iap, you’ll see a parsed JSON object and jwsRepresentationIos instead of the old format.
• Validation should now be done through Apple’s App Store Server API, not the old /verifyReceipt endpoint.
• There’s no need to locally validate JWTs if you’re using Apple’s newer server API.

I’ve seen multiple similar questions recently, so rather than giving a rushed answer here, I’ll consolidate all this information into a proper migration guide and documentation update next week or the following week.

Thanks for your patience while I finish earlier tasks before addressing this in more detail! 🙏

[hyochan]

I'm currently working on a more streamlined and unified IAP solution that aims to address many of the concerns raised here. After extensive planning and iteration, I’m targeting a release of concrete updates and supporting code sometime in September.

This is something I’ve been planning for a while, and it’s directly aligned with what I previously announced in this discussion. I’m actively working to deliver on that promise, aiming to release a practical solution by mid to late September for both StoreKit 2 and Android Billing Client workflows.

Hope this provides some clarity for now — and I truly appreciate your patience and input!

I'll go ahead and move this issue to Discussions to keep things organized.

[jamsch]

fwiw, this is what we do in PHP using hoels/app-store-server-library-php. Send over purchase.transactionReceipt to your server which is the jwsRepresentation.

use AppStoreServerLibrary\Models\Environment;
use AppStoreServerLibrary\Models\JWSTransactionDecodedPayload;
use AppStoreServerLibrary\SignedDataVerifier;
use AppStoreServerLibrary\SignedDataVerifier\VerificationException;

/**
 * Validate an Apple Store purchase receipt.
 *
 * @param string $jwsRepresentation The JWS representation of the receipt
 * @param bool $useSandbox Whether to use the sandbox environment
 *
 * @throws VerificationException if the receipt failed verification
 * @throws Exception if the SKU does not match the product id
 */
public static function validateAppleStorePurchaseStoreKit(
    string $jwsRepresentation,
    bool $useSandbox,
): JWSTransactionDecodedPayload {
    $environment = $useSandbox ? Environment::SANDBOX : Environment::PRODUCTION;

    $signedDataVerifier = new SignedDataVerifier(
        rootCertificates: [
            // sourced from https://www.apple.com/certificateauthority/AppleRootCA-G3.cer
            file_get_contents(config('services.applestore.root_certificate')),
            // sourced from https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer
            file_get_contents(config('services.applestore.intermediate_certificate')),
        ],
        enableOnlineChecks: true,
        environment: $environment,
        // e.g. "com.company.app"
        bundleId: config('services.applestore.bundle_id'),
        // appAppleId is found under App Information -> Apple ID
        appAppleId: config('services.applestore.app_apple_id')
    );

    return $signedDataVerifier->verifyAndDecodeSignedTransaction(
        signedTransaction: $jwsRepresentation,
    );
}