server side receipt validation?

[ngethan]

Hey, I'm struggling with server-side receipt validation and could use some help.

I've been trying to validate receipts on my backend by sending the transactionReceipt to Apple's /verifyReceipt endpoint, but I keep getting error 21002 (malformed receipt). The receipt data looks like this: {"transactionId":"123","originalTransactionId":"456"...} - which seems like it's already parsed JSON rather than the base64 receipt blob Apple expects.

Looking at the repo examples, I don't see any server-side validation happening - just client-side purchase handling. Is that intentional?

A few questions:

• Do you have any examples of proper server-side validation with expo-iap?
• With StoreKit 2, do we even need to hit Apple's servers anymore, or can we validate the JWTs locally?
• How do I tell if I'm getting StoreKit 1 receipts vs StoreKit 2 JWTs from expo-iap?

I'm also dealing with the app making tons of validation requests on startup (like 25+), which is probably a separate issue on my end, but wondering if there's a recommended pattern for when/how often to validate.

Any pointers would be awesome. Thanks!

[ngethan]

Hi @hyochan, kindly seeking your support on this. Thank you!

[di-sukharev]

also would be very nice to have examples for node.js, the provided repos links in documentation are 404

[hyochan]

Thanks for raising this and for sharing the details! 🙌

This question is very similar to what I recently addressed on Twitter:
https://x.com/hyodotdev/status/1950487732037497183

In short:

• With StoreKit 2, receipts are now structured differently – transactionReceipt is no longer a base64 blob.
• In expo-iap, you’ll see a parsed JSON object and jwsRepresentationIos instead of the old format.
• Validation should now be done through Apple’s App Store Server API, not the old /verifyReceipt endpoint.
• There’s no need to locally validate JWTs if you’re using Apple’s newer server API.

I’ve seen multiple similar questions recently, so rather than giving a rushed answer here, I’ll consolidate all this information into a proper migration guide and documentation update next week or the following week.

Thanks for your patience while I finish earlier tasks before addressing this in more detail! 🙏

[hyochan]

I'm currently working on a more streamlined and unified IAP solution that aims to address many of the concerns raised here. After extensive planning and iteration, I’m targeting a release of concrete updates and supporting code sometime in September.

This is something I’ve been planning for a while, and it’s directly aligned with what I previously announced in this discussion. I’m actively working to deliver on that promise, aiming to release a practical solution by mid to late September for both StoreKit 2 and Android Billing Client workflows.

Hope this provides some clarity for now — and I truly appreciate your patience and input!

I'll go ahead and move this issue to Discussions to keep things organized.