
ios - Why do I need to validate receipt using storekit2? - Stack Overflow


I’m using StoreKit 2 in Swift to handle subscriptions and I’m told that I need to validate receipts from Apple on the server side using Node.js. Why do I need to do this? Can someone please explain? Doesn’t StoreKit 2 already handle this for me?


Asked yesterday by Rue Vitale
  • What alternative would you suggest for ensuring a user has paid for their subscription before provisioning them the service to which they are subscribing? How exactly would you expect StoreKit alone to implement this in your server’s code? If you don’t do this verification, what’s stopping me from crafting a request to tell your server that I’ve subscribed, even if I haven’t? – esqew Commented yesterday

1 Answer


You don't necessarily need to validate purchases on the server side. StoreKit 2 entitlement information that is available to your app is secure.

However, there is always a possibility that someone has attacked the logic in your app or maybe successfully attacked the StoreKit framework on the device, in which case server-side validation can provide more protection against fraud.

With StoreKit 2 APIs you don't need to validate the receipt. You can use the transactionId with the Get Transaction Info endpoint. If the transaction id is not valid then an error will be returned. Since the response returned by Apple is signed you can be sure that the information regarding the transaction id was provided by Apple.

You also need to consider whether the user will have access to their subscription benefits outside of your app. If so, then your server needs to know that the user has a current subscription, even if they haven't opened the app. This is different from transaction validation, however.
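The server-side check the answer describes, sketched in Node.js as an added example (not code from the question or the answer): verify the ES256 signature on a signed transaction, then check the claims before granting access. It assumes the public key passed in was taken from the leaf certificate in the JWS `x5c` header and already chain-validated to Apple's root CA, which is not shown; the function names, the locally generated key and the sample values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verify a compact ES256 JWS and apply entitlement checks to its payload.
// leafPublicKey is ASSUMED to come from the x5c leaf certificate after
// chain validation to Apple's root CA (that step is outside this example).
function checkSignedTransaction(jws, leafPublicKey, expected, nowMs = Date.now()) {
  const parts = jws.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, payload;
  try { header = b64urlJson(h); payload = b64urlJson(p); }
  catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm on the server; never let the token choose it.
  if (header.alg !== 'ES256') return { ok: false, reason: 'bad-alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: leafPublicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  // The signature only proves origin; the claims must match this app and request.
  if (payload.bundleId !== expected.bundleId) return { ok: false, reason: 'wrong-app' };
  if (payload.transactionId !== expected.transactionId) return { ok: false, reason: 'wrong-transaction' };
  if (payload.revocationDate) return { ok: false, reason: 'revoked' };
  // expiresDate is in milliseconds; a missing value is treated as expired.
  if (!(payload.expiresDate > nowMs)) return { ok: false, reason: 'expired' };
  return { ok: true, productId: payload.productId };
}

// Constructed sample data: a local P-256 key stands in for Apple's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
function signSample(payload, header = { alg: 'ES256' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc(header)}.${enc(payload)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
const NOW = 1700000000000; // fixed clock so the sample is deterministic
const sample = { transactionId: '1000000000000001', bundleId: 'com.example.app',
  productId: 'com.example.app.monthly', expiresDate: NOW + 86400000 };
const expected = { transactionId: '1000000000000001', bundleId: 'com.example.app' };

console.log(checkSignedTransaction(signSample(sample), publicKey, expected, NOW));
```

A client that merely claims a subscription, as the comment on the question describes, cannot produce a payload that passes the signature check, and a validly signed transaction for another app or transaction fails the claim checks.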
