After reading Detecting refunds in in_app_purchase, I wonder: if I have my backend listening to purchase messages via pub/sub and a webhook in our backend, can I rely on that, or do I have to verify anything on the client side at all? Do I need to listen to the purchaseStream or verify a purchase after the call succeeded inside the app, or is it enough to query my backend to verify that the purchase was registered there?
Why do I have to verify a purchase when the backend receives a purchase notification?
After reading some more I understand that I have to acknowledge that my app has delivered the purchase/subscription. For Android it is recommended to do that directly from our backend by calling Method: purchases.subscriptions.acknowledge | Google Play Developer API | Google for Developers
Is there a similar server API for iOS? I couldn’t find any conclusive description in the Apple docs yet. Or do I have to do it from the app for iOS?
@escamoteur In my product and experience, we use the user’s system information to synchronize subscriptions with IAP data. There is no doubt that this data is the most recent and stable. We can sync the data when you first subscribe and check it regularly.
What do you mean by “the user’s system information”?
Oh, that means “the records from the user’s Apple account or Google account”.
How do you access those records?
We use RevenueCat for IAP implementation. So, for our scenario, it’s easy to access info about the user’s purchases (sub plan, purchase date, expiration date, etc.). I’ve been a long time to use native API to do IAP. Now is there no type of API to do this?
Ah, OK, yes, we want to use the native APIs, not relying on another layer if possible.
While the backend listening to purchase notifications via pub/sub/webhooks is crucial for tracking and handling purchases, I would recommend a combination of client-side and backend verification for both security and user experience. For iOS, you don’t need to acknowledge purchases like you do on Android, but receipt validation is key.
Can you elaborate on why I have to validate the receipt I get from the app store?
How could a receipt that I get be wrong? It would need a jailbroken phone with a man-in-the-middle attack, or is there another possible problem?