Select the type of receipt validation that works for your app.
Framework: StoreKit
Overview
An App Store receipt provides a record of the sale of an app or any purchase made from within the app, and you can authenticate purchased content by adding receipt validation code to your app or server. Receipt validation requires an understanding of secure coding techniques in order to employ a solution that is secure and unique to your application.
Choose a Validation Technique
There are two ways to verify a receipt's authenticity:
Local, on-device receipt validation, recommended to validate the signature of the receipt for apps with in-app purchases.
Server-side receipt validation with the App Store, recommended for persisting in-app purchases to maintain and manage purchase records.
Compare the approaches and determine the best fit for your app and your infrastructure. You can also choose to implement both approaches.
Consumable in-app purchases remain in the receipt until you call finish. Maintain and manage records of consumables on a server if needed. Non-consumables, auto-renewing subscription items, and non-renewing subscription items remain in the receipt indefinitely. For auto-renewable subscription management, server-side receipt validation gives key advantages over on-device receipt validation.
On-device versus server-side validation for auto-renewable subscriptions
| | On-device validation | Server-side validation |
|---|---|---|
| Validates authenticity of receipt | Yes | Yes |
| Includes renewal transactions | Yes | Yes |
| Includes additional user subscription information | No | Yes |
| Handles renewals without client dependency | No | Yes |
| Resistant to device clock change | No | Yes |
Note
In order for on-device receipt validation to include renewal transactions, there must be an internet connection to refresh the receipt.
See WWDC 2018 > Engineering Subscriptions for more information on implementing receipt validation for apps that contain auto-renewable subscription products.
Verify Receipts
Validating locally requires code to read and validate a PKCS #7 signature, and code to parse and validate the signed payload. Validating with the App Store requires a secure connection between your app and your server, and code on your server to validate the receipt with the App Store. For more information on server-side validation, see Validating Receipts with the App Store.
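The server-side flow above, and the "resistant to device clock change" row of the comparison table, as an added example that is not part of this page or of StoreKit. It assumes the App Store verifyReceipt endpoint URLs, the `receipt-data` / `password` / `exclude-old-transactions` request fields, status `0` for success and `21007` for a sandbox receipt sent to production, and the `receipt.bundle_id`, `latest_receipt_info`, `expires_date_ms` and `cancellation_date_ms` response fields, all as I know them from Apple's verifyReceipt reference rather than from this page; the HTTP transport is injected so the example runs offline against a constructed response, and the bundle and product identifiers are invented.

```python
"""Server-side App Store receipt validation (constructed example)."""
from datetime import datetime, timezone

# Assumed from Apple's verifyReceipt reference, not from this page.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007  # production endpoint was given a sandbox receipt


class ReceiptValidationError(Exception):
    """The App Store rejected the receipt, or its contents do not match this app."""


def verify_with_app_store(receipt_b64, shared_secret, post):
    """Send the base64 receipt to the App Store and return the parsed JSON.

    `post(url, body) -> dict` is an injected transport (real code would use an
    HTTPS client). Production is tried first and the sandbox endpoint only on
    21007, so the server, not the client, decides which environment applies.
    """
    body = {"receipt-data": receipt_b64, "password": shared_secret,
            "exclude-old-transactions": True}
    response = post(PRODUCTION_URL, body)
    if response.get("status") == STATUS_SANDBOX_RECEIPT:
        response = post(SANDBOX_URL, body)
    if response.get("status") != STATUS_OK:
        raise ReceiptValidationError(f"App Store status {response.get('status')}")
    return response


def active_subscription_expiry(response, bundle_id, product_id, now):
    """Return the latest unexpired, uncancelled expiry (UTC) for product_id, or None.

    `now` must come from the server clock: checking expiry against server time
    is what makes this resistant to a changed device clock.
    """
    if response.get("receipt", {}).get("bundle_id") != bundle_id:
        raise ReceiptValidationError("receipt was issued for a different bundle id")
    best = None
    for txn in response.get("latest_receipt_info", []):
        if txn.get("product_id") != product_id:
            continue
        if "cancellation_date_ms" in txn:  # refunded or cancelled: not entitled
            continue
        expires = datetime.fromtimestamp(int(txn["expires_date_ms"]) / 1000,
                                         tz=timezone.utc)
        if expires > now and (best is None or expires > best):
            best = expires
    return best


# Constructed sample response; the shape follows verifyReceipt JSON as I know
# it, the values are invented. Two monthly renewals, the second ending
# 2024-01-13T22:13:20Z.
SAMPLE_RESPONSE = {
    "status": 0,
    "environment": "Sandbox",
    "receipt": {"bundle_id": "com.example.reader", "in_app": []},
    "latest_receipt_info": [
        {"product_id": "com.example.reader.monthly",
         "transaction_id": "1000000000000001",
         "purchase_date_ms": "1700000000000",
         "expires_date_ms": "1702592000000"},
        {"product_id": "com.example.reader.monthly",
         "transaction_id": "1000000000000002",
         "purchase_date_ms": "1702592000000",
         "expires_date_ms": "1705184000000"},
    ],
}


def fake_post_factory(log):
    """Transport that mimics production answering 21007 for a sandbox receipt."""
    def post(url, body):
        log.append(url)
        if url == PRODUCTION_URL:
            return {"status": STATUS_SANDBOX_RECEIPT}
        return SAMPLE_RESPONSE
    return post


def demo(server_now_epoch, bundle_id="com.example.reader"):
    """Run the full flow at a given server time; returns (urls_called, expiry)."""
    calls = []
    response = verify_with_app_store("BASE64-RECEIPT-PLACEHOLDER",
                                     "SHARED-SECRET-PLACEHOLDER",
                                     fake_post_factory(calls))
    now = datetime.fromtimestamp(server_now_epoch, tz=timezone.utc)
    expiry = active_subscription_expiry(response, bundle_id,
                                        "com.example.reader.monthly", now)
    return calls, expiry


if __name__ == "__main__":
    print(demo(1704067200))  # server time 2024-01-01T00:00:00Z
```

The bundle-id check matters because a syntactically valid receipt from another app would otherwise pass; the cancellation check matters because a refunded transaction still carries a future `expires_date_ms`.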
Although receipts typically update immediately after a completed purchase or restored purchase, changes can happen at other times when the app is not running. When necessary, call SKReceipt to ensure the receipt you are working with is up-to-date, such as when a subscription renews in the background. This refresh requires a network connection.