Choosing a Receipt Validation Technique

Select the type of receipt validation that works for your app.

Overview

An App Store receipt provides a record of the sale of an app or any purchase made from within the app, and you can authenticate purchased content by adding receipt validation code to your app or server. Receipt validation requires an understanding of secure coding techniques in order to employ a solution that is secure and unique to your application.

Choose a Validation Technique

There are two ways to verify a receipt's authenticity:

  • Local, on-device receipt validation, recommended to validate the signature of the receipt for apps with in-app purchases.

  • Server-side receipt validation with the App Store, recommended for persisting in-app purchases to maintain and manage purchase records.

Compare the approaches and determine the best fit for your app and your infrastructure. You can also choose to implement both approaches.

Consumable in-app purchases remain in the receipt until you call finishTransaction(_:). Maintain and manage records of consumables on a server if needed. Non-consumables, auto-renewing subscription items, and non-renewing subscription items remain in the receipt indefinitely. For auto-renewable subscription management, server-side receipt validation gives key advantages over on-device receipt validation.

Table 1

On-device versus server-side validation for auto-renewable subscriptions

                                                    On-device validation    Server-side validation
--------------------------------------------------  ----------------------  ----------------------
Validates authenticity of receipt                   Yes                     Yes
Includes renewal transactions                       Yes                     Yes
Includes additional user subscription information   No                      Yes
Handles renewals without client dependency          No                      Yes
Resistant to device clock change                    No                      Yes

See WWDC 2018 > Engineering Subscriptions for more information on implementing receipt validation for apps that contain auto-renewable subscription products.

Verify Receipts

Validating locally requires code to read and validate a PKCS #7 signature, and code to parse and validate the signed payload. Validating with the App Store requires a secure connection between your app and your server, and code on your server to validate the receipt with the App Store. For more information on server-side validation, see Validating Receipts with the App Store.

Although receipts typically update immediately after a completed purchase or restored purchase, changes can happen at other times when the app is not running. When necessary, call SKReceiptRefreshRequest to ensure the receipt you are working with is up-to-date, such as when a subscription renews in the background. This refresh requires a network connection.
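The following is an added example, not Apple's code: a server-side check that decides subscription state from an already-decoded App Store validation response, using the server's clock rather than the device's. The field names (status, receipt.bundle_id, latest_receipt_info, expires_date_ms, cancellation_date_ms) are those of the verifyReceipt JSON response, which this page does not list; the bundle ID, product ID, and all sample values are constructed.

```python
import time

# Constructed sample of a decoded verifyReceipt response; every value is made up.
SAMPLE_RESPONSE = {
    "status": 0,
    "environment": "Production",
    "receipt": {"bundle_id": "com.example.app"},
    "latest_receipt_info": [
        {"product_id": "com.example.app.monthly",
         "transaction_id": "1000000000000001",
         "expires_date_ms": "1700000000000"},
        {"product_id": "com.example.app.monthly",
         "transaction_id": "1000000000000002",
         "expires_date_ms": "1702592000000"},
        {"product_id": "com.example.app.monthly",
         "transaction_id": "1000000000000003",
         "expires_date_ms": "1705270400000",
         "cancellation_date_ms": "1702700000000"},
    ],
}


def subscription_state(response, bundle_id, product_id, now_ms=None):
    """Return (state, expires_ms) for one auto-renewable product.

    state is 'invalid', 'wrong_app', 'none', 'expired' or 'active'.
    """
    # Compare against the server's clock; the device clock is user-controlled.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    # Any non-zero status means the App Store did not accept the receipt.
    if response.get("status") != 0:
        return ("invalid", None)
    # A genuine receipt issued for a different app must not unlock this one.
    if response.get("receipt", {}).get("bundle_id") != bundle_id:
        return ("wrong_app", None)
    expiries = [
        int(tx["expires_date_ms"])
        for tx in response.get("latest_receipt_info", [])
        if tx.get("product_id") == product_id
        and "expires_date_ms" in tx
        # Skip transactions cancelled by Apple support or replaced by an upgrade.
        and "cancellation_date_ms" not in tx
    ]
    if not expiries:
        return ("none", None)
    latest = max(expiries)
    return ("active" if latest > now_ms else "expired", latest)
```
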

See Also

Validating Purchases

Validating Receipts with the App Store

Verify transactions with the App Store on a secure server.