Select the type of receipt validation that works for your app.
An App Store receipt provides a record of the sale of an app or any purchase made from within the app, and you can authenticate purchased content by adding receipt validation code to your app or server. Receipt validation requires an understanding of secure coding techniques in order to employ a solution that is secure and unique to your application.
Choose a Validation Technique
There are two ways to verify a receipt's authenticity:
Local, on-device receipt validation, recommended to validate the signature of the receipt for apps with in-app purchases.
Server-side receipt validation with the App Store, recommended for persisting in-app purchases to maintain and manage purchase records.
Compare the approaches and determine the best fit for your app and your infrastructure. You can also choose to implement both approaches.
Consumable in-app purchases remain in the receipt until you call finish. Maintain and manage records of consumables on a server if needed. Non-consumables, auto-renewing subscription items, and non-renewing subscription items remain in the receipt indefinitely. For auto-renewable subscription management, server-side receipt validation gives key advantages over on-device receipt validation.
Validates authenticity of receipt
Includes renewal transactions
Includes additional user subscription information
Handles renewals without client dependency
Resistant to device clock change
See WWDC 2018 > Engineering Subscriptions for more information on implementing receipt validation for apps that contain auto-renewable subscription products.
Validating locally requires code to read and validate a PKCS #7 signature, and code to parse and validate the signed payload. Validating with the App Store requires a secure connection between your app and your server, and code on your server to validate the receipt with the App Store. For more information on server-side validation, see Validating Receipts with the App Store.
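The following is an added example, not Apple's code, of the server-side entitlement decision for an auto-renewable subscription: it walks the renewal transactions in an already-fetched validation response and compares the latest expiry against the server clock, so a changed device clock has no effect. It assumes the response is parsed JSON with the fields `status`, `latest_receipt_info`, `expires_date_ms` and `cancellation_date_ms`; the function name, product identifier and all sample values are constructed.

```python
import time

# Constructed sample shaped like the JSON body a server receives back from
# App Store receipt validation; every identifier and timestamp is made up.
SAMPLE_RESPONSE = {
    "status": 0,
    "latest_receipt_info": [
        {"product_id": "com.example.pro.monthly",
         "transaction_id": "1000000000000001",
         "expires_date_ms": "1700000000000"},
        {"product_id": "com.example.pro.monthly",
         "transaction_id": "1000000000000002",
         "expires_date_ms": "1702592000000"},
        # Renewal that was later cancelled (refunded): must not grant access.
        {"product_id": "com.example.pro.monthly",
         "transaction_id": "1000000000000003",
         "expires_date_ms": "1705270400000",
         "cancellation_date_ms": "1702600000000"},
    ],
}


def subscription_state(response, product_id, now_ms=None):
    """Return (active, expires_ms) for product_id, judged by the server clock."""
    if now_ms is None:
        # Server time only; never accept a timestamp supplied by the client.
        now_ms = int(time.time() * 1000)
    if response.get("status") != 0:
        return False, None  # receipt was not authenticated: grant nothing
    latest = None
    for tx in response.get("latest_receipt_info", []):
        if tx.get("product_id") != product_id:
            continue
        if "cancellation_date_ms" in tx:
            continue  # cancelled period is treated as never purchased
        try:
            expires = int(tx["expires_date_ms"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed entries instead of trusting them
        if latest is None or expires > latest:
            latest = expires
    if latest is None:
        return False, None
    return now_ms < latest, latest
```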
Although receipts typically update immediately after a completed purchase or restored purchase, changes can happen at other times when the app is not running. When necessary, call SKReceipt to ensure the receipt you are working with is up-to-date, such as when a subscription renews in the background. This refresh requires a network connection.