There are fake receipts used by hackers, which are the receipts before iOS7.The Receipt can be successfully verified with an incorrect password.Is this a bug?https://developer.apple.com/documentation/appstorereceipts/verifyreceipt --Do I need to completely drop compatibility for this?

Receipt verification on my app's server suddenly started giving an error, and all billing-related processes became errors. The error that is occurring is Signature verification failed　is.(FireBaseJWT throw Exception) The code is below, but it was working fine until 3 days ago. JWT::decode($lastTransaction['signedTransactionInfo'], $appleCertificate, ['ES256']); The certificate used here was created by the server developer, so I don't know how to create it. Could you please help me which certificate should I use? I tried using the ApplePKI certificate, but the same error occurred. 私のアプリのサーバでのレシート検証が突然エラーを吐くようになり、課金関連の処理が全てエラーになってしまいました。 発生しているエラーはSignature verification failedです。(FireBaseJWTのException) コードは以下になっていますが、3日前までは正常に動作していたコードです。 JWT::decode($lastTransaction['signedTransactionInfo'], $appleCertificate, ['ES256']); ここで利用している証明書はサーバ開発者に作成して貰っていたので作成方法が分かりません。 どの証明書を使えば良いか助けて貰えないでしょうか。 ApplePKIの証明書は粗方試してみましたが同様のエラーになっています。

Hi , i have a question to ask: When i first request to get transactionInfo to valid receipt. use getTransactionInfo endpoint. it found 4040010 error. After a while ,I send the same request ,it response correct transaction info It happen rate about 2% What the reason?

Hello! Please let me know after I make a request for purchase information GET https://api.storekit-sandbox.itunes.apple.com/inApps/v1/transactions/2000000411047647 I receive encrypted information in this format { "signedTransactionInfo":"eyJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlFTURDQ0E3YWdBd0lCQWdJUWZUbGZkMGZOdkZXdnpDMVlJQU5zWGpBS0JnZ3Foa2pPUFFRREF6QjFNVVF3UWdZRFZRUURERHRCY0hCc1pTQlhiM0pzWkhkcFpHVWdSR1YyWld4dmNHVnlJRkpsYkdGMGFXOXVjeUJEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURUxNQWtHQTFVRUN3d0NSell4RXpBUkJnTlZCQW9NQ2tGd2NHeGxJRWx1WXk0eEN6QUpCZ05WQkFZVEFsVlRNQjRYRFRJek1Ea3hNakU1TlRFMU0xb1hEVEkxTVRBeE1URTVOVEUxTWxvd2daSXhRREErQmdOVkJBTU1OMUJ5YjJRZ1JVTkRJRTFoWXlCQmNIQWdVM1J2Y21VZ1lXNWtJR2xVZFc1bGN5QlRkRzl5WlNCU1pXTmxhWEIwSUZOcFoyNXBibWN4TERBcUJnTlZCQXNNSTBGd2NHeGxJRmR2Y214a2QybpBQmhpVm9kSFJ3T2k4dmIyTnpjQzVoY0hCc1pTNWpiMjB2YjJOemNEQXpMWGQzWkhKbk5qQXlNSUlCSGdZRFZSMGdCSUlCRlRDQ0FSRXdnZ0VOQmdvcWhraUc5Mk5rQlFZQk1JSCtNSUhEQmdnckJnRUZCUWNDQWpDQnRneUJzMUpsYkdsaGJtTmxJRzl1SUhSb2FYTWdZMlZ5ZEdsbWFXTmhkR1VnWW5rZ1lXNTVJSEJoY25SNUlHRnpjM1Z0WlhNZ1lXTmpaWEIwWVc1alpTQnZaaUIwYUdVZ2RHaGxiaUJoY0hCc2FXTmhZbXhsSUhOMFlXNWtZWEprSUhSbGNtMXpJR0Z1WkNCamIyNWthWFJwYjI1eklHOW1JSFZ6WlN3Z1kyVnlkR2xtYVdOaGRHVWdjRzlzYVdONUlHRnVaQ0JqWlhKMGFXWnBZMkYwYVc5dUlIQnlZV04wYVdObElITjBZWFJsYldWdWRITXVNRFlHQ0NzR0FRVUZCd0lCRmlwb2RIUndPaTh2ZDNkM0xtRndjR3hsTG1OdmJTOWpaWEowYVdacFkyRjBaV0YxZEdodmNtbDBlUzh3SFFZRFZSME9CQllFRkFNczhQanM2VmhXR1FsekUyWk9FK0dYNE9vL01BNEdBMVVkRHdFQi93UUVBd0lIZ0RBUUJnb3Foa2lHOTJOa0Jnc0JCQUlGQURBS0JnZ3Foa2pPUFFRREF3Tm9BREJsQWpFQTh5Uk5kc2twNTA2REZkUExnaExMSndBdjVKOGhCR0xhSThERXhkY1BYK2FCS2pqTzhlVW85S3BmcGNOWVVZNVlBakFQWG1NWEVaTCtRMDJhZHJtbXNoTnh6M05uS20rb3VRd1U3dkJUbjBMdmxNN3ZwczJZc2xWVGFtUllMNGFTczVrPSIsIk1JSURGakNDQXB5Z0F3SUJBZ0lVSXNHaFJ3cDBjMm52VTRZU3ljYWZQVGp6Yk5jd0NnWUlLb1pJemowRUF3TXdaekViTUJrR0ExVRWUVFERER0QmNIQnNaU0JYYjNKc1pIZHBaR1VnUkdWMlpXeHZjR1Z5SUZKbGJHRj000OUJBTURBMmdBTUdVQ01RQ0Q2Y0hFRmw0YVhUUVkyZTN2OUd3T0FFWkx1***5UmhIRkQvM21lb3locG12T3dnUFVuUFdUeG5TNGF0K3FJeFVDTUcxbWloREsxQ" } Please tell me how I can decode the information signedTransactionInfo ? and what is needed for this? (I'm trying to decode on Node.js)

The error message "Purchase of this item is not currently available. The item is being modified." keeps appearing for journalists in different countries trying to get early copies of the latest build of my app using promo codes. This error has only started appearing when redeeming promo codes recently. Just days ago, users had no problem redeeming codes for the same build. No changes have been made to the app since then. The app is also free globally with an in-app-purchase option to remove ads. The promo codes to remove ads have been working fine with no error messages, but redeeming the latest build displayed the error message though it has worked days before. Generating new promo codes for the same build did not work either. This is the message that I got from a reviewer from one journalist: "I've sent the code over to one of our reviewers, and he says that when he tried to redeem the code to download your app, an error message popped up saying "purchase not currently available, item is being modified". He's still getting the same error message even after restarting his iPhone. He even tried a different device and checked for updates on both devices to no avail. Can you help?" It's an urgent matter not only because the press can't review the game, but also I worry it would affect the launch of the app in a few days. What if this error means users can't download the app on launch?

Hello, I finding contradictory information. Is it possible to place PWA in the app store?

As of September 6, 2023, I have registered and paid the Apple Developer participation fee to be able to publish the application on the App Store. However, up to now, it has been 5 days since registering and I have not received any notification or response about my account status, even though Apple informed me in the message that I need to wait 2 days for processing. . I'm really frustrated, is there anyone else like me with this situation? If you have any way to solve the above problem, please help me. Thank you very much!

Hi all, We're facing an issue with our app's subscription and in-app purchases: We are using StoreKit 2 Up until 6 hours ago, everything was fine. Now, users are telling us they can't access what they've paid for. We could reproduce the error on iOS 16.6, not on iOS 17 developer beta Buying or restore purchases are timing out. Everything works fine in Sandbox and TestFlight. We are getting these two errors with production builds: Error enumerating unfinished transactions Error enumerating all current transactions both with the following timeout message: Error Domain=NSURLErrorDomain Code=-1001 "Zeitüberschreitung bei der Anforderung." UserInfo={NSErrorFailingURLStringKey=https://mzstorekit.itunes.apple.com/inApps/v1/history?reason=initial, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask, NSUnderlyingError=0x2837a4f00 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, _kCFStreamErrorCodeKey=-2102 Is anyone else seeing this? Any fixes? Thanks for any help or advice. Best, Juno

If my user purchase and get transaction_id: 2000000395609292, and then another user just makeup a same transaction_id to call the App Store Server API If in the old way, the receipt seems impossiable to makeup, how about now? Is that equally safe as before? Or is there any way to protect transaction_id. I am not that good at security, so please forgive me about missing any point. o(╥﹏╥)o Looking forward to your response, sincerely!! :)

I try to call Get Transaction Info from App Store Server API, and the transactionId is for a Non-consumable type product, but it is odd that there are so many different transactionId and they have a same originalTransactionId { "bundleId": "${bundleId}", "environment": "Production", "inAppOwnershipType": "PURCHASED", "originalPurchaseDate": 1691220528000, "originalTransactionId": "${originalTransactionId}", "productId": "${productId}", "purchaseDate": 1691220528000, "quantity": 1, "signedDate": 1692590989925, "storefront": "USA", "storefrontId": "143441", "transactionId": "${originalTransactionId}", "transactionReason": "PURCHASE", "type": "Non-Consumable" } the defination of Non-Consumable is can only purchase once for same apple account. But why there would have originalTransactionId?

In the old verifyReceipt endpoint doc, there is an important desc As a best practice, always call the production URL https://buy.itunes.apple.com/verifyReceipt first and proceed to verify with the sandbox URL if you receive a 21007 status code. Following this approach ensures that you don’t have to switch between URLs while your app is in testing, in review by App Review, or live in the App Store. So I can know the transactionId is for sandbox if return back 21007. And I am about to access to new App Store Server API, so the same, I wonder how can I recognize the transactionId is from sandbox by status code? The most likely desc is this: If you don’t have environment information, follow these steps: Call the endpoint using the production URL. If the call succeeds, the original transaction identifier belongs to the production environment. If you receive an [errorCode 4040005] with errorMessage as OriginalTransactionIdNotFoundError, (or HTTP response code 404 from the Send Consumption Information endpoint), call the endpoint using the sandbox environment. If the call succeeds, the original transaction identifier belongs to the sandbox environment. If the call fails with the same error code, the original transaction identifier isn’t present in either environment. And I have a try for Get Transaction Info API, but actually get 4040010, Transaction id not found. as return. So I just wanna clear that is there any doc clarify this point that I miss? Looking forward to your response, sincerely!! :)

I'm noticing that when I build for development and switch Apple accounts while the app is running, the device receipt isn't updated even after I call SKReceiptRefreshRequest.start(). The app behaves as expected if I install fresh. Is this a known issue if we're running from Xcode?

Issue Currently I have multiple subscription offers available for yearly/monthly subscriptions. Each of the subscription offers have multiple different custom codes available. When the customer buys a subscription and the receipt is being handled in the backend, I need to know which of the custom codes was used. What I have tried When i call the https://buy.itunes.apple.com/verifyReceipt I get the values offer_code_ref_name and promotional_offer_id. The offer_code_ref_name is the subscription offer name AND NOT the custom code. I tried to get more info using the https://api.storekit.itunes.apple.com/inApps/v1/subscriptions/{transactionId} request, but it does not give me any info about the custom code used either. I do however see which custom code has been used if I go to Sales and Trends > Sales and Trends Reports and download Subscritpion Reports. There the offer code can be found ref. as "Promotional Offer ID" my question How can I get which custom code was used when purchasing a renewable subscription using transaction id or transaction Receipt?

Can I delete the file StoreKitTestCertificate.cer if I have a published app that uses StoreKit 2? This is how I was using it earlier to do receipt validation but it's no longer in my released app: #if DEBUG let certificate = "StoreKitTestCertificate" #else let certificate = "AppleIncRootCertificate" #endif Source: https://developer.apple.com/documentation/xcode/setting-up-storekit-testing-in-xcode/ Can I safely delete StoreKitTestCertificate.cer in my next version this file without affecting the released app or TestFlight?

Hi, We offer a premium account IAP for our app. We recently noticed on our proceeds section of App Store Connect that a refund for the IAP had been processed but we didn't receive a notification regarding this and from what I can see there is no way to see who applied for it. This is a problem as we need to be able to switch the premium account off for that account. Can someone help with this please?

Currently, my app validates App Store receipts on the device, so as per this news, I need to make changes to it, But I am unable to make a decision on where I should start, Can anyone please help me out on this? Do I need to make changes in the device receipt validation? If yes, what steps should I take? OR Should I do the receipt validation from the server side? If yes, then what steps to follow to make a receipt validation on the server? Your suggestions will be highly appreciated.

I am trying to calculate apple cut, if users days of paid service is more than a year apple reduces commission to %15. By the docs: If a subscription expires due to a cancellation or billing issue, the days of paid service stop accumulating. If the subscription is renewed within 60 days, the days of paid service resume from the recovery date. So can i assume if original_transaction_id stays the same user not violated 60 days, therefore if i sum all the (expiration_date - purchase_date) with that id, is it a viable result ? Thanks in advance.

I am interested in using sandbox users for my automation, and I want to bypass the UI and execute the automation using the APIs. I have found the APIs to list users, modify users, and clear purchase history, but I am not sure if there is a way to create and delete users programmatically. https://developer.apple.com/documentation/appstoreconnectapi/sandbox_testers Currently, our app calls Apple to get the payment receipt, and then our internal workflows are triggered based on the response received from Apple. Is there a way to bypass UI and achieve the same thing using the backend APIs for sandbox user accounts? I also need some clarification on how to generate the JWT token for authorization purposes. Do I need to regenerate the JWT token every 30 days? Thank you for your time and consideration.

Hello everyone I am testing receipt validation for an app to be submitted to the mac app store. After starting the app a login window popped up and I entered my regular apple id before realising I need to enter an apple id associated with a sandbox account. Now I can't get the login window to show again when starting the app, it seems as I am permanently (or temporarily?) logged into the sandbox account on the mac. How can I log out from the sandbox account? Is it even possible? Does the account time out after a while so that I just need to wait?

DESCRIPTION OF PROBLEM We have integrated App store server notifications API to receive in-app-purchase transactions. When we are testing in Sandbox mode, we have faced some issue. We tested auto-renewable subscriptions in the application, App store server notifications received two times at the same time with the same transaction ID. In our mobile, We did not disable the "Allow purchases and renewals" option in sandbox account , but in server API it throws renewal failure notification and in few minutes renewal success notification coming 3)We have set 5 minutes interval for transactions in my sandbox account. Some time notifications coming on time, but some time it is delayed. Will this be happen in production also? Any proper way to test this? For failed transactions, transaction ID becomes same as previously succeeded transaction ID. How failed transaction Id is being generated actually? STEPS TO REPRODUCE Implement App store server notification API listener in Node JS Create sandbox account in app store and purchase a Auto renewable subscription from iOS device Expected Result App store server notification should come on time Duplicate transaction ID should not come on auto renewal subscription XCODE version - 14.3