Post not yet marked as solved
I have started implementing support for the new App Store Server notifications (version 2):
https://developer.apple.com/documentation/appstoreservernotifications/receiving_app_store_server_notifications
I am not sure how to prevent a possible man-in-the-middle attack when using those notifications. The decoded header that I get for notifications in the Sandbox environment is missing the "kid" field that is used to identify the key used to generate a signature.
Yes, I understand that the whole entire certificate chain is available in the "x5c" field and it could be verified by itself. However, this does not guarantee that a notification was signed by Apple.
This approach (with no specific key, with a certificate chain in x5c) works fine when verifying a receipt on device with StoreKit 2 but it does not work when getting a notification on a server.
Post not yet marked as solved
I have implemented in-App purchases and "App Store Server Notifications" on my app and received the following response on my endpoint.
App Store Server Notification Response - https://developer.apple.com/forums/content/attachment/ee18d81f-09d0-4f5f-8720-063f6e8c49b3
However, is there a custom pass-through parameter that I can receive with my notifications/successful purchases?
For instance, I want to pass the userId when the user makes a payment so I know which user is associated with each payment.
In short, is there a parameter that I can customize to pass information for iOS payments?
Can't find any information about original_transaction_id in Family Sharing. Can anyone say whether original_transaction_id will be one for all members who get a subscription with Family Sharing, or whether original_transaction_id will be unique for all users?
I need to determine all members from all Family Sharing to give them the ability to use the same data.
Post not yet marked as solved
Hello,
I have two plans for my IAP subscription (auto renew). They are both $3.99 at the moment. They are in the same group. I'm going to change the prices after I figure this out so they're not the same. But I shouldn't have this error.
If I sign up (in the sandbox) with the "normal" plan, it's great. Then I change my plan to the "Pro" plan using the popup like this:
AppStore.showManageSubscriptions(in: windowScene as! UIWindowScene)
Then I get the status of the plan like with a request to the apple server api:
${appleApiUrl}/inApps/v1/subscriptions/${user.originalTransactionId}
And everything is great, it shows "Pro" plan as the last transaction.
But then if I open the dialog again and switch back to the "normal" plan, when I call the apple server api it just shows the last transaction is the pro plan. So I can't detect that somebody switched back. It's unlikely to happen, but definitely could. Please fix! Thank you!
Post not yet marked as solved
Transaction info from JWSTransactionDecodedPayload.
Which fields are optional and which fields always appear?
When do optional fields appear?
EXAMPLE: does revocationDate appear always or only for a REFUND notification?
Post not yet marked as solved
I want to understand how to handle CANCEL notification type, I noticed that I get 3 CANCEL notifications one after the other, it sounds like the user gets a refund for 3 different transactions, am I wrong?
When I look at the receipt I see also the cancellation date ms field in 3 latest transactions in the latest receipt info, does it mean the user gets 3 refunds for 3 transactions?
(the cancellation date is the same cancellation date for all the 3 transactions)
This is what I got; as you see, the cancellation date is the same. Does it mean a full refund for every transaction in the following?
"cancellation_date_ms": 1650188985000,
"cancellation_reason": "0",
"expires_date_ms": 1650732253000,
"in_app_ownership_type": 2,
"original_purchase_date_ms": 1640606326000,
"product_id": "com.neocortext.doublicatapp.subscription.weekly.new",
"purchase_date_ms": 1650127453000,
"quantity": 1,
"subscription_group_identifier": "20843276",
"transaction_id": "170001301196587",
"original_transaction_id": "170001205648289",
"web_order_line_item_id": "170000572783810"
},
{
"cancellation_date_ms": 1650188985000,
"cancellation_reason": "0",
"expires_date_ms": 1650127453000,
"in_app_ownership_type": 2,
"original_purchase_date_ms": 1640606326000,
"product_id": "com.neocortext.doublicatapp.subscription.weekly.new",
"purchase_date_ms": 1649522653000,
"quantity": 1,
"subscription_group_identifier": "20843276",
"transaction_id": "170001295106872",
"original_transaction_id": "170001205648289",
"web_order_line_item_id": "170000569655974"
},
{
"cancellation_date_ms": 1650188985000,
"cancellation_reason": "0",
"expires_date_ms": 1649522653000,
"in_app_ownership_type": 2,
"original_purchase_date_ms": 1640606326000,
"product_id": "com.neocortext.doublicatapp.subscription.weekly.new",
"purchase_date_ms": 1648917853000,
"quantity": 1,
"subscription_group_identifier": "20843276",
"transaction_id": "170001289230515",
"original_transaction_id": "170001205648289",
"web_order_line_item_id": "170000544361015"
},
Post not yet marked as solved
Hi,
I am trying to figure out the following statement in Apple documentation:
If a subscription expires due to a cancellation or billing issue, the days of paid service stop accumulating. If the subscription is renewed within 60 days, the days of paid service resume from the recovery date.
Let's say the user subscribes to product X in subscription group X, then the expiry date is exceeded. After 10 days, the user subscribes to product Y in subscription group X. Do the days of paid service continue accumulating, or will the days of paid service be reset to 0?
Post not yet marked as solved
Currently, I work with CKSubscription and remote notifications. I have a question concerning the application(_:didReceiveRemoteNotification:fetchCompletionHandler:) method. In Apple's documentation we can read:
As soon as you finish processing the notification, you must call the block in the handler parameter or your app will be terminated. Your app has up to 30 seconds of wall-clock time to process the notification and call the specified completion handler block. In practice, you should call the handler block as soon as you are done processing the notification.
Source: https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623013-application
The method works correctly. My app "wakes up" when it gets a notification (to observe that, I use option + command + escape). Do I understand correctly that when I call the handler block, the app should close immediately? My app closes after 30 seconds, even if I put only completionHandler(...) in this method. I ask because in the documentation we can read:
Your app has UP to 30 seconds
Thank you in advance.
Post not yet marked as solved
Is there any real example of app store signed transaction or signed notification? I can find decoded form for transaction info or notification payload but not real signed example.
There are some decoded examples - https://qonversion.io/blog/apples-2021-updates-to-managing-in-app-purchases-from-the-server but I want some real token with header alg and x5c. I would like to test my backend implementation during development. My goal is to receive App Store Server Notifications v2 and update my data.
Development of in-app purchases is planned.
It's difficult to use StoreKit v2 because the app I'm developing supports iOS 12.
So I have to use StoreKit v1.
Can I use App Store Server Notifications v2 with StoreKit v1?
Post not yet marked as solved
Hi,
I am trying to figure out the following statement in Apple documentation:
If a subscription expires due to a cancellation or billing issue, the days of paid service stop accumulating. If the subscription is renewed within 60 days, the days of paid service resume from the recovery date.
Let's say the user received a Refund and after 10 days subscribes to the same auto-renewable product, will the days of paid service stop accumulating?
After receiving a DID_CHANGE_RENEWAL_STATUS notification with auto_renew_status = 0 and the expiry date is exceeded (means that the subscription is churned) and then after 10 days the user subscribes to the same auto-renewable product, will the days of paid service stop accumulating?
If for those cases the days of paid service continue accumulating, will it be also applied for subscribing to another product from the same subscription group?
Thanks!!!
Post not yet marked as solved
We are moving to Apple server notifications V2. But I don't understand how to determine what type of intro offer is used now.
We have the offerType field with value 1, which means that the user is in an intro offer. But what type of intro offer is used?
In V1 we can do it with the fields isTrialPeriod and isIntroOfferPeriod. But in V2 I can't find anything like this.
Post not yet marked as solved
For a new app, I have configured my server and the app in App Store Connect according to the official documentation:
https://developer.apple.com/documentation/appstoreservernotifications/enabling_app_store_server_notifications
https://help.apple.com/app-store-connect/#/dev0067a330b
However, for some reason I am not receiving any notifications at all, although I have created several subscriptions, up-/downgraded, cancelled, resubscribed, switched auto-renew on and off, and so on. I also have access logs and even there I don't see any call from Apple.
A simple test using curl, however, does work as expected:
$ curl -v 'https://MY_HOST/apple-s2s/app-store/sandbox' --data-binary '{}' --header 'content-type: application/json'
* Trying my...ip:443...
* Connected to MY_HOST (my...ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=MY_HOST
* start date: Nov 16 19:10:49 2021 GMT
* expire date: Feb 14 19:10:48 2022 GMT
* subjectAltName: host "MY_HOST" matched cert's "MY_HOST"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55dc1f20eb10)
> POST /apple-s2s/app-store/sandbox HTTP/2
> Host: MY_HOST
> user-agent: curl/7.74.0
> accept: */*
> content-type: application/json
> content-length: 2
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: application/json
< date: Tue, 23 Nov 2021 19:41:35 GMT
< server: nginx/1.21.0
< content-length: 2
<
* Connection #0 to host MY_HOST left intact
{}
There is also nothing from within the App Store Connect where I could see that something went wrong, whether Apple actually tried to connect at all or whether I am missing to configure anything else. No feedback at all here, very sad.
Post not yet marked as solved
Hi,
I want to implement in-app purchase for my app. On our server, we set it up to be able to receive HTTPS requests. And if I call from Postman, it is able to respond and the server will log some data. However, when I subscribe and cancel the subscription from the iOS app using a sandbox user, the server never receives any update although I already set up the URL in Sandbox Server URL.
Is there any way that I could check whether Apple has sent out the notification so that I know where the problem happens?
Hello,
My aps-environment entitlement is set to development in my app.entitlements file.
However when I build my application as an archive (to generate an .ipa file), the aps-environment entitlement is automatically modified to production by Xcode because it uses a Distribution provisioning profile. I read in APS Environment Entitlement documentation that this default behaviour can be changed :
But I didn't find a way to do it. Is it possible to change (force) this aps-environment to development even for a distribution build ?
Indeed I don't want it to be production as the .ipa is for test purpose only (it is not the Store build).
Thank you very much for your help,
Post not yet marked as solved
I am learning about SwiftUI.
I want my app to be able to send and receive a small amount of data to another app on another device. That device will include Android as well as Apple. Since I am new to SwiftUI and iPhone app development, I am not sure what to use to accomplish this.
I thought that notifications would work well because the client app doesn't need to be in a run state or even in the foreground. However I decided I want to work cross-platform. I looked into Firebase but still have a lot of research to do.
What can I use to send and receive data across platforms?
When a user first subscribes, they do it through our app. Sometimes they cancel, let the subscription expire, then later decide to resubscribe. If they resubscribe through our app, we just fulfill it like it is a new purchase. However, if they resubscribe outside of our app, the only way for us to know about it (and grant access to content) is to subscribe to the App Store Server Notifications.
What are the specific App Store Server Notification messages we will receive in this situation and what are the values in the message that we need to look for? How can we tell, just from looking at the App Store Server Notification, if the user resubscribed through our app or outside of our app?
Post not yet marked as solved
This time, when I transferred the app to another company (AppTransfer), the push notification did not fly after that.
It doesn't go away even after restarting the app, and it seems that no new tokens have been issued. (I don't know if this is due to Firebase or Apple)
The AuthKey seems to be correct because the device that newly installed the app has received the notification.
Firebase is used for push notifications, and the replacement of the AuthKey of the new company account has been completed.
Firebase is returning a "Not Registered" response, probably an APNs response "Unregistered".
So, the question is,
(1) Will all tokens become invalid after transferring the app?
(2) Will tokens that have become Unregistered be revived? Is there anything we can do after replacing the certificate?
(3) If this event is not due to AppTransfer, I would like some other advice that we should investigate.
Thank you for reading this far.
We are developing a system which receives the App Store Server Notifications.
https://developer.apple.com/documentation/appstoreservernotifications
We need a way to test this system by producing the notification, especially the REFUND notification type.
Is there any way?
Maybe there is no choice but to actually refund by requesting from reportaproblem.apple.com?
https://support.apple.com/en-us/HT204084
I think this request is manually handled by an Apple support operator and takes a long time.
So, we would be happy if there is a simple way to produce a REFUND server notification for testing.
Post not yet marked as solved
We are developing a mobile app with in-app purchases. We plan to offer one-time purchases and subscriptions. In order to support multiple platforms (iOS and others) we plan to track subscriptions via server-to-server notifications and update client licenses accordingly.
Now we are struggling to match server notifications to receipts in the database. We have to support iOS14, so we can't use the appAccountToken field.
We have the following questions:
Is original_transaction_id unique
a) globally (across all App Store user accounts)?
b) in the context of a user account?
c) in the context of a subscription group?
Is original_transaction_id + subscription_group_identifier unique
a) globally (across all App Store user accounts)?
b) in the context of a user account?
Can an original_transaction_id change?
If an original_transaction_id changed, how can I reference the INITIAL_BUY receipt?
Thank you for your help!