Best practices: ensuring server-side that the AppReceipt sent up by a client belongs to the client

Hi, all!

I have an AppStore Server-side question. User sends up an AppReceipt that I am validating. What's the best way to tell the receipt belongs to said user? I want to make sure that the source of the AppReceipt was actually the original purchaser of the item. Is fetching Transaction + AppAccountToken the only way? AppAccountToken can only be utilized if the original purchase used it, and it is associated with the user's data. Is there another way?

Best practices: ensuring server-side that the AppReceipt sent up by a client belongs to the client
 
 
Q