i m integrate App Store Server Notifications for External Purchase Server API The documentation says: For external purchase tokens that are unreported after 10 days, Apple sends a server notification to your server https://developer.apple.com/documentation/externalpurchaseserverapi#Receive-notifications-for-unreported-tokens I have a doubt. After I'm generating an external purchase token (sandbox), apple notify me 4 times in next 2-3h, even they say, they will notify me after 10 days for unreported tokens. Mention: Response for notification call was 200 token_create: 13:18 notification_1: 13:58 notification_2: 14:38 notification_3: 15:08 notificaiton_4: 15:38 "notificationType": "EXTERNAL_PURCHASE_TOKEN", "subtype": "UNREPORTED", I have no clue what's happening

We are currently performing maintenance and operation on our app. I would like to ask a question about Apple's purchase processing. When retrieving purchase information for a user who has multiple original transaction IDs, such as original transaction ID AAA and original transaction ID BBB, if "Get All Subscription Statues" is executed with BBB as an argument, is it possible that purchase information for original transaction ID "AAA" will be retrieved? If this kind of issue does occur, please share the conditions under which it occurs.

Hello everyone, I’m hoping someone might help with auto-renewable subscription validation in Apple’s Sandbox environment. Here’s the situation: My Setup: I’ve configured three auto-renewable subscriptions in App Store Connect and generated an In-App Purchase key (with the correct Issuer ID and Key ID). (I also tried the App Store Connect API Keys) I’m using Apple’s App Store Server API v2 endpoints (GET /inApps/v2/subscriptions/{originalTransactionId}/latest) to fetch the latest subscription status. I’ve created several Sandbox test users (with fresh email addresses), signed out of old test accounts on my devices, and tested purchasing subscriptions anew. What Works: I am receiving valid Server Notifications from Apple (e.g. SUBSCRIBED, DID_RENEW) with the correct environment: "Sandbox" field. My JWT generation appears to be correct because I’m no longer receiving 401 errors—only 404. That suggests Apple accepts the key and credentials. My fallback logic attempts production first; if it sees a 404 or 410, it switches over to the Sandbox endpoint. This is exactly what Apple’s documentation recommends. The Problem: Whenever I query GET https://api.storekit-sandbox.itunes.apple.com/inApps/v2/subscriptions/{originalTransactionId}/latest using the originalTransactionId from Apple’s own Server Notification, Apple returns a 404 (indicating it can’t find that subscription). This happens even though the subscription is active in Sandbox (I see notifications arriving for it). I’ve tried adding a brief waiting period (2 seconds) before calling the Sandbox endpoint, but it consistently returns 404. I’ve also tried multiple retries over a longer timeframe without success. I tested multiple fresh Sandbox test users, ensuring each one was signed in to the device’s App Store. After each new purchase, I still get the same 404. Additional Checks: These are definitely auto-renewable subscriptions, not non-renewing or consumable products. I also tried calling GET /inApps/v2/subscriptions/{transactionId}/latest but I still see 404. I tried everything mentioned above in production as I said to no avail: GET https://api.storekit.itunes.apple.com/inApps/v2/subscriptions/{originalTransactionId}/latest

Hi, all! I am wondering about something about App Receipts. I'm using App Receipt hash to key some information server-side. I'm curious however, if that doesn't actually have a possible flaw. Is it possible to get a new receipt that would yield a different hash for the same transaction? Reinstalling the app, perhaps? Installing the app on a new phone? Basically, I want to make sure this hash is something I can rely on. If the user can get a new hash for the same purchase, that's obviously problematic. Thanks!

Hi, all! I have an AppStore Server-side question. User sends up an AppReceipt that I am validating. What's the best way to tell the receipt belongs to said user? I want to make sure that the source of the AppReceipt was actually the original purchaser of the item. Is fetching Transaction + AppAccountToken the only way? AppAccountToken can only be utilized if the original purchase used it, and it is associated with the user's data. Is there another way?

If you are experiencing an unexpected or inconsistent behavior when using the App Store Server Library, review the following resources to ensure that your implementation workflow didn’t cause the issue: Simplifying your implementation by using the App Store Server Library Explore App Store server APIs for In-App Purchase Meet the App Store Server Library If you are unable to resolve your issue using the above resources, file a GitHub issue. Alternatively, if you wish to provide specific requests, transactions, or other private information for review, submit a Feedback Assistant report with the following information: The bundleId or appAppleId of your app The date and time your issue occurred The library language(s) The version of the library The environment (i.e., Production, Sandbox, or Xcode) The GitHub issue for this report if available The endpoint(s) reproducing your issue The HTTP body and headers of the endpoint raw request The HTTP body and headers of the endpoint response To submit the report, perform these steps: Log into Feedback Assistant. Click on the Compose icon to create a new report. Select the Developer Tools & Resources topic. In the sheet that appears: Enter a title for your report. Select “App Store Server Library” from the “Which area are you seeing an issue with?” pop-up menu. Select “Incorrect/Unexpected Behavior” from the “What type of feedback are you reporting?” pop-up menu. Enter a description of your issue and how to reproduce it. Add the information gathered above to the sheet. Submit your report. After filing your report, please respond in your existing Developer Forums post with the Feedback Assistant ID. Use your Feedback Assistant ID to check for updates or resolutions. For more information, see Understanding feedback status.

Payment completed with error: Error Domain=ASDErrorDomain Code=500 "(null)" UserInfo={client-environment-type=Sandbox, storefront-country-code=USA, NSUnderlyingError=0x2828a5950 {Error Domain=AMSErrorDomain Code=305 "Purchase Failed" UserInfo={NSLocalizedDescription=Purchase Failed, AMSURL=https://sandbox.itunes.apple.com/WebObjects/MZBuy.woa/wa/inAppBuy?guid=00008030-000164513691402E, AMSStatusCode=200, AMSServerPayload={ "cancel-purchase-batch" = 1; customerMessage = "Bad Gateway_message"; failureType = ""; "m-allowed" = 0; pings = ( ); }, NSLocalizedFailureReason=Server canceled the purchase}}}

To receive server notifications from the App Store, follow the instructions in Enabling App Store Server Notifications. If your server doesn’t receive any notifications, check your server logs for any incoming web request issues, and confirm that your server supports the Transport Layer Security (TLS) 1.2 protocol or later. If you implement version 2 of App Store Server Notifications, call the Get Notification History endpoint. If there is an issue sending a notification, the endpoint returns the error the App Store received from your server. If your issue persists, submit a Feedback Assistant report with the following information: The bundleId or appAppleId of your app The date and time your issue occurred The raw HTTP body of your notification The affected transactionId(s) if applicable The version of App Store Server Notifications (i.e., Version 1 or Version 2) The environment (i.e., Production or Sandbox) To submit the report, perform these steps: Log into Feedback Assistant. Click on the Compose icon to create a new report. Select the Developer Tools & Resources topic. In the sheet that appears: Enter a title for your report. Select “App Store Server Notifications” from the “Which area are you seeing an issue with?” pop-up menu. Select “Incorrect/Unexpected Behavior” from the “What type of feedback are you reporting?” pop-up menu. Enter a description of your issue. Add the information gathered above to the sheet. Submit your report. After filing your report, please respond in your existing Developer Forums post with the Feedback Assistant ID. Use your Feedback Assistant ID to check for updates or resolutions. For more information, see Understanding feedback status.

A user made an in-app purchase on December 15th at around 4:00 PM Japan Standard Time (JST). However, the confirmation email sent after the purchase shows the receipt date as December 14th. What could be causing this discrepancy in the date? The app store's primary language is set to English. The server region is singapore.

Hello, I would like to draw your attention to the following imperfection. For validating purchases of my paid application Guru Maps Pro, I use the download id. This is a unique ID that can replace the Transaction ID for paid applications. However, with the release of the new AppTransaction API, this field is no longer present in the data. I tried parsing the receipt, but that field is absent there as well. The only way to obtain the download id is to send the receipt to the deprecated /verifyReceipt endpoint. This deprecated status concerns me, because at some point it might stop working. Let me explain a little about why I need this. My users have a guru-account, which they can use both in the web version and on Android. When a user purchases the paid version of the application, they can access the paid features on both web and Android. This works great for in-app purchases, where there is a transaction ID, but it may soon stop working for paid applications because there is no way to determine any ID associated with the purchase. Transaction ID or Download ID – I don't mind which.

So, we've implemented IAP with StoreKit2 e2e for both the client and backend and it's working mostly perfectly, however we have an issue which we can't seem to understand Apple's behavior. So, imagine a purchase that occurred on the 10th of December in the sandbox environment through an install from TestFlight, and this same purchase keeps getting queued in the Transaction.unfinished list for some reason (today, the 17th of December, a whole week after the initial purchase!). Here's the flow: We iterate the list on app launch Send the unfinishedTransaction's transactionId to our servers The server says "hey, we could verify it with Apple but it's not longer active (expired). We can't really work with it so just finish it on your side and don't send it to me again" The client finishes!! the transaction On the very next app launch it keeps reappearing in the Transaction.unfinished queue Are we doing something wrong, why doesn't it get cleaned? Is this an expected behavior? Note, this is generally the server's logic for new purchases: If we weren't able to contact Apple - we tell the client to not finish the transaction so that we'll be able to re-iterate it on the next app launch or retry If the transaction is not expired and valid - we update our records and tell the client to finish the transaction If we couldn't update our records - we tell the client to not finish the transaction so that we'll be able to re-iterate it on the next app launch or retry If the transaction is not valid for some reason - we tell the user to finish the transaction The server might see it as a valid transaction if we'll send the originalTransactionId instead of the 'transactionId(using it to callgetTransactionInfoinAppStoreServerLibrary`), but is this something we want to do? This will obviously not fix the problem because the server tells the client to finish the transaction anyways, but it simply doesn't work. Please, any advice or changes to make to either Client/Server would be greatly appreciated Best Regards, Ofek

I had a standalone python application (created with pyinstaller) which was working perfectly alone. This macOS application was created in VS. I later decided to improve the application by implementing some Swift features (Subscription Manager). This required me to write a brief Swift file (Subscription Management) in XCode which the Python file called on. Python Standalone Application Calling Swift : # Function to check if the user has a valid subscription def check_subscription(): subscription_manager_path = "/Users/isseyyohannes/Library/Developer/Xcode/DerivedData/SubscriptionManager2-ezwjnnjruizvamaesqighyoxljmy/Build/Products/Debug/SubscriptionManager2" # Adjust path try: result = subprocess.run([subscription_manager_path], capture_output=True, text=True, check=True) return "VALID_SUBSCRIPTION" in result.stdout # Return True if valid, False otherwise except subprocess.CalledProcessError as e: print(f"Error checking subscription: {e}") return False # Return False if there's an issue However, when I try to run xcrun altool --validate-app ... I get the following error message. The error reads as follows Running altool at path '/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Frameworks/AppStoreService.framework/Support/altool'... 2025-02-16 11:02:21.089 *** Error: Validation failed for '/Users/isseyyohannes/Desktop/ALGORA Performance.app'. 2025-02-16 11:02:21.089 *** Error: Could not find the main bundle or the Info.plist is missing a CFBundleIdentifier in ‘/Users/isseyyohannes/Desktop/ALGORA Performance.app’. Unable to validate your application. (-21017) { NSLocalizedDescription = "Could not find the main bundle or the Info.plist is missing a CFBundleIdentifier in \U2018/Users/isseyyohannes/Desktop/ALGORA Performance.app\U2019."; NSLocalizedFailureReason = "Unable to validate your application."; I located the Info.plist file which had everything correct (my Bundle ID, etc.) for the python file. I am successfully able to notarize the application, just having issues submitting it. **It is worth noting I currently have a python executable calling on a file written in swift code and created in xcode. I created the python application with the following command on VS. pyinstaller --onefile --noconsole \ --icon="/Users/isseyyohannes/Downloads/E0BWowfbDkzEiEAckjsHAsYMzpdjjttT.icns" \ --codesign-identity "Developer ID Application: Issey Yohannes (GL5BCCW69X)" \ --add-binary="/Users/isseyyohannes/Library/Developer/Xcode/DerivedData/SubscriptionManager2-ezwjnnjruizvamaesqighyoxljmy/Build/Products/Debug/SubscriptionManager2:." \ --osx-bundle-identifier com.algora1 \ /Users/isseyyohannes/Desktop/ALGORA\ Performance.py Note : All steps on Apple Developer site are done (ex. Creating identifier, secret password etc)

I remember when I called Apple Support, they told me that they can only assist with refunds for orders within the last two months.

I have several ObjC based apps in the App Store and used to validate the receipt file inside the app in my code, and then reject it with exit(173) if it's invalid, which did trigger macOS to update the receipt if possible. This isn't working any more in recent macOS versions, where the user is instead just told that the app is damaged, and they need to re-install it manually. Which sucks. So I wanted to update my code. I read about SKReceiptRefreshRequest, which is supposed to re-download and install the receipt file, if I understand it correctly. I implemented the code but now have trouble verifying that it works as intended, and does this in a user friendly way. I found in my tests that macOS now caches the receipt in ~/Library/Caches/com.apple.appstoreagent/fsCachedData and then hardlinks the file into the app. BTW: Sadly, this also requires that the app is located on the startup volume or the system will refuse to install the receipt, which wasn't a requirement in past times. Now, if the receipt is already present in the cache folder, then my code works - the receipt gets re-linked. But what if the cached receipt isn't there, yet? Such as that the user had copied the app from another Mac over to a freshly installed Mac? In the past, when the user then launched the app on the new Mac, he'd be prompted to login to the MAS and if that worked, the receipt would get installed and the app launched. Basically, the question is: What if the receipt validation fails in my app and I request a new receipt, but the user has not yet logged into MAS (e.g. new computer)? To simulate this, I logging out of the MAS and TestFlight, deleting all copies of the app and then run the app that I had copied from another Mac where it was authorized with a valid receipt for that device. If I do this with the old version that uses exit(173), I get these two messages in macOS 15.2: The second one is especially terrible because it shows the translocated path, which the average user surely get quite confused, and then maybe even search in vain for the app in there and get frustrated. But that's out of my hands. Sigh. Now, that was proving that the old method with exit(173) isn't working any more and needs to be changed in my apps. Since I'm still developing (testing) this new behavior, the app is therefore not in the MAS yet - the only way for me to test this is to use TestFlight. However, running a Testflight app copied from another Mac leads to this error: That is not helpful in simulating what would happen if this app was released in the MAS. This won't let me find out what happens if my app is run on a Mac where the receipt fails and I ask it to load it via SKReceiptRefreshRequest and if the user is NOT yet logged into the MAS account for this purchased app of his/hers. That leaves only one option: Release the app with untested code and hope for the best. Contrary to this new behavior, the old method did let me test this easily because I would just use the special App Store tester account with the MAS app, i.e. the built MAS app would, when I launched it locally, request for a login and I'd provide my tester's account. But this isn't available any more, apparently. What a mess.

My question is simple, I do not have much experience in writing swift code, I am only doing it to create a small executable that I can call from my python application which completes Subcription Management. I was hoping someone with more experience could point out my flaws along with giving me tips on how to verify that the check is working for my applicaiton. Any inight is appreciated, thank you. import Foundation import StoreKit class SubscriptionValidator { static func getReceiptURL() -> URL? { guard let appStoreReceiptURL = Bundle.main.appStoreReceiptURL else { print("No receipt found.") return nil } return appStoreReceiptURL } static func validateReceipt() -> Bool { guard let receiptURL = getReceiptURL(), let receiptData = try? Data(contentsOf: receiptURL) else { print("Could not read receipt.") return false } let receiptString = receiptData.base64EncodedString() let validationResult = sendReceiptToApple(receiptString: receiptString) return validationResult } static func sendReceiptToApple(receiptString: String) -> Bool { let isSandbox = Bundle.main.appStoreReceiptURL?.lastPathComponent == "sandboxReceipt" let urlString = isSandbox ? "https://sandbox.itunes.apple.com/verifyReceipt" : "https://buy.itunes.apple.com/verifyReceipt" let url = URL(string: urlString)! let requestData: [String: Any] = [ "receipt-data": receiptString, "password": "0b7f88907b77443997838c72be52f5fc" ] guard let requestBody = try? JSONSerialization.data(withJSONObject: requestData) else { print("Error creating request body.") return false } var request = URLRequest(url: url) request.httpMethod = "POST" request.httpBody = requestBody request.setValue("application/json", forHTTPHeaderField: "Content-Type") let semaphore = DispatchSemaphore(value: 0) var isValid = false let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data, error == nil, let jsonResponse = try? JSONSerialization.jsonObject(with: data) as? [String: Any], let status = jsonResponse["status"] as? Int else { print("Receipt validation failed.") semaphore.signal() return } if status == 0, let receipt = jsonResponse["receipt"] as? [String: Any], let inApp = receipt["in_app"] as? [[String: Any]] { for purchase in inApp { if let expiresDateMS = purchase["expires_date_ms"] as? String, let expiresDate = Double(expiresDateMS) { let expiryDate = Date(timeIntervalSince1970: expiresDate / 1000.0) if expiryDate > Date() { isValid = true } } } } semaphore.signal() } task.resume() semaphore.wait() return isValid } }

I'm using Transaction.environment to determine server behavior. https://developer.apple.com/documentation/storekit/apptransaction/environment https://developer.apple.com/documentation/storekit/appstore/environment I gather this information on the app using StoreKit and then send it to the server: originalTransactionId = transaction.originalID originalTransactionEnvironment = transaction.environment When testing within Xcode, on a simulator, the value sent to the server for originalTransactionEnvironment is Xcode - as expected. When testing on a device using a TestFlight build, the value sent to the server for originalTransactionEnvironment is undefined/nil. I expected it to be Sandbox - and later in production it should be Production. Most importantly, the value sent to the server for originalTransactionId in the TestFlight version is not undefined/nil - it is the value I expected it would be. The transaction was originally for a subscription purchase, if that makes a difference. So the transaction is available, and information like originalID is also available. Why is transaction.environment not available? What is the behavior in production?

We use the Transaction Info API for Apple Pay verification, but due to a surge in player payment requests during major game version updates, we've encountered a large backlog of orders and are unable to process all verifications in time. We're wondering if anyone knows the process for requesting an increase in the QPS limit? QAQ

I am testing the subscription flow in my iOS app. Initially, everything was working fine when following the official StoreKit and sandbox testing documentation. After a successful subscription, the “You’re all set” popup always displayed the environment as “sandbox.” However, after some changes, possibly upgrading macOS to the latest version, upgrading Xcode, or regenerating certificates, I can no longer connect to the sandbox testing environment. The subscription success popup now always shows the environment as “xcode.” By default, the iOS app should run in the sandbox on macOS, so I didn’t set the “Enable App Sandbox” option to “Yes” in the Xcode build settings. When I try enabling it, Xcode throws the following error: “Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.n3J0tr/extracted/Payload/XXXX.app : 0xe8008015 (A valid provisioning profile for this executable was not found.) Please ensure that your app is signed by a valid provisioning profile.” Additionally, if “Enable App Sandbox” is set to “No,” the app installs successfully on a real device, but there is no prompt to trust an untrusted developer certificate, which usually appears for such certificates. I’m not sure if this information will be useful to others, but I’ve been stuck on this issue for a while, and it’s preventing me from moving forward with my work. Any help to resolve this would be greatly appreciated. Thank you!

I am currently using StoreKit2 to set up the in-app purchase subscription flow, and I have already configured the subscription products in App Connect. I created a StoreKit Configuration file in Xcode and used it in the scheme. However, after completing the purchase, the transaction.jsonRepresentation data returns a transactionId of 0. After checking the documentation, I found that I need to disable the StoreKit Configuration and enable Sandbox Testing. But after disabling the StoreKit Configuration, I can't retrieve the real product data using Product.products(for: productIds). I can confirm that the ProductId I provided is real and matches the data configured in App Connect. Could you please help me identify the issue?

Hello, Apple App Store Server API Team! I have one questions about the identifiers provided by Apple App Store Server API. Could you please answer? We are running an iOS App. In our app, the transactionId we get from Apple App Store Server API is called T1. (Example) Q1. Is it correct that other iOS apps cannot get T1 for transactionId from Apple App Store Server API? (I'm wondering if the transactionId is globally unique across apps.) Thank you!