Receipt validation

Verify the authenticity of purchase receipts to prevent fraud and ensure secure transactions.

Read time 2 minutes

Last updated 15 hours ago

A purchase receipt is a secure, digital record from an app store that serves as proof of a successful transaction. When a user completes a purchase, your application receives this receipt. Unity IAP provides a unified receipt structure, which includes a store-specific payload with detailed transaction data. When you receive a

PendingOrder

from

OnPurchasePending

, you should verify its authenticity to prevent fraud. This process is known as transaction verification.

Receipt structure

Unity IAP formats the receipt into a JSON object with a consistent structure across different stores. The following are the key fields:

Key	Value
`Store`	The name of the store where the purchase occurred, such as `GooglePlay` or `AppleAppStore` .
`TransactionID`	The unique identifier for this transaction, provided by the store.
`Payload`	The raw, store-specific receipt data. This is the most important field, as it contains the information you need for transaction verification.

Transaction verification

Transaction verification ensures that purchases are legitimate. This ensures users can only access content they have actually purchased. Verification protects your application from the following common types of fraud:

Forged receipts: A malicious user could attempt to create a fake receipt to unlock content without paying.
Replay attacks: A user could try to reuse a single, valid receipt for multiple accounts or to claim the same non-consumable item repeatedly.

By verifying the receipt with the original app store, you can confirm that the transaction is authentic and associated with the correct user and product before granting access to content.

Validation methods

You can validate a receipt either on the user's device (local validation) or on a secure server you control (remote validation).

Local validation
- Perform validation directly on the device.
- Suitable for content included in your application (such as unlocking a character or enabling a feature).
- Important
  Local validation is less secure because a malicious user can more easily tamper with code on their own device to bypass the check.
- Note
  Local validation is done automatically by StoreKit 2.
Remote (server-side) validation
- Recommended for all transactions, and essential for server-delivered content such as granting virtual currency or downloadable items.
- Your app sends the receipt
```
Payload
```
  to your backend server.
- Your server securely communicates with the app store's verification service (for example, Apple or Google) to confirm the receipt's authenticity before releasing content.
Note
Unity IAP doesn't provide a built-in remote validation service, but you can implement your own or use third-party solutions.

Google: Use the receipt
Payload
for server-side validation.

Apple: Traditionally, the receipt
Payload
was used for validation, but this method is now deprecated by Apple. However,
Payload
is still required for StoreKit 1 and must be retained for now.

Apple (new method): For new implementations, use
OrderInfo.Apple.jwsRepresentation
for server-side validation.

Note

Move from StoreKit 1 receipts to StoreKit 2 jwsRepresentation as soon as possible to improve reliability, security, performance, and ultimately deliver a better experience for your users.

Note

Use OrderInfo.Apple.jwsRepresentation for server-side validation.

Documentation

Engine

Services

Grow

Industry

Support

In-App Purchasing

In-App Purchasing

Receipt validation

Receipt structure

Key

Value

Transaction verification

Validation methods