Receipt validation

Understand how Unity IAP handles purchase receipts, their structure, and the secure transaction verification methods to prevent fraud.

A purchase receipt is a secure, digital record from an app store that serves as proof of a successful transaction. When a user completes a purchase, your application receives this receipt.

Unity IAP provides a unified receipt structure, which includes a store-specific payload with detailed transaction data. When you receive a PendingOrder from OnPurchasePending, you should verify its authenticity to prevent fraud. This process is known as transaction verification.

Receipt structure

Unity IAP formats the receipt into a JSON object with a consistent structure across different stores.

The following are the key fields:

KeyValue
StoreThe name of the store where the purchase occurred, such as GooglePlay or AppleAppStore.
TransactionIDThe unique identifier for this transaction, provided by the store.
PayloadThe raw, store-specific receipt data. This is the most important field, as it contains the information you need for transaction verification.

Transaction verification

Transaction verification ensures that purchases are legitimate. This ensures users can only access content they have actually purchased.

Verification protects your application from the following common types of fraud:

  • Forged receipts: A malicious user could attempt to create a fake receipt to unlock content without paying.
  • Replay attacks: A user could try to reuse a single, valid receipt for multiple accounts or to claim the same non-consumable item repeatedly.

By verifying the receipt with the original app store, you can confirm that the transaction is authentic and associated with the correct user and product before granting access to content.

Validation methods

You can validate a receipt either on the user's device (local validation) or on a secure server you control (remote validation).

  • Local validation

    • Perform validation directly on the device.
    • Suitable for content included in your application (such as unlocking a character or enabling a feature).

    • Important: Local validation is less secure because a malicious user can more easily tamper with code on their own device to bypass the check.

    • Note: Local validation is done automatically by StoreKit 2.

  • Remote (server-side) validation

    • Recommended for all transactions, and essential for server-delivered content such as granting virtual currency or downloadable items.
    • Your app sends the receipt Payload to your backend server.
    • Your server securely communicates with the app store's verification service (for example, Apple or Google) to confirm the receipt's authenticity before releasing content.

    Note: Unity IAP doesn't provide a built-in remote validation service, but you can implement your own or use third-party solutions.

    • Google: Use the receipt Payload for server-side validation.
    • Apple: Traditionally, the receipt Payload was used for validation, but this method is now deprecated by Apple. However, Payload is still required for StoreKit 1 and must be retained for now.
    • Apple (new method): For new implementations, use OrderInfo.Apple.jwsRepresentation for server-side validation.

Note: Move from StoreKit 1 receipts to StoreKit 2 jwsRepresentation as soon as possible to improve reliability, security, performance, and ultimately deliver a better experience for your users.

Note: Use OrderInfo.Apple.jwsRepresentation for server-side validation.

Unity logo Documentation
Copyright © 2025 Unity Technologies
"Unity", Unity logos, and other Unity trademarks are trademarks or registered trademarks of Unity Technologies or its affiliates in the U.S. and elsewhere (more info here). Other names or brands are trademarks of their respective owners.