Receipts and Validation

A purchase receipt is a secure, digital record from an app store that serves as proof of a successful transaction. After a user completes a purchase, your application receives this receipt.

The receipt consists of a unified structure provided by Unity IAP and a store-specific payload containing the detailed transaction data. After receiving a receipt, you should verify its authenticity to prevent fraud. This process is known as transaction verification.

The Purchase Receipt Structure

Unity IAP formats the receipt into a JSON object with a consistent structure, making it easier to handle data from different stores.

The following are the key fields:

Key            Value
Store          The name of the store where the purchase occurred, such as GooglePlay or AppleAppStore.
TransactionID  The unique identifier for this transaction, provided by the store.
Payload        The raw, store-specific receipt data. This is the most important field, as it contains the information you need for transaction verification.

Transaction verification

Transaction verification is a critical security measure to prevent users from accessing content they have not legitimately purchased. Without it, you cannot reliably trust that a purchase is legitimate.

Verification protects your application from common forms of fraud, such as:

  • Forged receipts: A malicious user could attempt to create a fake receipt to unlock content without paying.
  • Replay attacks: A user could try to reuse a single, valid receipt for multiple accounts or to claim the same non-consumable item repeatedly.

By verifying the receipt with the original app store, you confirm that the transaction is authentic and associated with the correct user and product before granting content.

Points of validation

You can validate a receipt either on the user's device (local validation) or on a secure server you control (remote validation).

  • Local validation: For content that is already included in your application (such as unlocking a character or enabling a feature), you can perform validation directly on the device.

Important: Local validation is less secure because a malicious user can more easily tamper with code on their own device to bypass the check.

  • Remote (server-side) validation: This is the recommended best practice for all transactions, and it is essential for content that is delivered from a server (such as granting virtual currency or downloadable items). In this model, your application sends the receipt Payload to your backend server. Your server then securely communicates with the app store's verification service (for example, Apple or Google) to confirm the receipt's authenticity before releasing the content. While Unity IAP does not provide a built-in remote validation service, you can implement your own or use third-party libraries.
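The remote-validation flow above, as an added example that is not Unity IAP code or documentation: a Python backend routine that parses the unified receipt (Store, TransactionID, Payload), rejects malformed or unknown-store receipts, refuses a TransactionID that has already been redeemed (the replay case), and only then asks the store to confirm the Payload (the forged-receipt case). The store round trip is a hypothetical verify_with_store hook you would implement against Apple's or Google's service; the sample receipts and the simulated store in demo() are constructed.

```python
import json

# Store names as they appear in the unified receipt's Store field (see the table above).
KNOWN_STORES = {"GooglePlay", "AppleAppStore"}

def parse_unified_receipt(receipt_json: str) -> dict:
    """Parse the Unity IAP unified receipt and require its three key fields."""
    try:
        receipt = json.loads(receipt_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"receipt is not valid JSON: {exc}") from None
    if not isinstance(receipt, dict):
        raise ValueError("receipt must be a JSON object")
    for key in ("Store", "TransactionID", "Payload"):
        if not isinstance(receipt.get(key), str) or not receipt[key]:
            raise ValueError(f"missing or empty field: {key}")
    if receipt["Store"] not in KNOWN_STORES:
        raise ValueError(f"unrecognised store: {receipt['Store']}")
    return receipt

class RedemptionLedger:
    """Server-side record of which (Store, TransactionID) pairs have already been granted."""

    def __init__(self):
        self._granted = {}  # (Store, TransactionID) -> account_id that received the content

    def grant(self, receipt: dict, account_id: str, verify_with_store) -> dict:
        """Grant only if the transaction is unused and the store confirms the Payload.
        verify_with_store(store, payload) -> bool is a hypothetical hook for the call your
        backend makes to the store's own verification service; it is not a Unity IAP API.
        """
        key = (receipt["Store"], receipt["TransactionID"])
        owner = self._granted.get(key)
        if owner is not None:  # replay: already redeemed by this or another account
            reason = "already_redeemed" if owner == account_id else "replayed_from_other_account"
            return {"granted": False, "reason": reason}
        if not verify_with_store(receipt["Store"], receipt["Payload"]):
            return {"granted": False, "reason": "store_rejected"}  # forged or tampered payload
        self._granted[key] = account_id
        return {"granted": True, "reason": None}

def demo() -> list:
    """Genuine, forged and replayed receipts through the ledger (constructed sample data)."""
    genuine_payloads = {"gp-payload-001"}  # what the simulated store would confirm
    def fake_store(store, payload): return payload in genuine_payloads
    ledger = RedemptionLedger()
    real = parse_unified_receipt('{"Store":"GooglePlay","TransactionID":"GPA.0001","Payload":"gp-payload-001"}')
    forged = parse_unified_receipt('{"Store":"GooglePlay","TransactionID":"GPA.9999","Payload":"made-up"}')
    return [ledger.grant(real, "alice", fake_store), ledger.grant(forged, "mallory", fake_store),
            ledger.grant(real, "mallory", fake_store), ledger.grant(real, "alice", fake_store)]
```

Persist the ledger in your database keyed on (Store, TransactionID) so the replay check survives restarts and holds across backend instances.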