Receipt validation

The Receipt validation page explains how Unity IAP handles purchase receipts, their structure, and the secure transaction verification methods to prevent fraud.

A purchase receipt is a secure, digital record from an app store that serves as proof of a successful transaction. After a user completes a purchase, your application receives this receipt.

Unity IAP provides a unified receipt structure, which includes a store-specific payload with detailed transaction data. After receiving a receipt, you should verify its authenticity to prevent fraud. This process is known as transaction verification.

Receipt structure

Unity IAP formats the receipt into a JSON object with a consistent structure across different stores.

The following are the key fields:

KeyValue
StoreThe name of the store where the purchase occured, such as GooglePlay or AppleAppStore.
TransactionIDThe unique identifier for this transaction, provided by the store.
PayloadThe raw, store-specific receipt data. This is the most important field, as it contains the information you need for transaction verification.

Transaction verification

Transaction verification is critical to prevent users from accessing content they haven't legitimately purchased. Without it, you can't reliably trust that a purchase is legitimate.

Verification protects your application from the following common forms of fraud:

  • Forged receipts: A malicious user could attempt to create a fake receipt to unlock content without paying.
  • Replay attacks: A user could try to reuse a single, valid receipt for multiple accounts or to claim the same non-consumable item repeatedly.

By verifying the receipt with the original app store, you can confirm that the transaction is authentic and associated with the correct user and product before granting access to content.

Validation methods

You can validate a receipt either on the user's device (local validation) or on a secure server you control (remote validation).

  • Local validation

    • Perform validation directly on the device.
    • Suitable for content included in your application (such as unlocking a character or enabling a feature).

    • Important: Local validation is less secure because a malicious user can more easily tamper with code on their own device to bypass the check.

  • Remote (server-side) validation

    • Recommended for all transactions, and essential for server-delivered content such as granting virtual currency or downloadable items.
    • Your app sends the receipt Payload to your backend server.
    • Your server securely communicates with the app store's verification service (for example, Apple or Google) to confirm the receipt's authenticity before releasing content.

    Note: Unity IAP doesn't provide a built-in remote validation service, but you can implement your own or use third-party solutions.

    • Google: Use the receipt Payload for server-side validation.
    • Apple: Traditionally, the receipt Payload was used for validation, but this method is now deprecated by Apple. However, Payload is still required for StoreKit 1 and must be retained for now.
    • Apple (new method): For new implementations, use OrderInfo.Apple.jwsRepresentation for server-side validation.
Unity logo Documentation
Copyright © 2025 Unity Technologies
"Unity", Unity logos, and other Unity trademarks are trademarks or registered trademarks of Unity Technologies or its affiliates in the U.S. and elsewhere (more info here). Other names or brands are trademarks of their respective owners.