HomeTechnologyValidate AppStore in-app purchases | receipt verification with JWT PHP 2023 |...

Validate AppStore in-app purchases | receipt verification with JWT PHP 2023 | Part 1

Verify in-app purchase receipt with JWT & PHP | 2023

Validate Appstore in-app purchases: I guess if you are here, you have definitely facing problem with In-app purchase validation. We have implemented these steps yesterday and we face too much trouble finding the exact solution, so here we are with the exact and to the point solution for Apple in-app purchase receipt validation.

Set Up JWT Library Install the Firebase JWT library for PHP. You can use Composer to install it by running the following command in your project directory:

composer require firebase/php-jwt

To prepare JWT token you need: 1. KEY_ID, 2. ISSUER_ID, 3. PRIVATE_KEY p8 file.

To get the KEY_ID, ISSUER_ID, and p8 KEY for authenticating with Apple’s App Store Connect API and generating JSON Web Tokens (JWTs), follow these steps:

1. Log in to App Store Connect: Go to https://appstoreconnect.apple.com/ and log in with your Apple Developer account credentials.

2. Navigate to Users and Access: Click on “Users and Access” in the main menu.

3. Create an API Key:
a. Click on the “Keys” tab in the left-hand sidebar.
b. Click on the “+” button to create a new API Key.
c. Provide a name for the key and select the “Access to Certificates, Identifiers & Profiles” option.
d. Click “Generate” to create the key.

4. Download the p8 Key:
a. After generating the API Key, you’ll be redirected to a page showing your new API Key information.
b. Click the “Download Key” button to download the p8 key file. This file contains your private key, and it’s important to keep it secure.

5. Get KEY_ID and ISSUER_ID:
a. On the API Key information page, you will see the KEY_ID, which is a unique identifier for your API Key.
b. The ISSUER_ID is typically your 10-digit Apple Developer Team ID. You can find this ID in the Membership section of your Apple Developer account.

Keep the p8 key file secure and never share it publicly or expose it in your code repository. You will use the KEY_ID, ISSUER_ID, and the p8 key file to generate JWTs for authentication with the App Store Connect API when making requests.

Now generate JWT Token for API Requests

//Include JWT Library
// Load Composer's autoloader
require 'vendor/autoload.php';

use Firebase\JWT\JWT;

$algo       = 'ES256';
$authKey    = APPLE_KEY_ID; //Apple Store User Key ID
$privateKey = file_get_contents(APPPATH.'third_party/APPLE_PRIVATEKEY.p8');
//Prepare the JWT header
$head = [
    'alg' => $algo,
    'kid' => $authKey,
    'typ' => 'JWT',
// Prepare the JWT payload
$timeStart = time();
$timeExpiry = $timeStart + 60 * 5; //adding 5 minutes OR + 3600000; //adding one hour
$payload = [
    "iss"   => APPLE_ISSUER_ID, //
    "iat"   => $timeStart,
    "exp"   => $timeExpiry,
    "aud"   => "appstoreconnect-v1",
    "bid"   => "YOUR_BUNDLE_ID", //Get Bundle ID from App Store Developer Account
//Generate the JWT
    $jwtToken = JWT::encode($payload, $privateKey, $algo, $authKey);
} catch (\Exception $e) {
    echo "Token error: ' . $e->getMessage();

Q: Where to get “app’s BUNDLE_ID”?

To find your app’s bundle ID in App Store Connect, follow these steps:

1. Sign in to your Apple Developer account at https://appstoreconnect.apple.com/.

2. On the main dashboard, click on “My Apps” in the top-left corner.

3. You will see a list of all your apps. Click on the app for which you want to find the bundle ID.

4. Once you are inside the app’s details page, click on the “App Information” tab in the top navigation.

5. Scroll down the page, and you’ll find a section called “General Information.” The first item in this section is the “Bundle ID.”

The Bundle ID is a unique identifier for your app, and it is used to uniquely identify your app on the Apple App Store and other Apple services. It is usually in the format: “com.yourappname”.

Get Transaction Info:

Now you need to call PHP CURL to Get information about a single transaction.

Production URL: https://api.storekit.itunes.apple.com/inApps/v1/transactions/{transactionId}

Sandbox URL: https://api.storekit-sandbox.itunes.apple.com/inApps/v1/transactions/{transactionId}

Pass your “$jwtToken” as “Authorization: Bearer” to this CURL method to get single transaction Data

$curl = curl_init();
curl_setopt_array($curl, array(
        'Authorization: Bearer '.$jwtToken
$response = curl_exec($curl);

You will get Receipt Data from the App Store after an in-app purchase. The receipt data is usually in base64-encoded format.

In the Next Article, you will learn how you can Decode Receipt Data using JWT Library.

Read Part-2



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Popular

Recent Comments