Verifying in-app purchases

  • Question

  • I'm building a Windows Store app that provides in-app purchases. I do not understand from the available documentation how this works with multiple installations or devices.

    Here is an excerpt from Using receipts to verify purchases:

    In some situations, you may need to verify that a user purchased your app, or has made in-app content purchases. For example, imagine a game that offers downloaded content. If the user who purchased the game content wants to play it on a different Windows 8 device, you need to verify that the user already owns the content.

    Does this mean I have to store the receipt of each purchase and verify it? Verify it when? When the app starts?

    I was under the impression the CurrentApp class provides information about the app and the product licensing and purchases and this info is carried automatically across devices or multiple installations. The market has this info, for each app, associated with the user account, so why is the receipt verification necessary?

    Thank you.

    Microsoft MVP VC++ | www.mariusbancila.ro/blog | www.codexpert.ro

    • Moved by Jonathan S - MSFT Thursday, February 13, 2014 8:11 PM Moved to Building Windows Store apps with C# or VB for development question
    Monday, February 3, 2014 10:00 AM

All replies

  • The CurrentApp will provide the information about the app and licensing on the current system. If you need to verify this on your server then you can request the receipt from the CurrentApp, send that to the server, and validate it before providing information from the server back to the client.


    Tuesday, February 4, 2014 5:30 AM
  • Sorry, but this does not answer my question. I don't have a server. I don't want to keep this info. I want the market to provide me the info about the IAPs. So that if the user bought the IAPs and then re-installs the app or installs it on another device he can continue to use them without re-purchasing. 

    So, the product licensing info provided by the CurrentApp is enough for this? Or do I have to set up a server, store receipts and validate them later? That sounds totally unnecessary to me, but the documentation is not clear at all on this.

    Microsoft MVP VC++ | www.mariusbancila.ro/blog | www.codexpert.ro

    Tuesday, February 4, 2014 8:28 AM
  • If you don't have a server then you don't need to verify anything on your server. That would only apply if your server needs to know if the user has made specific purchases.

    If you just care within your app itself then CurrentApp is all you need.


    Tuesday, February 4, 2014 4:32 PM
  • I found this incredibly confusing too. After re-reading the docs recently, I believe I understand it now. Someone correct me if I'm wrong.

    Marius, your impression is correct. The CurrentApp class gives you everything you need. If I buy an IAP and then go to a different device and install your app I will have rights to the IAP on that device as well.

    The Receipts thing is a way to validate outside the scope of the app whether a user is licensed for something. The only obvious example scenario I can see for this is if you had an additional product or service that your user has a right to once they've bought the IAP, and you need to verify their purchase is legit. Maybe you also have an iOS version of your app and if someone has purchased the Windows Store IAP then you also will give them a unique code to unlock the IAP on iOS. That code would have to come from your server, somewhere, right?

    Unfortunately you can't really trust incoming requests to your server directly from your App because they could easily be spoofed. So what you do is have your App get the Receipt object, send that to your server, then your server sends that to Microsoft which validates its authenticity. Now your server knows for certain that the user legitimately owns the IAP and now you can confidently grant them whatever they may be entitled to.

    This doesn't apply to 99% of us where the IAP only entitles the user to something within the App itself. For that, all you need to do is check CurrentApp.

    • Edited by brs_kurt Tuesday, February 4, 2014 9:27 PM grammar
    Tuesday, February 4, 2014 9:24 PM
  • Right. Receipts are needed to validate purchases outside of the app. This typically occurs if you have a server-side component. The example mentioned in Using receipts to verify purchases is a good one: if you have a game with downloadable content then your game server needs to know who can download that content. The user can use an in-app purchase to buy the content and then the app can pass the receipt to the server so the server can validate the purchase and return the purchased content. Without the receipt then somebody could connect directly to the server and request the content and the server would have no way to know if it was purchased or if the client was being spoofed.


    Thursday, February 6, 2014 9:51 PM
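
The server-side check discussed in this thread, as an added example that is not part of any post above and is not Microsoft's sample code: it verifies the receipt's XML signature before trusting any field in it. Assumptions: the Store signing certificate matching the receipt's CertificateId has already been obtained from Microsoft and is passed in as storeCert, the receipt carries ProductReceipt elements with AppId and ProductId attributes, and the names ReceiptCheck and OwnsProduct are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class ReceiptCheck
{
    // storeCert: the Store signing certificate for this receipt's CertificateId,
    // obtained from Microsoft beforehand (assumption; fetching it is not shown).
    public static bool OwnsProduct(string receiptXml, X509Certificate2 storeCert,
                                   string expectedAppId, string expectedProductId)
    {
        // PreserveWhitespace is required for the digest to match;
        // a null resolver stops external entities from being fetched.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        try { doc.LoadXml(receiptXml); }
        catch (XmlException) { return false; }

        // Exactly one signature, and it must cover the whole document (URI ""),
        // so unsigned elements cannot sit beside a separately signed fragment.
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;

        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)sigs[0]);
        if (signed.SignedInfo.References.Count != 1) return false;
        if (((Reference)signed.SignedInfo.References[0]).Uri != "") return false;

        // verifySignatureOnly = true: the caller pins the certificate, so only
        // the signature itself is checked against that certificate's key.
        if (!signed.CheckSignature(storeCert, true)) return false;

        // Only now are the receipt's fields trustworthy. Match both the app and
        // the product so a receipt issued for another app is not accepted.
        foreach (XmlElement p in doc.GetElementsByTagName("ProductReceipt"))
        {
            if (p.GetAttribute("AppId") == expectedAppId &&
                p.GetAttribute("ProductId") == expectedProductId)
                return true;
        }
        return false;
    }
}
```

A client request that arrives without a receipt, or with one that fails any of these checks, gets the same answer as a user who never bought the product.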