Generate a short-lived JWT using your App Store Connect API key (Key ID, Issuer ID, and private key) with audience 'appstoreconnect-v1' and a short expiry
After the client completes a StoreKit 2 purchase, retrieve the transaction ID from the SKPaymentTransaction or Transaction object and send it to your backend
GET https://api.storekit.itunes.apple.com/inApps/v1/transactions/{transactionId} with the JWT in the Authorization header to receive a signed JWSTransaction
Decode and verify the JWSTransaction using Apple's public key (fetched from https://appleid.apple.com/auth/keys); check the bundleId, productId, and transactionId fields
Use https://api.storekit-sandbox.itunes.apple.com for the sandbox environment; never trust client-supplied receipt data without server-side verification
Known gotchas
The JWSTransaction is signed by Apple — verify the signature chain against Apple's certificates before trusting any field; do not skip signature validation
Sandbox and production use separate base URLs; a sandbox receipt sent to the production endpoint returns an error, requiring an environment check
For legacy receipt-based apps (StoreKit 1), the older /verifyReceipt endpoint is deprecated; migrate to the transaction-ID-based flow
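An added example (not code from this page or from Apple) of the check order behind step 4 and the first two gotchas: pin ES256, verify the signature, and only then compare bundleId, productId, transactionId and environment. It assumes the verification key has already been obtained and validated elsewhere; the function names, the sample values and the throwaway key pair are constructed for the demonstration.

```javascript
// Added example, not Apple's or the page's code. verifyTransaction, signSample
// and all sample values are hypothetical names and constructed data.
const nodeCrypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const parsePart = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const FIELDS = ['bundleId', 'productId', 'transactionId', 'environment'];

// Order matters: pin the algorithm, verify the signature, and only then read
// the payload. Assumption: `publicKey` was obtained from Apple's signing
// material and validated separately; that step is out of scope here.
function verifyTransaction(jws, publicKey, expected) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header;
  try { header = parsePart(h); } catch { return { ok: false, reason: 'malformed' }; }
  // Never let the token pick its own algorithm ("none", HS256, ...).
  if (header?.alg !== 'ES256') return { ok: false, reason: 'bad-alg' };
  const sigOk = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  const tx = parsePart(p);
  // Compare with the transaction the backend requested and its own app config.
  for (const f of FIELDS) {
    if (tx[f] !== expected[f]) return { ok: false, reason: `mismatch:${f}` };
  }
  return { ok: true, tx };
}

// Constructed test material: a throwaway P-256 key stands in for Apple's key.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
function signSample(payload, alg = 'ES256') {
  const input = `${b64u(JSON.stringify({ alg }))}.${b64u(JSON.stringify(payload))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}
const EXPECTED = { bundleId: 'com.example.app', productId: 'pro_monthly',
  transactionId: '2000000000000001', environment: 'Sandbox' };

console.log(verifyTransaction(signSample(EXPECTED), publicKey, EXPECTED).ok);
```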