On the game client, obtain the transaction ID and the signed transaction (JWS string) from StoreKit 2 after a successful purchase
On your server, verify the JWS-signed transaction by decoding the JWS and validating the certificate chain carried in its x5c header against Apple's root CA — do not trust unverified client-supplied data
Use the App Store Server API (authenticated with a JWT signed with your App Store Connect API key) to call the Get Transaction History or Get All Subscription Statuses endpoints to retrieve server-authoritative transaction records
Configure App Store Server Notifications V2 by registering your server URL in App Store Connect; Apple will POST signed JWS notification payloads to your endpoint for events such as purchases, renewals, expirations, and refunds
On receiving a notification, decode and verify the outer signedPayload JWS and then the nested signedTransactionInfo and signedRenewalInfo fields to extract event details
Reconcile notification events with your entitlement database, granting or revoking access based on the transaction type and the inAppOwnershipType field
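The server-side verification described in the steps above, written out as an added example (not Apple's library code and not from the original page). It is Go using only the standard library. Because a real Apple-signed token and Apple's root CA cannot be embedded here, NewTestChain constructs a throwaway root -> intermediate -> leaf chain that stands in for Apple's; VerifyJWS pins the root and refuses anything whose x5c chain does not validate to it, and VerifyNotification verifies the outer signedPayload and then the nested signedTransactionInfo as two independent checks. The transaction id and claim values are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain is a constructed stand-in for Apple's signing chain: DER certs in x5c order (leaf,
// intermediate, root), the leaf's private key, and a pool holding only the root the server trusts.
type Chain struct {
	LeafKey *ecdsa.PrivateKey
	Certs   [][]byte
	Roots   *x509.CertPool
}

// NewTestChain generates a throwaway root -> intermediate -> leaf chain for this example only.
// A production verifier pins Apple's published root CA; it never trusts a root taken from the token.
func NewTestChain() *Chain {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	}
	root := tmpl(1, "Example Root CA", true)
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	rootCert, _ := x509.ParseCertificate(rootDER)
	interDER, _ := x509.CreateCertificate(rand.Reader, tmpl(2, "Example Intermediate CA", true), rootCert, &interKey.PublicKey, rootKey)
	interCert, _ := x509.ParseCertificate(interDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, tmpl(3, "Example Signing Leaf", false), interCert, &leafKey.PublicKey, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	return &Chain{LeafKey: leafKey, Certs: [][]byte{leafDER, interDER, rootDER}, Roots: roots}
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWS builds a compact ES256 JWS with the chain in x5c, the shape of Apple's signed fields.
func SignJWS(claims map[string]any, c *Chain) string {
	x5c := make([]string, len(c.Certs))
	for i, der := range c.Certs {
		x5c[i] = base64.StdEncoding.EncodeToString(der) // x5c uses standard base64 (RFC 7515)
	}
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "x5c": x5c})
	body, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, c.LeafKey, digest[:])
	sig := make([]byte, 64) // ES256 signature is raw r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig)
}

// VerifyJWS accepts only ES256 with an x5c chain that validates to roots, checks the signature
// with the leaf key, and returns the claims only after both checks pass.
func VerifyJWS(token string, roots *x509.CertPool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("undecodable JWS header")
	}
	if hdr.Alg != "ES256" || len(hdr.X5c) == 0 {
		return nil, errors.New("unexpected alg or missing x5c") // the token never chooses the algorithm
	}
	var certs []*x509.Certificate
	for _, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		cert, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, errors.New("undecodable x5c certificate")
		}
		certs = append(certs, cert)
	}
	inter := x509.NewCertPool()
	for _, cert := range certs[1:] {
		inter.AddCert(cert) // everything after the leaf is untrusted input used only to build the path
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := certs[0].Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain not anchored in trusted root: %w", err)
	}
	pub, ok := certs[0].PublicKey.(*ecdsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil || len(sig) != 64 {
		return nil, errors.New("leaf key is not ECDSA or signature is not raw r||s")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the leaf key")
	}
	var claims map[string]any
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(body, &claims)
	}
	return claims, err
}

// VerifyNotification verifies the outer signedPayload and then, independently, the nested
// signedTransactionInfo; signedRenewalInfo takes the same path through VerifyJWS.
func VerifyNotification(signedPayload string, roots *x509.CertPool) (string, map[string]any, error) {
	outer, err := VerifyJWS(signedPayload, roots)
	if err != nil {
		return "", nil, fmt.Errorf("signedPayload: %w", err)
	}
	data, _ := outer["data"].(map[string]any)
	innerTok, _ := data["signedTransactionInfo"].(string)
	tx, err := VerifyJWS(innerTok, roots) // an empty or forged inner token fails here, not silently
	if err != nil {
		return "", nil, fmt.Errorf("signedTransactionInfo: %w", err)
	}
	ntype, _ := outer["notificationType"].(string)
	return ntype, tx, nil
}
```

The reconciliation step consumes what VerifyNotification returns: the notificationType from the verified outer payload and the transactionId and inAppOwnershipType from the verified inner token. Swapping NewTestChain's root pool for a pool loaded with Apple's root CA is the only change needed to run VerifyNotification against real notifications.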
Known gotchas
The legacy verifyReceipt endpoint is deprecated; new integrations must use the App Store Server API and StoreKit 2 JWS transactions — mixing old and new validation approaches causes inconsistent entitlement state
All JWS fields (signedPayload, signedTransactionInfo, signedRenewalInfo) must each be independently verified against Apple's certificate chain; verifying only the outer payload and trusting inner fields is a security vulnerability
Refund notifications arrive asynchronously and may come long after the original purchase; entitlement systems that do not handle REFUND notification types will continue granting access after Apple approves a refund