Group Group Group Group Group Group Group Group Group

In-App Purchases: Receipt Validation Tutorial |


In this tutorial, you’ll learn how receipts for In-App Purchases work and how to validate them to ensure your users have paid for the goodies you give them.

This is a companion discussion topic for the original entry at


Hi @bmorefield, thanks for this tutorial! I have yet to implement IAP in my app but 2019 is the year I’ll make it happen :slight_smile:

Question for you: In the second block of code under Loading the Receipt,

private func loadReceipt() -> UnsafeMutablePointer? {
// Load the receipt into a Data object
let receiptUrl = Bundle.main.appStoreReceiptURL,
let receiptData = try? Data(contentsOf: receiptUrl)
else {
receiptStatus = .noReceiptPresent
return nil

Is there a return statement missing? I’m getting compile errors. I tried putting return receiptData after the guard, but it complained about converting Data to UnsafeMutablePointer.


@bmorefield Can you please help with this when you get a chance? Thank you - much appreciated! :]


There is no sens to validate receipt on the client. The only reasonable way to do that is on the server and then the server can deliver some premium content or not. If you do validation on client anyone can modify your application code and then omit this validation.


Hi @tomasstraus, are there any estimates on how big of a problem this is? Any ideas?


@afinque Those lines are the start of the method. You’ll continue it with more code in the next two blocks of code.


@tomasstraus @afinque You’re right that for some apps, doing receipt validation can be more secure. If you already have a custom server infrastructure in place, then it can be another process running on it. But server validation does require you to build and maintain a server infrastructure (or outsource that infrastructure at additional cost).

For some apps that may not be worth the upkeep, and client validation provides additional protection. Adding an on device check in addition to a server check also increases the difficulty. In the end, a determined and skilled hacker can often figure out a way to beat the system. The goal is to make it more difficult and how difficult it needs to be varies depending on the app’s user base, type, popularity, and similar factors.


This ‘not continuing to read’ thing nabs me every once in a while, and once again it’s time, I suppose. Thanks, and sorry for the noise!