How to verify Google Play In-app purchase: Part 1
We'll take a look at the setup needed before we can dive into code.
Google provides receipt validation through the Google Play Developer API. Within the API are two endpoints you will be most interested in: Purchases.products: get and Purchases.subscriptions: get.
Purchases.products: get is used to verify a non-auto-renewing product purchase, and Purchases.subscriptions: get is used to verify and re-verify auto-renewing product subscriptions.
To use either, you must have the packageName, productId, and purchaseToken. When an in-app purchase is made, these three are part of the response. More importantly, you need an access_token, which you get from creating a service account.
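How a backend might assemble the Purchases.products: get or Purchases.subscriptions: get call from those three values and read the result, as an added example that is not code from the original post. The package name, product ID pattern, sample response and function names are assumptions made for illustration; the access token is passed in and no network call is made.

```python
import re
from urllib.parse import quote
from urllib.request import Request

API = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications"
EXPECTED_PACKAGE = "com.example.app"  # placeholder: your app's own package name

def build_request(kind, package_name, product_id, purchase_token, access_token):
    """Build the GET for Purchases.products: get or Purchases.subscriptions: get."""
    if kind not in ("products", "subscriptions"):
        raise ValueError("kind must be 'products' or 'subscriptions'")
    # Pin the package name server-side; never verify against a client-chosen app.
    if package_name != EXPECTED_PACKAGE:
        raise ValueError("unexpected packageName")
    # Assumed ID shape: lowercase letters, digits, underscores and periods.
    if not re.fullmatch(r"[a-z0-9][a-z0-9._]*", product_id):
        raise ValueError("malformed productId")
    # The token is opaque client input: encode it fully so it cannot add
    # path segments or query parameters to the API URL.
    url = "/".join([API, quote(package_name, safe=""), "purchases", kind,
                    quote(product_id, safe=""), "tokens",
                    quote(purchase_token, safe="")])
    return Request(url, headers={"Authorization": "Bearer " + access_token})

def is_completed_purchase(body, product_id):
    """Check a Purchases.products: get response body (parsed JSON)."""
    if body.get("purchaseState") != 0:  # 0 purchased, 1 canceled, 2 pending
        return False
    # productId may be absent; when present it must match what was sold.
    returned = body.get("productId")
    return returned is None or returned == product_id

# Constructed sample response, not real API output.
SAMPLE = {"purchaseState": 0, "consumptionState": 0, "productId": "coins_100"}

if __name__ == "__main__":
    req = build_request("products", EXPECTED_PACKAGE, "coins_100",
                        "tok/../x?y=1", "ACCESS_TOKEN_PLACEHOLDER")
    print(req.full_url)
    print(is_completed_purchase(SAMPLE, "coins_100"))
```

Sending the request with urllib.request.urlopen returns the JSON body that is_completed_purchase expects once parsed.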
Getting Started: Creating a Service Account
Open the Settings > Developer account menus and select API access
- Select Link to connect your Play account to a Google Developer Project
- Agree to the terms and conditions
Create Service Account
Next, we need to create a service account. This is done from the Google API Console.
- Select Create Service Account
- Next, in the pop-up, click Google Cloud Platform; a new tab will open
If you get a permissions error, make sure you're in the correct Gmail account. Select the relevant project
- Click Create Service Account
- Enter details for service account
Give it Owner privileges
Once done, you will notice that the newly created service account says no keys. Click the service account. In the service account, on the tabs, click Keys, then click Add Key > Create New Key
- Download your JSON credential:
This key can only be downloaded once, so keep it safe in a cloud ☁️ drive. This is the key that we will use in our code, but before we can do so we need to grant it access to our Google Play Console.
Grant Access
- In Play Console, click Done. Your newly created service account will be shown once the page refreshes; then select Grant Access.
- Grant the following permissions:
Now we’re good 👍 to go. You might have to wait for 48 hours to allow Google to propagate all access rights for APIs.