Server side verification of Google Play in-app billing version 3 purchase (part 2)

Question

So I thought I understood how in-app billing and server-side verification works thanks to an answer to a previous question of mine but now that I think of it I\'m still lost...<

Answer 1

Since June 2013, you can verify the purchases directly with Google Play on server-side using Purchase Status API and Google APIs Client Libraries.

Answer 2

I hate to answer my own question, but hey, nobody else did! Me and my colleagues took another look at the problem again this morning. The solution to my problem finally occurred to me after taking another look at how the client side verification works in the TrivialDrive example. Man, did I feel like putting on my "stupid-hat", when I understood what was wrong.

I thought that it was the purchaseToken and the signature that was used to verify the purchase, but that way there was no means of verifying if it was item A or item B that was purchased.

If you want to do server-side verification (or any kind of verification for that matter) before making content available to the buyer it's actually the original JSON data (if you use the IabHelper classes, you get the original JSON from the Purchase class) that you're supposed to use together with the signature and the public key. And since it's the original JSON data you're passing along to your server it also contains all the information about the purchase (such as SKU id etc).

It's also important to set the developer payload to something that uniquely identifies your user (not the device!). In our case each user has an account on the server and I use the unique user id as developer payload.

/Mr.Stupid signing off!