Clarification on how to verify Google In App Purchase purchase token on the server?

Question

Given that my server end point has received a Purchase Token relating to a Google In App Billing purchase, how do I go about programmatically verifying it and gaining access to its contents?

I can already verify a Google Sign-In token using php

$client = new Google_Client(['client_id' => $client_id]);

$payload = $client->verifyIdToken($token);

if ($payload)
    return $payload['sub'];

But how would I use the Google_Client to verify a purchase token and gain access to its contents.

Is it really just a case of sending a GET to the Google server much like in the following Ruby example ?

Or is their a specific Google_Client command I should be calling?

I'm beginning to think it's a case of replicating the mentioned Ruby code in php using OAuth2 or something since the Google Docs do actually say that once the server has the purchase token to:

Use the Subscriptions and In-App Purchases portion of the Google Play Developer API to perform a GET request to retrieve the purchase details from Google Play (Purchases.products for a one-time product purchase or Purchases.subscriptions for a subscription). The GET request includes the app package name, product ID, and a token (purchase token).

Just wanted some clarification if possible? Thanks.

Answer 1

To verify and obtain the details of a purchase token resulting from a Google in app purchase in your client app, use the following code PHP:

putenv('GOOGLE_APPLICATION_CREDENTIALS=/home/mydir/credentials.json');
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope('https://www.googleapis.com/auth/androidpublisher');
$service = new Google_Service_AndroidPublisher($client);
$purchase = $service->purchases_products->get($packageName, $skuID, $purchaseToken);

You can then access all the information you need by the usual ways, e.g.

echo $purchase['orderId'];

A full list of accessor names can be found in the Google Docs here https://developers.google.com/android-publisher/api-ref/purchases/products

The packageName is the name of your application package, the skuID is the string SKU ID of the managed product, which you can create in the Google Developer Console. The purchase token is that which is returned to you within your client application on a successful in app purchase result, so you'll need to send that to your server end point via a POST command over HTML. Don't forget to use SSL/TLS to do this.

The credentials.json file is downloaded automatically from the Google Developer Consoler when you create a new Service Account under Settings/API access.

---

And here is the JavaScript version too:

const { google } = require('googleapis');

const auth = new google.auth.GoogleAuth({
    keyFile: path.join(__dirname, 'credentials.json'),
    scopes: 'https://www.googleapis.com/auth/androidpublisher',
  });
const client = await auth.getClient();
google.options({auth: client});

const androidpublisher = google.androidpublisher({ version: 'v3' });

const res = await androidpublisher.purchases.products.get({
    packageName: 'your.package.name',
    productId: ‘your_sku_id',
    token: your_purchase_token,
  });

console.log(res.data);

Refer to the Google API documentation (and here too for example) for general details on API access (the above code can be easily adapted to work with their other API's).