5

When I test an in-app purchase with the sandbox, the POST request to the sandbox URL https://sandbox.itunes.apple.com/verifyReceipt returns:

```
data: { environment: 'Sandbox', status: 21003 }
```

The 21003 status code means that the receipt could not be authenticated. https://developer.apple.com/documentation/appstorereceipts/status?language=objc

Is this expected? I'd assumed my test receipt would be considered valid for the sandbox environment and return a status of 0.

mahal tertin
Gwater17
  • Does this answer your question? ["The receipt could not be authenticated" - should it be checked again?](https://stackoverflow.com/questions/58615404/the-receipt-could-not-be-authenticated-should-it-be-checked-again) – Abdurrahman I. Jul 28 '21 at 15:55
  • We’ve been receiving the same error with sandbox receipts from App Review for our macOS app for the last week. When verifying the receipts without a password they return a valid receipt JSON, so the receipt data seems to be ok. The issue in this case seems to be on Apple’s side and we’ve opened a DTS incident to try to get this resolved. – Frederik Apr 05 '22 at 10:01

3 Answers

4

You report that when you send the appStoreReceipt to the verifyReceipt endpoint that you are seeing the status result 21003. This status indicates that the appStoreReceipt was malformed, incomplete, or incorrectly encoded. Can you capture the base64 encoded appStoreReceipt and send me the contents as a text file for me to manually validate the contents? If your app process sells an auto-renewing subscription item, please include the app's shared secret. I use the following curl command line tool to validate appStoreReceipts.

For sandbox receipts:

```bash
curl -d '{ "exclude-old-transactions": true, "password": "yyyy", "receipt-data": "xxxx" }' https://sandbox.itunes.apple.com/verifyReceipt
```

For production receipts:

```bash
curl -d '{ "exclude-old-transactions": true, "password": "yyyy", "receipt-data": "xxxx" }' https://buy.itunes.apple.com/verifyReceipt
```

Where exclude-old-transactions is used to limit the contents of the latest_receipt_info to only the most recent entry and

"password" is the request key to indicate the shared-secret that is required when the content is an auto-renewing subscription.

yyyy - is the shared-secret and
xxxx - is the base64 encoded content of the appStoreReceipt.

Reza Rahemtola
欧阳荣
3

No, it's not expected. I needed to provide a valid code in the password field even though the in-app purchase was not for an auto-renewable subscription.

Gwater17
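As an added example (not code from any of the answers or from Apple), the following POSIX shell functions check a receipt locally for the encoding problems the first answer lists, and refuse to build a request without a shared secret, which is what the second answer found was needed. The function names and sample values are constructed, and the check that the decoded receipt starts with byte 0x30 assumes the receipt is a PKCS#7 container.

```shell
#!/bin/sh
# Added example: local pre-flight checks before POSTing to verifyReceipt.
# Function names and sample values are constructed for illustration.

# Map the environment name to the endpoint URLs quoted on this page.
verify_url() {
    case $1 in
        Production) echo "https://buy.itunes.apple.com/verifyReceipt" ;;
        *)          echo "https://sandbox.itunes.apple.com/verifyReceipt" ;;
    esac
}

# Print the JSON request body, or fail with: 1 = not clean base64,
# 2 = decoded data is not an ASN.1 SEQUENCE, 3 = unusable shared secret.
build_verify_body() {
    # Line breaks and spaces picked up while copying the receipt are dropped.
    vr_receipt=$(printf '%s' "$1" | tr -d '[:space:]')
    vr_secret=$2

    case $vr_receipt in
        ''|*[!A-Za-z0-9+/=]*) echo "receipt: non-base64 character" >&2; return 1 ;;
    esac
    vr_body=${vr_receipt%=}; vr_body=${vr_body%=}
    case $vr_body in
        *=*) echo "receipt: padding in the wrong place" >&2; return 1 ;;
    esac
    if [ $(( ${#vr_receipt} % 4 )) -ne 0 ]; then
        echo "receipt: length not a multiple of 4 (truncated?)" >&2; return 1
    fi

    # Assumption: the app receipt is a PKCS#7 container, so byte 0 is 0x30.
    vr_first=$(printf '%s' "$vr_receipt" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    if [ "$vr_first" != 30 ]; then
        echo "receipt: decoded data does not start with 0x30" >&2; return 2
    fi

    # Restricting the secret to alphanumerics also keeps the JSON well formed.
    case $vr_secret in
        ''|*[!A-Za-z0-9]*) echo "password: shared secret missing or malformed" >&2; return 3 ;;
    esac

    printf '{"receipt-data":"%s","password":"%s","exclude-old-transactions":true}' \
        "$vr_receipt" "$vr_secret"
}

# Constructed sample values (not a real receipt or secret).
sample_receipt='MIIBAAAA'
sample_secret='0123456789abcdef0123456789abcdef'
# Usage: curl -d "$(build_verify_body "$sample_receipt" "$sample_secret")" "$(verify_url Sandbox)"
```

A receipt that passes these checks can still be rejected by the server; they only rule out copy-and-paste damage and a missing password before the request is sent.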
0

Maybe someone needs a bash script I have written for this.

```bash
#!/bin/bash
# Validate an App Store receipt against Apple's verifyReceipt endpoint.
# Usage: ./scriptName <base64-receipt> [Sandbox|Production]
clear

red='\033[0;31m'
green='\033[0;32m'
cyan='\033[0;36m'
noColor='\033[0m' # No Color

sig=$1
mode=$2

# Prompt for the environment when it was not given as the second argument.
if [ -z "$mode" ]; then
  PS3="Please select a mode: "
  options=("Sandbox" "Production")
  select opt in "${options[@]}"; do
    case $opt in
      "Sandbox") break;;
      "Production") break;;
      *) echo -e "${red}\ninvalid option \"$REPLY\"${noColor}";;
    esac
  done
else
  opt=$mode
fi

if [[ "$opt" == "Production" ]]; then
  echo -e "${green}Production selected${noColor}"
  url="https://buy.itunes.apple.com/verifyReceipt"
else
  echo -e "${cyan}Sandbox selected${noColor}"
  url="https://sandbox.itunes.apple.com/verifyReceipt"
fi

# Call curl directly instead of building a string for eval, so the
# receipt argument is never re-parsed by the shell as a command.
curl -d "{\"receipt-data\":\"$sig\"}" "$url"
```

Call it like ./scriptName signatureToValidate

user3445541