Are the Server notifications validated?

[rubanraj7]

This is probably a silly question, but does this package verify the notification with apple?

I know that in production, we are using the signed url, but is the receipt also validated against apple? Or would I have to do it manually in each of the listeners?

[imdhemy]

Good question. The App Store notification payload is signed, and the signature is verified against Apple keys.

https://github.com/imdhemy/appstore-iap/blob/3df707a6425d5bec60f4cd91d63f50bd35298cc2/src/Jws/AppStoreJwsVerifier.php#L32