The iOS app Shared Secret, also known as the App Store Connect Shared Secret, is a 32-character hexadecimal string used for server-side receipt validation. Your server sends it to Apple as the password field of the verifyReceipt request payload. Apple requires it for receipts that contain auto-renewable subscriptions, and it should be handled like any other API credential: stored only on your backend, never embedded in the app binary.
Receipt verification is the process app developers use to verify purchases made through Apple’s App Store payments mechanism (StoreKit). The receipt is a complete record of the purchases made by an app’s user, covering both one-time in-app purchases and subscriptions.
Apple recommends that app developers validate receipts to detect fraud and piracy. Doing this properly requires a secure backend: validation that happens only on the device can be bypassed by a modified client, and the Shared Secret must never leave your server.
Sending the Shared Secret along with the receipt lets you receive the decoded form of the receipt from Apple. The secret is also included, as the password key, in the payload of version 1 App Store Server Notifications: you can verify that a notification genuinely came from Apple by checking that the password value matches your known Shared Secret (use a constant-time comparison). Version 2 notifications are signed JWS payloads instead and are verified through Apple’s certificate chain rather than the Shared Secret.
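The following is an added example, not code from the original article or from Apple, showing the two uses of the Shared Secret described above: sending it as the password field of a verifyReceipt request (validating against production first and retrying against sandbox only on status 21007, as Apple recommends), and checking the password key of a version 1 server notification with a constant-time comparison. The environment variable name APPSTORE_SHARED_SECRET, the injected transport callable, the fake_apple stand-in and the sample secret and receipt bytes are all assumptions constructed for the example; the endpoints and status codes are Apple’s documented ones.

```python
import base64
import hmac
import os
import re
from typing import Any, Callable, Dict

# Apple's documented verifyReceipt endpoints: always try production first,
# and fall back to sandbox only when Apple answers 21007.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Status codes documented by Apple for the verifyReceipt response.
STATUS_OK = 0
STATUS_BAD_SECRET = 21004          # password (Shared Secret) does not match
STATUS_SANDBOX_RECEIPT = 21007     # sandbox receipt sent to production
STATUS_PRODUCTION_RECEIPT = 21008  # production receipt sent to sandbox

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def load_shared_secret(env_var: str = "APPSTORE_SHARED_SECRET") -> str:
    """Read the Shared Secret from the environment (assumed variable name)
    and check its shape: 32 lowercase hex characters. Failing fast here is
    better than discovering a misconfiguration as 21004 in production."""
    secret = os.environ.get(env_var, "")
    if not HEX32.match(secret):
        raise ValueError(f"{env_var} must be a 32-character hex string")
    return secret


def build_verify_request(receipt_b64: str, shared_secret: str,
                         exclude_old_transactions: bool = True) -> Dict[str, Any]:
    """Body of the POST to verifyReceipt; the password field carries the secret."""
    return {
        "receipt-data": receipt_b64,
        "password": shared_secret,
        "exclude-old-transactions": exclude_old_transactions,
    }


def verify_receipt(receipt_b64: str, shared_secret: str,
                   post: Callable[[str, Dict[str, Any]], Dict[str, Any]]) -> Dict[str, Any]:
    """Validate a receipt: production first, sandbox only on 21007.

    `post(url, body)` is an injected transport (for example a thin wrapper
    around requests.post(url, json=body).json()) so the logic runs offline.
    Returns the decoded receipt dictionary on status 0, raises otherwise."""
    body = build_verify_request(receipt_b64, shared_secret)
    response = post(PRODUCTION_URL, body)
    if response.get("status") == STATUS_SANDBOX_RECEIPT:
        response = post(SANDBOX_URL, body)
    status = response.get("status")
    if status == STATUS_BAD_SECRET:
        raise RuntimeError("Shared Secret rejected by Apple (21004); check App Store Connect")
    if status != STATUS_OK:
        raise RuntimeError(f"receipt rejected with status {status}")
    return response["receipt"]


def is_authentic_v1_notification(payload: Dict[str, Any], shared_secret: str) -> bool:
    """Authenticate a version 1 App Store Server Notification by its password key.

    hmac.compare_digest runs in constant time, so a remote caller cannot
    recover the secret byte by byte from response-time differences."""
    supplied = payload.get("password")
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode(), shared_secret.encode())


# --- constructed sample data; not a real secret or a real Apple response ---
SAMPLE_SECRET = "0123456789abcdef0123456789abcdef"
SAMPLE_RECEIPT_B64 = base64.b64encode(b"constructed-receipt-bytes").decode()


def fake_apple(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in transport imitating Apple's status behaviour for the example:
    wrong secret -> 21004; a sandbox receipt hitting production -> 21007."""
    if body["password"] != SAMPLE_SECRET:
        return {"status": STATUS_BAD_SECRET}
    if url == PRODUCTION_URL:
        return {"status": STATUS_SANDBOX_RECEIPT}
    return {"status": STATUS_OK, "environment": "Sandbox",
            "receipt": {"bundle_id": "com.example.app", "in_app": []}}


if __name__ == "__main__":
    receipt = verify_receipt(SAMPLE_RECEIPT_B64, SAMPLE_SECRET, fake_apple)
    print("bundle:", receipt["bundle_id"])
    note = {"notification_type": "DID_RENEW", "password": SAMPLE_SECRET}
    print("notification authentic:", is_authentic_v1_notification(note, SAMPLE_SECRET))
```

The transport is injected rather than hard-wired to an HTTP library so the production-then-sandbox decision and the 21004 handling can be unit-tested without network access; in a real deployment the same function is called with a wrapper around your HTTP client. Apple has since deprecated the verifyReceipt endpoint in favour of the App Store Server API, but this is the flow the Shared Secret exists for.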
There are two flavors of Shared Secret that can be generated through App Store Connect: a Primary Shared Secret, which applies to every app in the account, and an App-Specific Shared Secret, which is scoped to a single app.
The App-Specific Shared Secret is the right choice when you want app-level isolation, for instance because you plan to transfer the app to another Apple Developer account, such as after selling it on a marketplace like Flippa, so that a secret covering all of your apps never has to be handed over.
Generating either type of Shared Secret requires an App Store Connect account with the Account Holder or Admin role.
To generate (or re-generate) a Primary Shared Secret, follow these steps:
To generate (or re-generate) an App-Specific Shared Secret, follow these steps: