Hi,
We are an organisation with 40 developers working on iOS apps. Our apps contain In-App Purchases. We are using server-side validation to validate purchase receipts. This requires using a shared secret (https://developer.apple.com/documentation/appstorereceipts/requestbody).
We have a test environment which all of our developers have full access to. We would like to validate receipts in the test environment and therefore it would contain the app's shared secret. We are wondering if it would be acceptable to give all 40 of our developers read-access to this shared secret. As far as I can tell, this secret is only used for:
It would be great to get an opinion from someone with more insight, or even better an official response from Apple.
Thanks,
Alex
We are an organisation with 40 developers working on iOS apps. Our apps contain In-App Purchases. We are using server-side validation to validate purchase receipts. This requires using a shared secret (https://developer.apple.com/documentation/appstorereceipts/requestbody).
We have a test environment which all of our developers have full access to. We would like to validate receipts in the test environment and therefore it would contain the app's shared secret. We are wondering if it would be acceptable to give all 40 of our developers read-access to this shared secret. As far as I can tell, this secret is only used for:
Validating receipts using the verifyReceipt API
Verifying webhook notifications
It would be great to get an opinion from someone with more insight, or even better an official response from Apple.
Thanks,
Alex
