How can I validate an in-app purchase JWS Representation from StoreKit2 on my backend in Node?
It's easy enough to decode the payload, but I can't find the public keys that Apple uses to sign these JWS/JWTs anywhere. Any other time I've worked with JWTs, you simply used the node jsonwebtoken library and passed in the signer's public key or shared secret key, either configured or fetched from a JWK.
I do see the docs about validating the certificate chain in the x5c field but am at a bit of a loss on how to verify that it's from Apple. Anyone can create a JWT and sign one.
Thank you!
Hi, so the JWS contains a chain of certificates (x509) in its x5c header. The first certificate contains the public key used to verify the signature of the JWS. What we need is a way to verify that the certificates are also trustworthy (i.e. signed by Apple and/or a trusted CA). You can find these certificates on their site https://www.apple.com/certificateauthority/.
All you need to do now is download them and, whenever you receive a JWS, validate them against the ones found in the x5c header. The site has both the intermediate and the root certificates. Good luck!