Hello!
I would like to check the validity of the POST call that we will receive on the Production Server URL, before actually verifying the signature and decoding the payload.
But I can't find anywhere in the documentation a way to check that those calls are in fact from Apple. Any particular headers we should check for, any IPs that should be whitelisted?
Thanks in advance!
If your server needs hostnames or IP address allowlist to receive App Store Server Notifications, you can add hostname dps.iso.aple.com and IP addresses 17.58.0.0/18 and 17.58.192.0/18 to allow list. These IP address are same for Sandbox and Production
Thank you for the information. Considering future maintenance, if there is a document containing this information, could you please tell me the URL etc.?