Home/ Questions/Q 8407627
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T23:25:06+00:00

When you verify signed JSON which comes when a user has completed transaction there

  • 0

When you verify signed JSON which comes when a user has completed transaction there is obvious need to verify that this particular purchase was made by a particular user. It especially important to prevent the possibility of changing the userId when you send for example userId and signed JSON to your server for verification purposes. But there are no such fields in signed JSON.

So is it OK to place some userId in developerPayload field ?

{ "nonce" : 1836535032137741465,
  "orders" :
    [{ "notificationId" : "android.test.purchased",
       "orderId" : "transactionId.android.test.purchased",
       "packageName" : "com.example.dungeons",
       "productId" : "android.test.purchased",
       "developerPayload" : "bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ",
       "purchaseTime" : 1290114783411,
       "purchaseState" : 0,
       "purchaseToken" : "rojeslcdyyiapnqcynkjyyjh" }]
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes. It is OK to place some user identity in the developer payload. When you receive that back in the PURCHASE_STATE_CHANGED broadcast you can then send this on to your own server.

    This is especially relevant to unmanaged items where you need to maintain purchase and use of those items per user on your own server.

    The real question is what user identity are you going to send and where are you going to get it from. It can’t be device specific because a user may have multiple devices. It really needs to be an identity provided by Google Play. But I don’t know how to find that.

    • 0