Showing results for 
Search instead for 
Did you mean: 

Possible error in IAP S2S API documentation

Level 2

In the IAP S2S API documentation ( ), it says we need the app access token and the app id to verify entitlement of purchased items, which does not contain any user identification information.

curl -d "access_token=OC|$APP_ID|$APP_SECRET" -d "sku=$SKU"$APP_ID/verify_entitlement

I tested the API endpoint with several combination of data, and it seems we need to send the user access token instead of the app access token to check entitlement (the response says DUC related document should be filed beforehand, which is expected).

I would like to clarify two things:

1. Should we send the user access token to the IAP S2S API to verify entitlement of an item?

2. If 1 is correct, should the secure server acquire user access tokens from game clients?

Thanks in advance.