12-08-2022 03:17 AM
In the IAP S2S API documentation ( https://developer.oculus.com/documentation/unity/ps-iap-s2s/ ), it says we need the app access token and the app id to verify entitlement of purchased items, which does not contain any user identification information.
curl -d "access_token=OC|$APP_ID|$APP_SECRET" -d "sku=$SKU" https://graph.oculus.com/$APP_ID/verify_entitlement
I tested the API endpoint with several combinations of data, and it seems we need to send the user access token instead of the app access token to check entitlement (the response says DUC related document should be filed beforehand, which is expected).
I would like to clarify two things:
1. Should we send the user access token to the IAP S2S API to verify entitlement of an item?
2. If 1 is correct, should the secure server acquire user access tokens from game clients?
Thanks in advance.
09-05-2023 03:03 AM
Yes, it is wrong. I tried it as shown below, and it works:
curl -d "access_token=OC|$APP_ID|$APP_SECRET" -d "sku=$SKU" -d "user_id=$user_id" https://graph.oculus.com/$APP_ID/verify_entitlement
The request must post the user ID.
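
The request from the reply above, sketched as a server-side check that denies entitlement on any error; this is an added example, not part of either post and not Oculus sample code. The function names, the numeric-ID check and the `{"success": true}` response shape are assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

GRAPH_HOST = "https://graph.oculus.com"  # host from the curl commands above


def build_verify_request(app_id, app_secret, sku, user_id):
    """Return (url, form_body) for POST /$APP_ID/verify_entitlement."""
    # Assumption: app and user IDs are decimal strings. Rejecting anything
    # else keeps client-influenced input out of the URL path and form body.
    for name, value in (("app_id", app_id), ("user_id", user_id)):
        if not re.fullmatch(r"[0-9]+", str(value)):
            raise ValueError(f"{name} must be numeric")
    if not sku:
        raise ValueError("sku must not be empty")
    body = urllib.parse.urlencode({
        "access_token": f"OC|{app_id}|{app_secret}",  # app token, server-side only
        "sku": sku,
        "user_id": user_id,  # the field the reply says must be posted
    }).encode("ascii")
    return f"{GRAPH_HOST}/{app_id}/verify_entitlement", body


def _http_post(url, body, timeout=10):
    request = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read()


def is_entitled(app_id, app_secret, sku, user_id, post=_http_post):
    """True only on an explicit success reply; every error denies."""
    url, body = build_verify_request(app_id, app_secret, sku, user_id)
    try:
        reply = json.loads(post(url, body))
    except (OSError, ValueError):
        return False  # network failure, HTTP error or non-JSON body
    # Assumption: a granted entitlement is reported as {"success": true}.
    return isinstance(reply, dict) and reply.get("success") is True
```

The `post` parameter exists so the check can be exercised with a stub transport instead of a live call.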