I'm using the following BillingClient.
implementation 'com.android.billingclient:billing:1.2.2'
Although I have issued refund as bellow
But I'm still getting the following respond from BillingClient.queryPurchases
{
"orderId": "GPA.3352-2555-5719-25534",
"packageName": "com.yocto.wenote",
"productId": "note_list_promo",
"purchaseTime": 1560501011137,
"purchaseState": 0,
"purchaseToken": "djjneabakdaenkjafajbbclo.AO-J1OzbDNn5WkobYbSqLNzoBokm1F552-CqzfLQuNXK69bhxC-TnOTqdPV1RCl9T2okpSWfRD9RrE0eFhSN8glUbsOM5XUBDRnm_yK2Ohq_uyNuU17i1dc3CBhdeEn9uZCIfD3zY4tF"
}
According to documentation of BillingClient.queryPurchases
Get purchases details for all the items bought within your app. This
method uses a cache of Google Play Store app without initiating a
network request.
This might be the reason. I try with another function - queryPurchaseHistoryAsync wouldn't help either. According to documentation
Returns the most recent purchase made by the user for each SKU, even
if that purchase is expired, canceled, or consumed.
For queryPurchaseHistoryAsync, there are no purchaseState to indicate the following purchase is cancelled!
{
"productId": "note_list_promo",
"purchaseToken": "djjneabakdaenkjafajbbclo.AO-J1OzbDNn5WkobYbSqLNzoBokm1F552-CqzfLQuNXK69bhxC-TnOTqdPV1RCl9T2okpSWfRD9RrE0eFhSN8glUbsOM5XUBDRnm_yK2Ohq_uyNuU17i1dc3CBhdeEn9uZCIfD3zY4tF",
"purchaseTime": 1560501011137,
"developerPayload": null
}
Google should really provide a non-cached version of queryPurchases.
Any idea what I have done wrong? I don't wish users can continue using paid features, after I have issued the refund.
We clear the cache in the following way
private static void clearGooglePlayStoreBillingCacheIfPossible(BillingClient billingClient) {
billingClient.queryPurchaseHistoryAsync(SkuType.INAPP, (responseCode, purchasesList) -> {
});
billingClient.queryPurchaseHistoryAsync(SkuType.SUBS, (responseCode, purchasesList) -> {
});
}
After that, we will call BillingClient.queryPurchases as usual.
Take note, such cache clearing doesn't happen immediately. It may take as long as 24 hours, for the cache to be cleared. Strangely, this important requirement isn't documented any way.
I'am using subscriptions in my application and it is working perfectly during testing. However, I didn't find a way to get user subscription history for all transactions.
Example:
-User subscribed to product id "sub1" for 3 months. (purchaseToken : "X")
-User canceled subscription for same product id "sub1"
-User resubscribed for same product id (purchaseToken : "Y")
In this scenario when querying queryPurchaseHistoryAsync() function it is returning only latest purchase. Also when using this [API][https://developers.google.com/android-publisher/api-ref/purchases/subscriptions/get] it returns only information of a specific purchase token ("Y" retreived from queryPurchaseHistoryAsync()).
Is there any other way to get user subscriptions history (Detailed transactions)
?
Any help would be greatly appreciated
After a lot of searching it turned out that there is no API that returns detailed transactions of specific subscription.
I implemented in-app billing in my mobile app. It uses auto renewing subscription. I want to check the subscription expiry date through the app. I found this link to check the subscription details : Purchases.subscriptions:get
The documentation shows that some authorization needed. I have tried but I am not able to get the result. I got client secret.json file but it does not contain client secret Id. So please help me to get the subscription expiry date.
My answer is late, but maybe it helps somebody else. See my answer here: Server side authorization with Google Play Developer API?
And these are the steps when you would do it manually:
1.) Create credentials in your OAuth2 configuration in Google API with the following link: https://developers.google.com/mobile/add?platform=android&cntapi=signin&cnturl=https:%2F%2Fdevelopers.google.com%2Fidentity%2Fsign-in%2Fandroid%2Fsign-in%3Fconfigured%3Dtrue&cntlbl=Continue%20Adding%20Sign-In
2.) Go to your Developer API console. If you have done the first step correct, the result should look like something like that:
3.) Go to Google Play Developer Console -> All Apps -> Settings -> API Access and link the project you defined in Developer API Console (step 2, black bar top left). (If you can't link your project in Google Play, because you didn't find some, you used different google accounts for Google Developer API and Google Play Developer Console.)
4.) Invoke the following link with your callback url:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/androidpublisher&response_type=code&access_type=offline&redirect_uri=http://www.yourdomain.com/oauth2callback&client_id=[WEBAPPLICATION_ID_FROM_ABOVE.apps.googleusercontent.com]
My /oauth2callback script is a simple php script. (This is not production safe. It's just for illustration):
oauth2callback.php
<?php
print_r($_REQUEST);
?>
5.) After you invoked the url from above, you will be asked for your google account and allowance to access the api. After you confirmed, you will be redirected to your callback url and get a result which looks like this:
4/vPv_eYX-az6YucwdpBzATpJEu8129gN9aYsUIMI3qgQ
6.)¹ Get an oauth2 access token and refresh token by invoking a POST request to https://accounts.google.com/o/oauth2/token with the following headers:
grant_type=authorization_code
code=4/vPv_eYX-az6YucwdpBzATpJEu8129gN9aYsUIMI3qgQ
client_id=[YOUR_WEBAPPLICATIONID.apps.googleusercontent.com]
client_secret=[YOUR CLIENT SECRET OF THIS WEBAPPLICATION ID]
redirect_uri=http://www.yourdomain.com/oauth2callback
(The client secret can be found when you click on the Web Client ID of the OAuth2 client IDs in the Developer Console from step 2)
The result will look like this:
{
"access_token": "ya29.GdsCBbnM584k3SUzoxDgIdaY26pEM_p_AdhkIkFq3tsai8U7x8DuFKq3WEF7KquxkdLO89KHpuUFdJOgkhpGbGyDfxkD32bK1ncnsu2IkA0e_5ZayOEr86u4A1IN",
"expires_in": 3600,
"refresh_token": "1/U5HF1m0nHQwZaF2-X35f_xyFaSOofdw3SEubnkkYUQ0",
"token_type": "Bearer"
}
7.) The access token is needed to invoke the Google Developer API requests, for example: https://www.googleapis.com/androidpublisher/v2/applications/[packageName]/purchases/subscriptions/subscriptionId/tokens/[purchaseToken]?access_token=ya29.GdsCBbnM584k3SUzoxDgIdaY26pEM_p_AdhkIkFq3tsai8U7x8DuFKq3WEF7KquxkdLO89KHpuUFdJOgkhpGbGyDfxkD32bK1ncnsu2IkA0e_5ZayOEr86u4A1IN
8.) The access token expires very quickly. With the refresh you can fetch new access tokens by using the following url and headers:
POST https://accounts.google.com/o/oauth2/token
grant_type=refresh_token
client_secret=[YOUR CLIENT SECRET]
refresh_token=1/U5HF1m0nHQwZaF2-X35f_xyFaSOofdw3SEubnkkYUQ0
client_id=[YOUR_WEBAPPLICATION_ID.apps.googleusercontent.com]
Result:
{
"access_token": "ya29.GlsCBZuN7hYJILi5VaVggIsCIb1_5feGvcjvQFmJRnPYXsnhsi_w3Md87tQwGd_WXmifo4s5739c3IU5INPmby8q64k0LdDFkO2JpNRG13K9sizvU1Sc-3cWzbf8",
"expires_in": 3600,
"token_type": "Bearer"
}
HINT (1): If you don't get a refresh token from the request of step 6, attach the following query params to your request: prompt=consent
I also struggled a bit with this, but at least I found what needs to be done.
Google provides an android library google-api-services-androidpublishe that can be used to access the Purchase.Subscription.Get API.
implementation 'com.google.apis:google-api-services-androidpublisher:v3-rev74-1.25.0'
Here is a Kotlin code example:
import com.google.api.client.http.apache.ApacheHttpTransport
import com.google.api.client.json.jackson2.JacksonFactory
import com.google.api.services.androidpublisher.AndroidPublisher
...
fun retrieveSubscriptionInfo(sku: String) {
val packageName = ""
val sku = ""
val purchasedSubscriptionToken = ""
val apacheHttpTransport = ApacheHttpTransport()
val jacksonJsonFactory = JacksonFactory.getDefaultInstance()
val AndroidPublisher.Builder(apbacheHttpTransport, jacksonJsonFactory, null).build()
val request = publisher.Purchases().subscriptions().get(packageName, sku, purchasedSubscriptionToken);
return request.execute()
}
Note that before the above code is executed you must first Authorize the AndroidPublisher. You would have to request the users permission in order to be able to query the Purchase.Subscription.Get
Hope that this is helpful.
Google's documentation here is horrible, no clear examples of implementation. I finally found the answer after a LOT of Googling thanks to #Sabeeh's answer here and lots of other snippets spread out online.
1. First step is to add the dependencies:
implementation "com.google.apis:google-api-services-androidpublisher:v3-rev142-1.25.0" // Update based on latest release
implementation "com.google.auth:google-auth-library-oauth2-http:1.12.1" // Update based on latest release
2. Follow these steps to link the Google Play Console with Google Play Developer API (choose the "Use a service account", not "Use OAuth clients" and follow until "Additional information").
3. Download the services JSON file from your Google Cloud service account (click on the account that you set up in the previous step). You can find/create this file under the "Manage Keys" action or the "Keys" tab. Add the exported JSON file in your assets folder in Android
4. Then you can call the Google Play Developer API to query subscriptions like this (important to call from a Thread, didn't work from the UI thread, not sure why):
new Thread(() -> {
InputStream inputStream = context.getAssets().open("service_account_google_play.json"); // JSON file from step 3
GoogleCredentials credentials = GoogleCredentials.fromStream(inputStream)
.createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER);
AndroidPublisher androidPublisher = new AndroidPublisher(
new NetHttpTransport(),
JacksonFactory.getDefaultInstance(),
new HttpCredentialsAdapter(credentials)
);
SubscriptionPurchase purchase = androidPublisher.purchases().subscriptions().get(
context.getPackageName(), subscriptionId, purchaseToken
).execute();
// Do with the purchase object what you want here
}).start();
At the risk of being overly descriptive, the subscriptionId is the ID of your subscription in the Play Console (e.g. subscription_monthly or whatever you called it), and the purchaseToken is the token you get from the Purchase token after querying the BillingClient (querying subscriptions is explained in detail here).
Let me know if anything is unclear or doesn't work yet. This took me 6 hours to figure out and I'm happy to save others that pain.
I'm implementing cordova-plugin-purchase in app for Android, I have working all but I have a one thing to fix.
In my app when I make a purchase for subscription always get the same purchase token, in my first test this token was a valid but now when I unsubscribed and subscribed again in my app get the same purchasetoken.
When I put this purchaseToken in my iap server validator the status always is 0 and is logic because I made this purchase on 18th of January.
I need made something for https://github.com/j3k0/cordova-plugin-purchase generate a new purchaseToken?
Always I get this in app when I subscribed:
{
"data": "{\"packageName\":\"com.rubeapp.padres\",\"productId\":\"premium\",\"purchaseTime\":1453157722465,\"purchaseState\":0,\"purchaseToken\":\"pdocnplgcbeoafhgimgkdmhj.AO-J1OxGqkmERQbgjQpcBZy6iaG8UCMzz-lHIYOc0fPwRFJLdAiVljZ31S-x904LUYFrUrQ-40qhIyGHRjIPhECB3e6VMIQukoVtbFLMrmsIpGfAmsImfjs\",\"autoRenewing\":false}",
"signature":"jRTGPHwIX8WCspBMZGIk0PHEIFavKJ0NjXHh6MiHHOl4ZDtbAvHCXrKhP6j99fRtNzpynt5gxDsdI9schL4ed2G2pUJvVIwD/0Lf9p90gt/wuIaKrYxTe+A35i/4smafnYQTikhFv8F5c5/ckVL3ihdDwHLtd1ihOJpvF3z2t+vhNvFZ+f6ZRa2gWO5ucfLWvDV3rA/KK1PS3vXtW10NL+K73IbySXiFycqW8jK4N93eNnrifVGxgM1tkGv0nRSjqqZSD8Imb68LGb0GyPd1EOffMNgLHHEJ4iRR0+LN/ZgONK1dLxrGsmN+49OqJooyDKAWhCwMNCJGecuSc0ahaA=="
}
And this is test response in my iap validator:
{"response":{"packageName":"com.rubeapp.padres","productId":"premium","purchaseTime":1453157722465,"purchaseState":0,"purchaseToken":"pdocnplgcbeoafhgimgkdmhj.AO-J1OxGqkmERQbgjQpcBZy6iaG8UCMzz-lHIYOc0fPwRFJLdAiVljZ31S-x904LUYFrUrQ-40qhIyGHRjIPhECB3e6VMIQukoVtbFLMrmsIpGfAmsImfjs","autoRenewing":false,"status":0,"service":"google"}}
Fixed the problem is purchase have a time of life, while the suscription is live in playstore you get always the same purchasetoken.
In test you must wait the suscription expired to get a new purchasetoken.
I have a simple app (needs user login with account). I provide some premium features for paid users, like more news content.
I need to record if the user has bought this item in my server database. When I provide data content to user's device, I can then check the user's status, and provide different content for paid user.
I checked the official Trivialdrive sample provided by Google, it does not provide any sample code for server-side verification, here are my questions.
I found the sample use my app's public key inside to verify purchase, it looks not good, I think I can just move the verification process to my server combined with user login credentials to see whether the user purchase completed, and then update the database.
Also there is purchase API I can use to query, what I need is to pass the user's purchaseToken into server.
I am not sure what method I should take to verify the user's purchase, and mark the user's status in my database, maybe both?
And I am afraid there is a situation, if a user bought this item from google play, but for some reason, just in that time, when my app launched verification to my server, the network connection is down or my own server is down, user just paid the money in google play but I did not record the purchase in my server? What should I do, How can I deal with this situation.
It sounds what you're looking for is a way to check if the user has premium features enabled on their account, so this is where I would start;
Ensure there is a flag of some sort on your database indicating if the user has premium features and include that in the API response payload when requesting account info. This flag will be your primary authority for "premium features".
When a user makes an in-app purchase, cache the details (token, order id, and product id) locally on the client (i.e the app) then send it to your API.
Your API should then send the purchaseToken to the Google Play Developer API for validation.
A few things might happen from here:
The receipt is valid, your API responds to the client with a 200 Ok status code
The receipt is invalid, your API responds to the client with a 400 Bad Request status code
Google Play API is down, your API responds with a 502 Bad Gateway status code
In the case of 1. or 2. (2xx or 4xx status codes) your client clears the cache of purchase details because it doesn't need it anymore because the API has indicated that it has been received.
Upon a successful validation (case 1.), you should set the premium flag to true for the user.
In the case of 3. (5xx status code) or a network timeout the client should keep trying until it receives a 2xx or 4xx status code from your API.
Depending on your requirements, you could make it wait a few seconds before sending again or just send the details to your API when ever the app is launched again or comes out of background if the purchase details are present on the app cache.
This approach should take care of network timeouts, servers being unavailable, etc.
There are now a few questions you need to consider:
What should happen immediately after a purchase? Should the app wait until validation is successful before providing premium content or should it tentatively grant access and take it away if the validation fails?
Granting tentative access to premium features smooths the process for a majority of your users, but you will be granting access to a number of fraudulent users too while your API validates the purchaseToken.
To put this in another way: Purchase is valid until proven fraudulent or; fraudulent until proven valid?
In order to identify if the user still has a valid subscription when their subscription period comes up for renewal, you will need to schedule a re-validation on the purchaseToken to run at the expiryTimeMillis that was returned in the result.
If the expiryTimeMillis is in the past, you can set the premium flag to false. If it's in the future, re-schedule it again for the new expiryTimeMillis.
Lastly, to ensure the user has premium access (or not), your app should query your API for the users details on app launch or when it comes out of background.
The documentation on this is confusing and weirdly verbose with the things that are almost inconsequential while leaving the actually important documentation almost unlinked and super hard to find. This should work great on most popular server platform that can run the google api client libraries, including Java, Python, .Net, and NodeJS, among others. Note: I've tested only the Python api client as shown below.
Necessary steps:
Make an API project, from the API Access link in your Google Play console
Make a new service account, save the JSON private key that gets generated. You'll need to take this file to your server.
Press Done in the Play console's service account section to refresh and then grant access to the service account
Go get a google api client library for your server platform from https://developers.google.com/api-client-library
Use your particular platform's client library to build a service interface and directly read the result of your purchase verification.
You do not need to bother with authorization scopes, making custom requests calls, refreshing access tokens, etc. the api client library takes care of everything. Here's a python library usage example to verify a subscription:
First, install the google api client in your pipenv like this:
$ pipenv install google-api-python-client
Then you can set up api client credentials using the private key json file for authenticating the service account.
credentials = service_account.Credentials.from_service_account_file("service_account.json")
Now you can verify subscription purchases or product purchases using the library, directly.
#Build the "service" interface to the API you want
service = googleapiclient.discovery.build("androidpublisher", "v3", credentials=credentials)
#Use the token your API got from the app to verify the purchase
result = service.purchases().subscriptions().get(packageName="your.app.package.id", subscriptionId="sku.name", token="token-from-app").execute()
#result is a python object that looks like this ->
# {'kind': 'androidpublisher#subscriptionPurchase', 'startTimeMillis': '1534326259450', 'expiryTimeMillis': '1534328356187', 'autoRenewing': False, 'priceCurrencyCode': 'INR', 'priceAmountMicros': '70000000', 'countryCode': 'IN', 'developerPayload': '', 'cancelReason': 1, 'orderId': 'GPA.1234-4567-1234-1234..5', 'purchaseType': 0}
The documentation for the platform service interface for the play developer API is not linked in an easy to find way, for some it is downright hard to find. Here are the links for the popular platforms that I found:
Python | Java | .NET | PHP | NodeJS (Github TS) | Go (Github JSON)
Complete example of using Google API Client Library for PHP:
Setup your Google Project and access to Google Play for your service account as described in Marc's answer here https://stackoverflow.com/a/35138885/1046909.
Install the library: https://developers.google.com/api-client-library/php/start/installation.
Now you are able to verify your receipt the following way:
$client = new \Google_Client();
$client->setAuthConfig('/path/to/service/account/credentials.json');
$client->addScope('https://www.googleapis.com/auth/androidpublisher');
$service = new \Google_Service_AndroidPublisher($client);
$purchase = $service->purchases_subscriptions->get($packageName, $productId, $token);
After that $purchase is instance of Google_Service_AndroidPublisher_SubscriptionPurchase
$purchase->getAutoRenewing();
$purchase->getCancelReason();
...
You can try using Purchases.subscriptions: get server-side. It takes packageName, subscriptionId and token as paramaters and requires authorization.
Checks whether a user's subscription purchase is valid and returns its
expiry time.
If successful, this method returns a Purchases.subscriptions resource in the response body.
I answer to this concern
the network connection is down or my own server is down, user just
paid the money in google play but I did not record the purchase in my
server? What should I do, How can I deal with this situation.
The situation is:
User purchases 'abc' item using google play service -> return OK -> fail to verify with server for some reasons such as no Internet connection.
Solution is:
On the client side, before showing the 'Google Wallet' button, you check if the 'abc' item is already owned.
if yes, verify with server again
if no, show the 'Google Wallet' button.
Purchase purchase = mInventory.getPurchase('abc');
if (purchase != null) // Verify with server
else // show Google Wallet button
https://developer.android.com/google/play/billing/billing_reference.html#getSkuDetails
Marc Greenstock's answer is definitely enlightening, a few things to pay attention though which took me a long time to figure out (at least way more time than I expected):
I had to check "Enable G Suite Domain-wide Delegation" on Service Account settings. Without this I kept getting this error: "The current user has insufficient permissions to perform the requested operation"
Image with Enable G Suite Domain-wide Delegation option checked
For testing purposes you can create a JWT token for your service account here, just don't forget to select RS256 Algorithm.
The public key is the "private_key_id" from your downloaded JSON file. It also has the following format:
-----BEGIN PUBLIC KEY-----
{private_key_id}
-----END PUBLIC KEY-----
The private key is the "private_key" from your downloaded JSON file
The required claims for the JWT generation are described here.
Confused about what exactly a JWT Token is and how it is assembled? Don't be ashamed, check this link. Odds are you are just like me and took a long time to bother looking for what exactly it is, it is (way) simpler than it looks.
I had some serious problems using the suggested google API python library, but implementing the communication from scratch is not so hard.
First of all you have to create a service account at Google Play Console as described in all answers and get the JSON file containing the private key. Save it to your server.
Then use the following code. No need to obtain the google API client library. You only need the following (very common) python libraries Requests and Pycrypto
import requests
import datetime
import json
import base64
from Crypto.Signature import PKCS1_v1_5 as Signature_pkcs1_v1_5
from Crypto.Hash import SHA256
from Crypto.PublicKey import RSA
jwtheader64 = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
#SERVICE_ACCOUNT_FILE: full path to the json key file obtained from google
with open(SERVICE_ACCOUNT_FILE) as json_file:
authinfo = json.load(json_file)
packageName = #your package name
product = #your inapp id
token = #your purchase token
#create the JWT to use for authentication
now = datetime.datetime.now()
now1970 = (now - datetime.datetime(1970,1,1)).total_seconds()
jwtclaim = {"iss":authinfo["client_email"],"scope":"https://www.googleapis.com/auth/androidpublisher","aud": "https://oauth2.googleapis.com/token","iat":now1970,"exp":now1970+1800,"sub":authinfo["client_email"]}
jwtclaimstring = json.dumps(jwtclaim).encode(encoding='UTF-8')
jwtclaim64 = base64.urlsafe_b64encode(jwtclaimstring).decode(encoding='UTF-8')
tosign = (jwtheader64+"."+jwtclaim64).encode(encoding='UTF-8')
#sign it with your private key
private = authinfo["private_key"].encode(encoding='UTF-8')
signingkey = RSA.importKey(private)
signer = Signature_pkcs1_v1_5.new(signingkey)
digest = SHA256.new()
digest.update(tosign)
signature = signer.sign(digest)
res = base64.urlsafe_b64encode(signature).decode(encoding='UTF-8')
#send it to Google authentication server to obtain your access token
headers = {'Content-Type': 'mapplication/x-www-form-urlencoded'}
payload = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion="+jwtheader64+"."+jwtclaim64+"."+res
r = requests.post("https://oauth2.googleapis.com/token",headers=headers,data=payload)
if r.status_code == 200:
authdata = json.loads(r.text)
accesstoken = authdata['access_token']
bearerheader = {'Authorization':'Bearer '+authdata['access_token']}
#Now you have at last your authentication token, so you can use it to make calls. In this example we want to verify a subscription
url = "https://androidpublisher.googleapis.com/androidpublisher/v3/applications/"+packageName+"/purchases/subscriptions/"+product+"/tokens/"+token
subscription = requests.get(url,headers=bearerheader)
the network connection is down or my own server is down,
You don't have to think like this.
Client knows own's consume product. so, client can send all tokens back to the server.
Just re-check token with produce id and transaction id.
And Server checks consume product.
if you fail check
make UI button client can re-send token.
server re-check token for items.
It's done.