# In-game purchases JWT Verification

### 1. **What happens during a purchase**

* When a player makes a purchase through the **Playgama platform**, the SDK (or platform API) gives you back a **purchase object**.
* This object contains typical purchase details (product ID, amount, currency, etc.) *plus* an additional property:

  `purchase["jwt"]`
* That JWT (JSON Web Token) is a signed token issued by Playgama. It encodes:
  * `orderId` → Playgama’s internal unique ID for this purchase.
  * `externalId` → The identifier you passed when starting the purchase (for example, your own item or transaction ID).

***

### 2. **What is JWKS and why do you need it**

* JWTs are cryptographically signed to prevent tampering.
* Playgama provides a **JWKS (JSON Web Key Set)** endpoint here:

  `https://playgama.com/.well-known/jwks.json`
* This endpoint contains the public keys needed to verify that the `purchase["jwt"]` is valid and really issued by Playgama.
* Your backend can download these keys and use them to check the token’s signature.

***

### 3. **How to verify the purchase**

There are two checks you can run; section 4 explains why you should do both:

#### **A. Validate JWT locally (backend)**

1. Receive the `purchase["jwt"]` from your client after purchase.
2. Use the keys from Playgama’s JWKS endpoint to verify the JWT signature.
3. Extract the `orderId` and `externalId` inside.
4. If valid, you can trust that Playgama issued it.
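The local check in code, as an added example that is not Playgama's SDK or sample code. It assumes the JWKS endpoint serves standard RFC 7517 RSA keys with a `kid`, and that the token is signed with RS256 (the page does not name the algorithm; pin whichever one Playgama documents). `SignTestToken` and `JWKSFor` are constructed scaffolding that stand in for Playgama's signer and JWKS endpoint so the example runs offline; the function and claim names are this example's, not the platform's. It goes slightly beyond the four steps above by refusing any `alg` other than the pinned one, which is the usual failure mode when the algorithm is read from the token instead of fixed by the verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk/jwks follow RFC 7517, the shape a .well-known/jwks.json endpoint serves
// (assumed here for Playgama's endpoint; only RSA keys are handled).
type jwk struct{ Kty, Kid, N, E string }
type jwks struct{ Keys []jwk }

// PurchaseClaims holds the two claims the page says the token encodes.
type PurchaseClaims struct {
	OrderID    string `json:"orderId"`
	ExternalID string `json:"externalId"`
}

var b64 = base64.RawURLEncoding

// publicKey finds the RSA key whose kid matches and rebuilds it from n and e.
func publicKey(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("malformed JWK")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// VerifyPurchaseJWT validates an RS256 purchase token against the key set and returns its
// claims. The algorithm is pinned here, not read from the token, so "alg":"none" is rejected.
func VerifyPurchaseJWT(token string, set jwks) (*PurchaseClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	pub, err := publicKey(set, hdr.Kid)
	if err != nil {
		return nil, err
	}
	// The signature covers the raw header and payload segments exactly as received.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c PurchaseClaims
	if err := json.Unmarshal(raw[1], &c); err != nil || c.OrderID == "" || c.ExternalID == "" {
		return nil, errors.New("payload unreadable or orderId/externalId missing")
	}
	return &c, nil
}

// SignTestToken and JWKSFor are constructed scaffolding that stand in for
// Playgama's signer and JWKS endpoint so the example runs offline.
func SignTestToken(priv *rsa.PrivateKey, kid string, c PurchaseClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

func JWKSFor(pub *rsa.PublicKey, kid string) jwks {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok := SignTestToken(priv, "k1", PurchaseClaims{OrderID: "ord_1", ExternalID: "item_7"})
	fmt.Println(VerifyPurchaseJWT(tok, JWKSFor(&priv.PublicKey, "k1")))
}
```

In production the `jwks` value comes from fetching `https://playgama.com/.well-known/jwks.json` over HTTPS; cache it, and refetch once when a token arrives with a `kid` you do not have, so key rotation does not break purchases. Record each accepted `orderId` on your side as well: a valid token stays valid, so the same JWT replayed by a client must not grant the item twice.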

#### **B. Double-check with Playgama Verification API**

* Playgama also gives you a verification endpoint:

  `GET https://playgama.com/api/v1/payments/verify?orderId=<ORDER_ID>&externalId=<EXTERNAL_ID>`
* You send:
  * `orderId` (from the JWT)
  * `externalId` (the value you passed during purchase initiation)
* Playgama replies with the verification result, confirming whether the purchase is real and completed.
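The verification call, as an added example that is not Playgama's code. The URL and the two query parameters are the ones given above; the JSON reply shape (`verified`, `status`) is an assumption, because the page only says the endpoint confirms whether the purchase is real and completed, so map those fields onto the real response before relying on it. The stub server in `main` is constructed so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// PlaygamaVerifyURL is the endpoint named on the page.
const PlaygamaVerifyURL = "https://playgama.com/api/v1/payments/verify"

// VerifyResult is an ASSUMED reply shape; adapt the field names to the real API.
type VerifyResult struct {
	Verified bool   `json:"verified"`
	Status   string `json:"status"`
}

// BuildVerifyURL composes the GET URL, escaping both ids so a crafted
// externalId cannot smuggle extra query parameters into the request.
func BuildVerifyURL(base, orderID, externalID string) string {
	q := url.Values{}
	q.Set("orderId", orderID)
	q.Set("externalId", externalID)
	return base + "?" + q.Encode()
}

// VerifyWithPlaygama calls the endpoint and fails closed: anything other than a
// 200 carrying a verified, completed result means "do not grant the item".
func VerifyWithPlaygama(client *http.Client, base, orderID, externalID string) (bool, error) {
	resp, err := client.Get(BuildVerifyURL(base, orderID, externalID))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("verify API returned %s", resp.Status)
	}
	var r VerifyResult
	// Bound the body so a misbehaving upstream cannot exhaust memory.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 64<<10)).Decode(&r); err != nil {
		return false, fmt.Errorf("unreadable verify response: %w", err)
	}
	return r.Verified && r.Status == "completed", nil
}

func main() {
	// Constructed stand-in for Playgama's endpoint: only one order/externalId pair is "paid".
	stub := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("orderId") == "ord_1" && q.Get("externalId") == "item_7" {
			fmt.Fprint(w, `{"verified":true,"status":"completed"}`)
			return
		}
		fmt.Fprint(w, `{"verified":false,"status":"pending"}`)
	}))
	defer stub.Close()
	client := &http.Client{Timeout: 5 * time.Second} // never call out without a timeout
	fmt.Println(VerifyWithPlaygama(client, stub.URL, "ord_1", "item_7")) // true <nil>
	fmt.Println(VerifyWithPlaygama(client, stub.URL, "ord_2", "item_7")) // false <nil>
}
```

Use the `orderId` taken from the verified JWT and the `externalId` your server stored when it initiated the purchase, rather than values the client sends alongside the token; that keeps both parameters anchored to data you already trust.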

***

### 4. **Why both steps matter**

* **JWT check** → Ensures the data wasn’t faked/modified on the client side.
* **API verification** → Confirms that Playgama actually processed the payment successfully (in case of chargebacks, pending payments, etc.).

Together, they give you:

* **Integrity** (JWT is valid).
* **Final confirmation** (API says it’s paid).

***

**In practice**:

* Your game client → gets the JWT from Playgama.
* Client → sends JWT to your backend.
* Backend → verifies JWT using JWKS.
* Backend → calls Playgama verify API with `orderId` + `externalId`.
* If verification passes → backend grants the in-game item.
