# In-game purchases JWT Verification

### 1. **What happens during a purchase**

* When a player makes a purchase through the **Playgama platform**, the SDK (or platform API) gives you back a **purchase object**.
* This object contains typical purchase details (product ID, amount, currency, etc.) *plus* an additional property:

  `purchase["jwt"]`
* That JWT (JSON Web Token) is a signed token issued by Playgama. It encodes:
  * `orderId` → Playgama’s internal unique ID for this purchase.
  * `externalId` → The identifier you passed when starting the purchase (for example, your own item or transaction ID).

***

### 2. **What is JWKS and why do you need it**

* JWTs are cryptographically signed to prevent tampering.
* Playgama provides a **JWKS (JSON Web Key Set)** endpoint here:

  `https://playgama.com/.well-known/jwks.json`
* This endpoint contains the public keys needed to verify that the `purchase["jwt"]` is valid and really issued by Playgama.
* Your backend can download these keys and use them to check the token’s signature.

***

### 3. **How to verify the purchase**

There are two checks you can perform:

#### **A. Validate JWT locally (backend)**

1. Receive the `purchase["jwt"]` from your client after purchase.
2. Use the keys from Playgama’s JWKS endpoint to verify the JWT signature.
3. Extract the `orderId` and `externalId` inside.
4. If valid, you can trust that Playgama issued it.

#### **B. Double-check with Playgama Verification API**

* Playgama also gives you a verification endpoint:

  `GET https://playgama.com/api/v1/payments/verify?orderId=<ORDER_ID>&externalId=<EXTERNAL_ID>`
* You send:
  * `orderId` (from the JWT)
  * `externalId` (the value you passed during purchase initiation)
* Playgama replies with the verification result, confirming whether the purchase is real and completed.

***

### 4. **Why both steps matter**

* **JWT check** → Ensures the data wasn’t faked/modified on the client side.
* **API verification** → Confirms that Playgama actually processed the payment successfully (in case of chargebacks, pending payments, etc.).

Together, they give you:

* **Integrity** (JWT is valid).
* **Final confirmation** (API says it’s paid).

***

**In practice**:

* Your game client → gets the JWT from Playgama.
* Client → sends JWT to your backend.
* Backend → verifies JWT using JWKS.
* Backend → calls Playgama verify API with `orderId` + `externalId`.
* If verification passes → backend grants the in-game item.


