In-game purchases JWT Verification

JWT Verification information for In-game purchases

1. What happens during a purchase

  • When a player makes a purchase through the Playgama platform, the SDK (or platform API) gives you back a purchase object.

  • This object contains typical purchase details (product ID, amount, currency, etc.) plus an additional property:

    purchase["jwt"]

  • That JWT (JSON Web Token) is a signed token issued by Playgama. It encodes:

    • orderId → Playgama’s internal unique ID for this purchase.

    • externalId → The identifier you passed when starting the purchase (for example, your own item or transaction ID).


2. What is JWKS and why do you need it

  • JWTs are cryptographically signed to prevent tampering.

  • Playgama provides a JWKS (JSON Web Key Set) endpoint here:

    https://playgama.com/.well-known/jwks.json

  • This endpoint contains the public keys needed to verify that the purchase["jwt"] is valid and really issued by Playgama.

  • Your backend can download these keys and use them to check the token’s signature.


3. How to verify the purchase

There are two ways you can validate:

A. Validate JWT locally (backend)

  1. Receive the purchase["jwt"] from your client after purchase.

  2. Use the keys from Playgama’s JWKS endpoint to verify the JWT signature.

  3. Extract the orderId and externalId inside.

  4. If the signature is valid, you can trust that Playgama issued the token and that its contents were not altered.

B. Double-check with Playgama Verification API

  • Playgama also gives you a verification endpoint:

    GET https://playgama.com/api/v1/payments/verify?orderId=<ORDER_ID>&externalId=<EXTERNAL_ID>

  • You send:

    • orderId (from the JWT)

    • externalId (the value you passed during purchase initiation)

  • Playgama replies with the verification result, confirming whether the purchase is real and completed.


4. Why both steps matter

  • JWT check → Ensures the data wasn’t faked/modified on the client side.

  • API verification → Confirms that Playgama actually processed the payment successfully (in case of chargebacks, pending payments, etc.).

Together, they give you:

  • Integrity (JWT is valid).

  • Final confirmation (API says it’s paid).


In practice:

  • Your game client → gets the JWT from Playgama.

  • Client → sends JWT to your backend.

  • Backend → verifies JWT using JWKS.

  • Backend → calls Playgama verify API with orderId + externalId.

  • If verification passes → backend grants the in-game item.
