
Attesto

Receipt validation, without the headache.

Drop in. Configure once. Stop thinking about JWS chains, OCSP, and OAuth.

See it in action

One HTTP call. Verified payload back.

No SDK, no client library. Your backend POSTs a transaction ID, Attesto signs the JWT, calls Apple, verifies the JWS chain, and returns the decoded transaction.

Request

```bash
curl -X POST https://api.attesto.nossdev.com/v1/apple/verify \
  -H "Authorization: Bearer attesto_live_…" \
  -H "Content-Type: application/json" \
  -d '{"transactionId":"2000000123456789"}'
```
Response

```json
{
  "valid": true,
  "environment": "production",
  "transaction": {
    "transactionId": "2000000123456789",
    "bundleId": "com.example.app",
    "productId": "premium_monthly",
    "expiresDate": "2026-05-10T14:22:10.000Z",
    "currency": "USD",
    "price": 9990,
    "rawDecodedPayload": { "...": "..." }
  }
}
```

Google verification has the same shape: different request fields, identical envelope. See the full API reference →
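The request and response above are the whole integration surface, but `"valid": true` only says the transaction is real; deciding whether it entitles *your* user to *your* product is the interpretation Attesto leaves to the caller. The following is an added example, not code from Attesto or the NOSS team, of a backend that makes the call with the standard library and then applies the checks a practitioner should still make before granting access: the envelope says valid, the environment is the one expected, the transaction ID echoed back is the one asked about, the bundle ID is ours, the product is one we sell, and the subscription has not expired. `EXPECTED_BUNDLE_ID`, `KNOWN_PRODUCTS`, the `require_production` switch and the offline sample response are assumptions constructed for the example; the endpoint, headers and field names are the ones shown on the page.

```python
"""Added example (not Attesto's own code): call /v1/apple/verify and apply the
server-side checks a backend should still make on the returned transaction."""
import json
import urllib.request
from datetime import datetime, timezone

ATTESTO_URL = "https://api.attesto.nossdev.com/v1/apple/verify"  # endpoint from the page
EXPECTED_BUNDLE_ID = "com.example.app"   # assumption: your app's bundle id
KNOWN_PRODUCTS = {"premium_monthly"}     # assumption: product ids you actually sell


def call_attesto(api_key: str, transaction_id: str, timeout: float = 10.0) -> dict:
    """POST the transactionId exactly as the page's curl example does and return
    the parsed JSON envelope. Transport and HTTP errors raise; callers should
    treat any exception as "not verified" (fail closed), never as a grant."""
    req = urllib.request.Request(
        ATTESTO_URL,
        data=json.dumps({"transactionId": transaction_id}).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def _parse_iso_utc(value: str) -> datetime:
    """Parse the ISO-8601 timestamp format shown in the response ("...Z")."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_transaction(envelope: dict, transaction_id: str, now: datetime = None,
                      require_production: bool = True) -> tuple:
    """Return (grant: bool, reason: str) for an Attesto response envelope.

    Attesto answers "is this transaction real and what does it say?"; the checks
    below are the caller's interpretation of what it says. Every branch that is
    not positively satisfied denies, so an unexpected shape never grants access."""
    if now is None:
        now = datetime.now(timezone.utc)
    if envelope.get("valid") is not True:
        return False, "attesto reported the transaction as not valid"
    if require_production and envelope.get("environment") != "production":
        # Sandbox receipts are real signed receipts too; do not let them unlock production features.
        return False, f"unexpected environment {envelope.get('environment')!r}"
    tx = envelope.get("transaction") or {}
    if tx.get("transactionId") != transaction_id:
        # Bind the answer to the question: a valid receipt for some other transaction is not a grant.
        return False, "response is for a different transactionId"
    if tx.get("bundleId") != EXPECTED_BUNDLE_ID:
        # A genuine Apple receipt for another app is still worthless to this backend.
        return False, f"bundleId {tx.get('bundleId')!r} is not ours"
    if tx.get("productId") not in KNOWN_PRODUCTS:
        return False, f"unknown productId {tx.get('productId')!r}"
    expires = tx.get("expiresDate")
    if expires and _parse_iso_utc(expires) <= now:
        return False, f"subscription expired at {expires}"
    return True, "ok"


# Constructed sample mirroring the response shown on the page, so the checks
# can be exercised offline without an API key or network access.
SAMPLE_RESPONSE = {
    "valid": True,
    "environment": "production",
    "transaction": {
        "transactionId": "2000000123456789",
        "bundleId": "com.example.app",
        "productId": "premium_monthly",
        "expiresDate": "2026-05-10T14:22:10.000Z",
        "currency": "USD",
        "price": 9990,
    },
}


def with_field(envelope: dict, key: str, value) -> dict:
    """Return a deep-copied envelope with one transaction field replaced (test helper)."""
    out = json.loads(json.dumps(envelope))
    out["transaction"][key] = value
    return out


if __name__ == "__main__":
    fixed_now = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo
    print(check_transaction(SAMPLE_RESPONSE, "2000000123456789", now=fixed_now))
    print(check_transaction(with_field(SAMPLE_RESPONSE, "bundleId", "com.other.app"),
                            "2000000123456789", now=fixed_now))
```

In a real handler the call is `check_transaction(call_attesto(key, tx_id), tx_id)`, and the `reason` string belongs in your logs rather than in the HTTP response to the client, since the denial reasons describe exactly which check a forged or replayed receipt failed.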

Thin by design

Receipt validation. Nothing else.

Attesto answers one question well ("is this transaction real and what does it say?") and leaves the interpretation to you. If you need entitlements, paywalls, or analytics, look at RevenueCat or iaptic.

Attesto does
  • Verify Apple transactionId with JWS chain + OCSP
  • Verify Google purchaseToken (subscription + product)
  • Receive Apple S2S V2 webhooks (JWS-verified)
  • Receive Google Pub/Sub RTDN (OIDC JWT-verified)
  • Forward HMAC-signed events with retry/backoff
  • Per-tenant credential vault (encrypted at rest)
  • Fail closed on every signature/auth failure
Attesto doesn't
  • Manage entitlements ("is user X premium?")
  • Track subscription state machines
  • Store purchase history as source of truth
  • Analytics, revenue tracking, dashboards
  • Offer codes, promotional logic, trials
  • A/B testing for IAPs
  • Make business decisions on your behalf

This boundary is non-negotiable. Read the full positioning →

Open source

Auditable. Self-hostable. MIT.

Every line that touches your .p8 keys and webhook secrets is reviewable today. No closed-source backend, no proprietary magic.

  • MIT license: fork it, host it, modify it
  • 232 tests: unit + integration
  • 100% public on GitHub: every line auditable
  • SDK-backed Apple JWS verification with pinned root CAs
  • Google OIDC JWT verification with JWKS caching
  • AES-256-GCM encryption with HKDF-derived per-context subkeys
  • Cryptographic origin verification on every inbound webhook
Two ways to run it

Self-host or let us operate it.

Free, forever

Self-host

Clone the repo, configure your encryption key, deploy to Fly / Docker / Kubernetes / your own infra. Full control, zero recurring cost.

Recommended if you have ops capacity and want to control your own data path.

Self-host setup →

Hosted by Night Owl

Managed

We operate Attesto for you. Apple key rotations, Google service-account management, monitoring, upstream-API change tracking: all handled. You get an API key and a webhook callback URL.

Recommended for teams who'd rather ship features than operate validation infra.

Integrate with us →

Get in touch

Questions about integrating Attesto? Need help onboarding? Looking for managed hosting so you don't operate it yourself? The NOSS team reads every email.

nossteam@nossdev.com