The Catappult Developer Hub


IAP validators

In-app purchase validator: If you validate transactions on your back-end servers or use a server-to-server check, you need to go through some extra steps that typically take a back-end developer no more than 30 minutes to set up.

Server Side Check (if applicable)

Many developers add an extra step of security and only confirm the in-app purchase after verifying the transaction on the developers' backend. This verification, made with a unique public key, is a crosscheck between the developer backend and the app store servers.

As in other app stores, you must add your Catappult public key to your backend to validate the transactions.

Go to your Catappult back office and find your app's public key by following these steps:

  1. Log in to your Catappult account here.
  1. Should your app be in Draft status, click on your app, under Manage Apps, Draft and then click on Get my Public Key. Copy the public key to your clipboard.
  1. Should your app be in Pending Approval status or Approved status, click on the app view under Manage Apps and then Pending Approval or Approved. Then scroll down to the Monetization panel and click on Get my keys.
  1. Copy the public key and save it to your clipboard.

That’s it! You now have your unique public key that you must add to your backend to validate in-app billing transactions.

More info here.

Server to Server Check (if applicable)

HTTP request: GET

Supported Formats: JSON

Description: Web service to validate the purchase and consumption status of an in-app item.


  • package_name: The package name of the application where the product was purchased
    (for example, 'com.appcoins.trivialdrivesample')
  • sku: The in-app product SKU (for example, 'gas')
  • purchase_token: The token provided to the user's device when the product was purchased.

Authorization (required):

This request requires a Bearer access token in the Authorization header. For more information, see the section below on how to get an access token.


{
  "kind": "androidpublisher#productPurchase",
  "purchaseTimeMillis": long,
  "purchaseState": integer,
  "consumptionState": integer,
  "developerPayload": string,
  "orderId": string,
  "purchaseType": integer,
  "acknowledgementState": integer
}

  • kind: Represents a productPurchase.
  • purchaseTimeMillis: The time the product was purchased in milliseconds.
  • purchaseState: The purchase state of the order. Possible values are: 0 (Purchased), 1 (Canceled)
  • consumptionState: The consumption state of the in-app product. Possible values are: 0 (Yet to be consumed), 1 (Consumed)
  • developerPayload: A developer-specified string that contains supplemental information about an order.
  • orderId: The order id associated with the purchase of the in-app product.
  • purchaseType: The type of purchase of the in-app product. It is only set if the purchase wasn't made using the standard in-app billing flow. Possible values are: 0 (Test)
  • acknowledgementState: The acknowledgement state of the in-app product. Possible values are: 0 (Yet to be acknowledged), 1 (Acknowledged)
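
A backend decision over the response fields listed above, as an added example that is not part of the Catappult documentation. The function name, the sample values and the idea that your backend chose developerPayload when the order was created are assumptions; the response body would come from the server-to-server request.

```python
import json

EXPECTED_KIND = "androidpublisher#productPurchase"

# Constructed sample response using the documented fields (not real data).
SAMPLE = {
    "kind": EXPECTED_KIND, "purchaseTimeMillis": 1700000000000,
    "purchaseState": 0, "consumptionState": 0,
    "developerPayload": "user-1234", "orderId": "ORDER-EXAMPLE-0001",
    "acknowledgementState": 0,
}


def _is(data, key, value):
    # Strict match: a missing field, the string "0" or JSON false must not pass.
    v = data.get(key)
    return type(v) is int and v == value


def evaluate_purchase(body, expected_payload, granted_order_ids, allow_test=False):
    """Decide whether to grant the item; returns (grant, reason), failing closed."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(data, dict) or "error" in data:
        return False, "error response"
    if data.get("kind") != EXPECTED_KIND:
        return False, "unexpected kind"
    if not _is(data, "purchaseState", 0):
        return False, "not in Purchased state"
    if not _is(data, "consumptionState", 0):
        return False, "already consumed"
    # purchaseType is only set outside the standard billing flow (0 = Test).
    if "purchaseType" in data and not allow_test:
        return False, "test purchase"
    # Assumption: the backend chose developerPayload when the order was created.
    if data.get("developerPayload") != expected_payload:
        return False, "developerPayload mismatch"
    order_id = data.get("orderId")
    if not isinstance(order_id, str) or not order_id:
        return False, "missing orderId"
    if order_id in granted_order_ids:
        return False, "orderId already granted"
    granted_order_ids.add(order_id)  # use a durable, atomic store in production
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    print(evaluate_purchase(json.dumps(SAMPLE), "user-1234", seen))
    print(evaluate_purchase(json.dumps(SAMPLE), "user-1234", seen))
```

The in-memory set stands in for a database table with a unique constraint on orderId, so that two concurrent requests for the same order cannot both be granted.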


400, Invalid Value
401, Login Required
401, Invalid Credentials


{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "authError",
        "message": "Invalid Credentials",
        "locationType": "header",
        "location": "Authorization"
      }
    ],
    "code": 401,
    "message": "Invalid Credentials"
  }
}

How to get an access token to use on Server2Server API

Validating user credentials

HTTP Request: POST

If in China, please use

Supported Formats: JSON, XML

Supported Methods: POST

Description: Public webservice to validate user credentials by returning an access token (to use in other webservices).


User email (optional)


User password in cleartext or SHA1 encoded (optional)


OAuth2 grant type: 'password' or 'refresh_token'


OAuth2 client id: 'bds'


Return format : 'xml' or 'json' (optional, default is 'xml')


Refresh token, used to obtain a new access token (optional)

Mandatory arguments:

This endpoint requires 1 of the following possible combinations of arguments:

• client_id AND grant_type ('password') AND username AND password

• client_id AND grant_type ('refresh_token') AND refresh_token



OAuth Access Token


Lifetime in seconds of the access token


OAuth access token type


The scope of the access token


OAuth Refresh Token


OAuth error code (invalid_grant, invalid_client, invalid_request)


OAuth error description


Request result status (FAIL) in case of missing/invalid parameters or system error


Errors log from the request in case of missing/invalid parameters or system error

Error Codes:




Invalid username and password combination.


Invalid client or must authenticate using a client secret.


Missing parameter: 'refresh_token' is required


Missing authentication parameter(s): user and/or password


Missing client id


Missing grant type


Invalid grant type


An unknown error occurred, please try again.


This call is not supported by the current API version.

Sample Response - error:

Sample JSON

   "error_description":"Invalid username and password combination"

Sample Response - success:

Sample JSON

