The Catappult Developer Hub

Welcome to the Catappult developer hub. You'll find comprehensive guides and documentation to help you start working with Catappult as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

IAP validators

In-app purchase validator: If you validate transactions on your back-end servers or use a server to server you to go through some extra steps that typically take no more than 30 min to be set up from a back-end developer.

Server Side Check (if applicable)

Many developers add an extra step of security and only confirm the in-app purchase after verifying the transaction on the developers' backend. This verification, made with a unique public key, is a crosscheck between the developer backend and the app store servers.

As in other app stores, you must add Catappult public key into your backend to validate the transactions.

Please go to your Catappult’s backoffice and find your app public key by following the next steps:

  1. Login to your Catappult account here.
  1. Should your app be in Draft status, click on your app, under Manage Apps, Draft and then click on Get my Public Key. Copy the public key to your clipboard.
  1. Should your app be in Pending Approval status or Approved status, click on the app view under Manage Apps and then Pending Approval or Approved. Then scroll down to the Monetization panel and click on Get my keys.
  1. Copy the public key and save it to your clipboard.

That’s it! You now have your unique public key that you must add to your backend to validate in-app billing transactions.

More info here.

Server to Server Check (if applicable)

HTTP request: GET

Supported Formats: JSON

Description: Webservice to validate purchase and consumption status of an inapp item.

Parameters:

  • package_name The package name of the application where the product was purchased
    (for example, 'com.appcoins.trivialdrivesample')
  • sku The inapp product SKU (for example, 'gas')
  • purchase_token The token provided to the user's device when the product was purchased.

Authorization (required):

This request requires Bearer authorization access token in the header. For more information please check the section below:

Response:

{
"kind": "androidpublisher#productPurchase",
  "purchaseTimeMillis": long,
  "purchaseState": integer,
  "consumptionState": integer,
  "developerPayload": string,
  "orderId": string,
  "purchaseType": integer,
  "acknowledgementState": integer
}
  • kind: Represents a productPurchase.
  • purchaseTimeMillis: The time the product was purchased in milliseconds.
  • purchaseState: The purchase state of the order. Possible values are: 0. Purchased, 1. Canceled
  • consumptionState: The consumption state of the inapp product. Possible values are: 0. Yet to be consumed, 1.Consumed
  • developerPayload: A developer-specified string that contains supplemental information about an order.
  • orderId: The order id associated with the purchase of the inapp product.
  • purchaseType: The type of purchase of the inapp product. Is only set if the purchase wasn't made using the standard in-app billing flow. Possible values are: 0. Test
  • acknowledgementState: The acknowledgement state of the inapp product. Possible values are: 0. Yet to be acknowledged, 1. Acknowledged

Errors:

400, Invalid Value
401, Login Required
401, Invalid Credentials

Example:

{
"error": {
        "errors": [
            {
                "domain": "global",
                "reason": "authError",
                "message": "Invalid Credentials",
                "locationType": "header",
                "location": "Authorization"
            }
        ],
        "code": 401,
        "message": "Invalid Credentials"
}

How to get an access token to use on Server2Server API

Validating user credentials

HTTP Request: POST

https://webservices.aptoide.com/webservices/3/oauth2Authentication

If in China, please use https://webservices.catappult.cn/webservices/3/oauth2Authentication

Supported Formats: JSON XML

Supported Methods: POST

Description: Public webservice to validate user credentials by returning an access token (to use in other webservices).

username

User email (optional)

password

User password in cleartext or SHA1 encoded (optional)

grant_type

OAuth2 grant type: 'password' or 'refresh_token'

client_id

OAuth2 client id: 'bds'

mode

Return format : 'xml' or 'json' (optional, default is 'xml')

refresh_token

Refresh token, used to obtain a new access token (optional)

Mandatory arguments:

This endpoint requires 1 of the following possible combinations of arguments:

• client_id AND grant_type ('password') AND username AND password

• client_id AND grant_type ('refresh_token') AND refresh_token

Response:

access_token

OAuth Access Token

expires_in

Lifetime in seconds of the access token

token_type

OAuth access token type

scope

The scope of the access token

refresh_token

OAuth Refresh Token

error

OAuth error code (invalid_grant, invalid_client, invalid_request)

error_description

OAuth error description

status

Request result status (FAIL) in case of missing/invalid parameters or system error

errors

Errors log from the request in case of missing/invalid parameters or system error

Error Codes:

Name

Description

invalid_grant

Invalid username and password combination.

invalid_client

Invalid client or must authenticate using a client secret.

invalid_request

Missing parameter: 'refresh_token' is required

MARG-201

Missing authentication parameter(s): user and/or password

MARG-203

Missing client id

MARG-204

Missing grant type

IARG-203

Invalid grant type

SYS-1

An unknown error occurred, please try again.

SYS-4

This call is not supported by the current API version.

Sample Response - error:

Sample JSON

{
   "error":"invalid_grant",
   "error_description":"Invalid username and password combination"
}

Sample Response - success:

Sample JSON

{
   "access_token":"e05b1917b9ec3a1c178297d099a37b3febf34aa5",
   "expires_in":60,
   "token_type":"Bearer",
   "scope":null,
   "refresh_token":"6a8c8ecd311117f14b82ed353f3c1347afda424f"
}

IAP validators


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.