Hey ​@s-falk,

Limiting a service account’s access to just one app is a good security practice, and Google Play Console technically supports app-scoped permissions. However, RevenueCat requires account-level permissions because of how Google’s own APIs are designed. Specifically:

• Subscription and product APIs require account-level roles like:
  • “View financial data”
  • “Manage orders and subscriptions”
• Real-time developer notifications use Pub/Sub, which also needs broader account access
• Even though our calls are scoped to a single app, Google enforces these permissions at the account level

So while app-level permissions may seem sufficient in theory, in practice they’ll result in permission errors when RevenueCat tries to access the necessary endpoints.
 
We’ll keep an eye on Google’s permission model and update our guidance if more granular scoping becomes possible.
 
Best,

I understand - thank you for providing those details.

I wasn’t able to fully test my purchases yet which is why I didn’t ran into any issues yet. I have just tried to set App Permissions for now.

These permissions seem to be sufficient to retrieve the status:

But, as you mentioned, this probably won’t work when it comes to actual purchases. 

Hey ​@s-falk ,

From the screenshot that seems like it’s pulling the correct Status from the store - to check if it works as expected I’d suggest running a couple of tests (using Sandbox testing) and see how it behaves. 

Best,

I will give it a try. :) 

Currently trying to create iOS IAPs - not as simple as creating Android SKUs .. :’)

Hi ​@s-falk,

No worries, let us know if you have questions!

Best,