
When adding Service Accounts, the docs state:

 

Under 'App permissions' you need to add your app. Then under 'Account permissions', you need to grant certain permissions in order for RevenueCat to properly work.

 

Is this really necessary? It is possible to assign apps to users and manage app permissions s.t. the particular service account is only able to access one specific app instead of all apps.

The documentation currently recommends that users grant Account Permissions, which means said service account would be able to access all apps in the Play Store.

Can this be avoided by just setting the correct permissions under App Permissions > Manage Permissions?

See also: https://github.com/RevenueCat/docs/pull/929 

Hey ​@s-falk,

Limiting a service account’s access to just one app is a good security practice, and Google Play Console technically supports app-scoped permissions. However, RevenueCat requires account-level permissions because of how Google’s own APIs are designed. Specifically:

  • Subscription and product APIs require account-level roles like:
    • “View financial data”
    • “Manage orders and subscriptions”
  • Real-time developer notifications use Pub/Sub, which also needs broader account access
  • Even though our calls are scoped to a single app, Google enforces these permissions at the account level

So while app-level permissions may seem sufficient in theory, in practice they’ll result in permission errors when RevenueCat tries to access the necessary endpoints.
 
We’ll keep an eye on Google’s permission model and update our guidance if more granular scoping becomes possible.
 
Best,


I understand - thank you for providing those details.

I wasn’t able to fully test my purchases yet, which is why I haven’t run into any issues yet. I have just tried to set App Permissions for now.

These permissions seem to be sufficient to retrieve the status:

 

But, as you mentioned, this probably won’t work when it comes to actual purchases. 


Hey ​@s-falk ,

From the screenshot, that seems like it’s pulling the correct Status from the store. To check if it works as expected, I’d suggest running a couple of tests (using Sandbox testing) and seeing how it behaves.

Best,


I will give it a try. :) 

 

Currently trying to create iOS IAPs - not as simple as creating Android SKUs .. :’)


Hi ​@s-falk,

No worries, let us know if you have questions!

Best,

 

 

