Hello,
I am using webhooks to store all webhook events that RC sends me in a Postgres database. I noticed on the webhook documentation that I should be requesting the `/subscriber` endpoint on every subscription webhook event that comes in, in order to “sync” the state of the database to the RC API source of truth.
My question is - from a server, should I be using the Apple API key or the Google API key when requesting subscriber attributes from my server? My working assumption is that I can use this API to ultimately tell if a user is subscribed, so I am going to use that to unlock subscriptions / determine backend authorization for certain endpoints. Is this the correct approach here? If so, which key should I be using, or does it not matter from the server (will using the Apple and Google API keys against the /subscriber endpoint return the same data)?
Another question I have is about latency. Will the webhook event come in before the RevenueCat API is updated? Also, is this a bad approach moving forward to be checking the RC API for a user’s subscription status (on every authorized request) if there is some rate limiting that I am unaware of? I’m assuming that the normal flow is that the API is only used on subscriber-related webhook requests to sync some table that we create, which ultimately determines if the user is currently subscribed or not. I can do that too, but I haven’t quite set up my infrastructure like that. I want to instead just store all RevenueCat webhook events (already doing this), and then just use the RC API every time an auth’d request comes in, and use DB as a fallback option.
Thanks,
Carl
Hey there!
I’d recommend using a Secret Key from your server to fetch subscription status: https://www.revenuecat.com/docs/authentication
You can read more about the endpoint here: https://www.revenuecat.com/reference/subscribers
You can also assume that when you receive the webhook notification, the GET /subscriber endpoint will also include the latest up-to-date information about the subscriber. It’s safe to fetch this when you need it.
Just in case anyone finds this in the future, the solution was, at least for me, to not send the X-Platform header in the request from my server. Once I made the request without that header, I stopped seeing the “Secret API keys should not be used in your app” error message.
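A server-side version of the check discussed in this thread, written as an added example (not code from the posters or from RevenueCat): the secret key is read from the environment, no X-Platform header is sent, and the entitlement check fails closed on malformed data. Assumptions to verify against the linked reference: the v1 base URL and the `subscriber.entitlements.<id>.expires_date` response shape; `REVENUECAT_SECRET_KEY`, `pro` and `db_fallback` are hypothetical names.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Assumed v1 REST base URL; confirm against the reference linked in the thread.
API_BASE = "https://api.revenuecat.com/v1"

def build_subscriber_request(app_user_id, secret_key):
    """GET /subscribers/{id}, authenticated with the server-side secret key."""
    # Percent-encode the id so a crafted user id cannot alter the request path.
    url = f"{API_BASE}/subscribers/{urllib.parse.quote(app_user_id, safe='')}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {secret_key}")
    # Deliberately no X-Platform header: per the thread, sending it with a
    # secret key produced "Secret API keys should not be used in your app".
    return req

def entitlement_active(payload, entitlement_id, now=None):
    """Fail closed: anything missing or malformed means 'not subscribed'."""
    now = now or datetime.now(timezone.utc)
    try:
        ent = payload["subscriber"]["entitlements"][entitlement_id]
        expires = ent["expires_date"]
        if expires is None:  # assumed: null means non-expiring access
            return True
        return datetime.fromisoformat(expires.replace("Z", "+00:00")) > now
    except (KeyError, TypeError, ValueError, AttributeError):
        return False

def is_subscribed(app_user_id, entitlement_id, db_fallback, opener=urllib.request.urlopen):
    """Ask the API first; on transport or parse errors use the webhook-fed DB."""
    try:
        req = build_subscriber_request(app_user_id, os.environ["REVENUECAT_SECRET_KEY"])
        with opener(req, timeout=5) as resp:
            return entitlement_active(json.load(resp), entitlement_id)
    except (OSError, KeyError, ValueError):
        return db_fallback(app_user_id)

# Constructed sample response, not real API output.
SAMPLE = {"subscriber": {"entitlements": {"pro": {"expires_date": "2099-01-01T00:00:00Z"}}}}

if __name__ == "__main__":
    print(entitlement_active(SAMPLE, "pro"))
    print(entitlement_active(SAMPLE, "missing"))
```

The `opener` parameter exists so the network call can be replaced in tests; `db_fallback` stands in for a lookup against the table built from stored webhook events.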