Services like Stripe require a secret key and a server to make a purchase. If it was possible to do entirely client-side, wouldn’t Stripe do it be default?
Userlevel 5
+10
Hey
I saw that you also opened a ticket with the Support team about this question. Pasting over their reply so it’s public:
The app is making API calls directly to RevenueCat, so the app needs the API key - however, there is very little risk because you're not actually making purchases with the API key but just sending the purchase to RevenueCat. The purchase has already been made on the device by that time. You do need the secret key when making purchases via the REST API. Read more about our authentication here: https://docs.revenuecat.com/docs/authentication
This is in contrast with Stripe, where the requests are proxied through the developer's server and purchases are made using Stripe.
Reply
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.