Skip to main content

Trusted Entitlements

RevenueCat uses strong SSL to secure communications against interception. But the user is in control of the client device, and, while not an easy process, they can configure it to allow and execute MiTM attacks to grant themselves entitlements without actually paying you.

To prevent this, in addition to SSL for secure communications, our native (iOS/Android) SDKs, together with our backend, will verify responses integrity by checking a cryptographic signature.


Trusted Entitlements is supported in iOS SDK version 4.25.0 and up, and Android SDK version 6.6.0 and up.



SDKs can be configured in one of 3 EntitlementVerificationMode's:

  • Disabled (default): equivalent to no verification. Susceptible to request tampering.
  • Informational (beta): No behavior change, but the result of verification is included in EntitlementInfos / EntitlementInfo.
  • Enforced (coming soon): verification failures result in ErrorCode.signatureVerificationFailed error being thrown.
with: Configuration.Builder(withAPIKey: <api_key>)
.with(entitlementVerificationMode: .informational)


When configuring the SDK with EntitlementVerificationMode.informational, EntitlementInfo contains the verification result:

let user = try await Purchases.shared.customerInfo()

switch user.entitlements.verificationResult {
/// No verification was done.
/// This can happen for multiple reasons:
/// 1. Verification is not enabled in ``Configuration``
/// 2. Verification can't be performed prior to iOS 13.0
case .notRequested:

/// Entitlements were verified with our server.
case .verified:

/// Entitlements were created and verified on device through `StoreKit 2`.
case .verifiedOnDevice:

/// Entitlement verification failed, possibly due to a MiTM attack.
case .failed:

Additionally, verification errors are always forwarded to Purchases.errorHandler.

Edge cases

Cache invalidation

Transitioning an app from EntitlementVerificationMode.disabled to EntitlementVerificationMode.informational means that cached data would not be verified. In order for a user to be able to rely on this new behavior, the SDKs invalidate caches when this change is detected, so that all subsequent data requests are guaranteed to have validation information.

Key replacement

We use intermediate keys that are rotated frequently. These are signed by a root key. In the very unlikely event that the root key is compromised and needs to be replaced, this would be the process:

  • The old pair would be considered insecure
  • A new version of API endpoints would be added
  • A new version of the SDK that uses the new set of endpoints and the new public key would be rolled out

In this way, apps using the old version of the SDK would continue to work, but they would have to be updated to the new set of keys if they want to continue being secure against tampering.


  • Android 4.4+
  • iOS 13.x+