I am using the public url https://api.storekit-sandbox.itunes.apple.com/inApps/v1/notifications/jwsPublicKeys to get the jwks keys to verify the signed payload for store kit payments. I am checking Apple server notifications.
const APPLE_JWKS_URL = "https://api.storekit-sandbox.itunes.apple.com/inApps/v1/notifications/jwsPublicKeys"
// Apple JWK set (cached by jose)
const appleJWKS = createRemoteJWKSet(new URL(APPLE_JWKS_URL));
const jwks = await appleJWKS();
logger.debug("Apple JWKS Keys: %O", jwks); // Log the keys
if (!signedPayload) {
// return res.status(400).json({ error: "Missing signedPayload" });
}
// Step 1: Verify JWS (signature + payload) using Apple's JWKS
const { payload, protectedHeader } = await jwtVerify(
signedPayload,
appleJWKS,
{
algorithms: ["ES256"], // Apple uses ES256 for signing
}
);