ContraryMotion
23 days ago

Embedding API Key in App

I apologize for asking a similar question to one I asked recently here, but if possible, I would very much appreciate it if someone from the Roku team could chime in with an answer.

I'm currently updating my app to include the first paid subscription. According to the documents, I should use the validate-transaction API within the app. This requires embedding our API key within the app itself.

Is embedding this key within the app itself considered safe?

It would seem from the documentation that the answer would be yes. Roku even provides a sample app that has a placeholder for the API key:

https://github.com/rokudev/on-device-authentication/blob/75a0c69a7b68e00c466b1bef43e9d2f7710a5c17/components/MainScene.brs#L54

So why am I still asking this question?

I've never embedded such a key within any app I've ever developed on any platform. Any sensitive key like this remains on the server where it's safe or at least can be switched out quickly if it gets compromised. Embedding a value like this into an app means an app update if it needs to be changed.

But all of the Roku Pay docs seem to point to using the validate-transaction API within the app for validation purposes. Unless I've misunderstood something fundamental, in which case I would welcome being corrected.

Thanks for your time.