Implementing Roku Pay - Workflow questions
I'm currently implementing a pre/mid-roll ad-free subscription option to our Roku app using Roku Pay. Everything is working well in testing, but I'm a little confused about the workflow described here:
https://developer.roku.com/docs/developer-program/roku-pay/implementation/overview.md
The sequence diagram above shows calling getAllPurchases to get the currently logged in (Roku) user's purchases. It then shows a call to the validate-transaction service.
My first question is why is the call to the validate-transaction service necessary since you get all the info you need from the call to getAllPurchases?
getAllPurchases includes a status field which tells you if the purchase is in a valid or invalid state. Isn't this enough to determine whether or not to let the user access the purchases features?
Secondly, it's implied that the call to the validate-transaction service is done within the app. That call requires an API key; it seems risky to embed that within the app itself. Or is this concern not valid?
I can understand the use for the validate-transaction service on the server side. For example, the documentation here describes the logic to be implemented server side:
Thanks for any clarification.