Securely detecting asset purchases and their details

Currently, the only API we have available for detecting when a third-party asset is purchased is the MarketplaceService.PromptPurchaseFinished signal. Unfortunately, this API is exploitable because it is based on what clients report to the server.

My team is having trouble with this because two of our games use a donation system which tracks purchases of classic clothing items and players’ gamepasses. There are two main problems:

  • We need to manually check if a purchase actually got processed successfully by Roblox using MarketplaceService:PlayerOwnsAsset() and MarketplaceService:UserOwnsGamePassAsync(), but these are not ideal because they’re an extra point of failure and potential source of delays.

  • The price of a purchase also cannot be verified. We can query the current price using MarketplaceService:GetProductInfo(), but the result will be cached, which makes it very easy to exploit, and even if it wasn’t cached, it’s not guaranteed to be the price that was used for the purchase. To avoid the caching, we need to use the following APIs instead:

    • https://apis.roblox.com/game-passes/v1/game-passes/GAME_PASS_ID/product-info
    • https://economy.roblox.com/v2/assets/ASSET_ID/details

6 Likes
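The ownership check described in the post above, as an added example that is not part of the original post or any Roblox-provided code: a server script that ignores the client-reported purchase flag and credits a donation only when the server itself opened the prompt and ownership changed from "not owned" to "owned". `DONATION_ASSETS`, `requestDonation` and `creditDonation` are hypothetical names, the asset ID is a placeholder, and the price problem is not addressed.

```lua
-- Server Script (added example). Names below are hypothetical.
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")

local DONATION_ASSETS = { [1234567890] = true } -- placeholder asset ID
local pending = {} -- pending[userId][assetId] = true, written only by the server

-- Returns true/false, or nil when ownership could not be determined.
local function ownsAsset(player, assetId)
	for attempt = 1, 4 do
		-- PlayerOwnsAsset is a web call and can throw, so wrap it in pcall.
		local ok, owns = pcall(MarketplaceService.PlayerOwnsAsset, MarketplaceService, player, assetId)
		if ok then
			return owns
		end
		if attempt < 4 then
			task.wait(2 ^ attempt) -- back off before retrying
		end
	end
	return nil
end

local function creditDonation(player, assetId)
	print(("verified donation: user %d bought asset %d"):format(player.UserId, assetId))
end

-- Call from server code only, e.g. a validated RemoteEvent handler.
local function requestDonation(player, assetId)
	if not DONATION_ASSETS[assetId] then return end
	-- Require a confirmed "not owned" first; otherwise a forged
	-- "finished" report for an already-owned item would pass later.
	if ownsAsset(player, assetId) ~= false then return end
	pending[player.UserId] = pending[player.UserId] or {}
	pending[player.UserId][assetId] = true
	MarketplaceService:PromptPurchase(player, assetId)
end

MarketplaceService.PromptPurchaseFinished:Connect(function(player, assetId, _claimedPurchased)
	local mine = pending[player.UserId]
	if not (mine and mine[assetId]) then return end -- prompt was not opened by us
	mine[assetId] = nil -- at most one credit per prompt
	-- The reported flag is ignored; only the ownership lookup counts.
	if ownsAsset(player, assetId) == true and player.Parent then
		creditDonation(player, assetId)
	end
end)

Players.PlayerRemoving:Connect(function(player)
	pending[player.UserId] = nil
end)
```

A `nil` result from `ownsAsset` is treated as unverified in both places, so a lookup outage delays or drops a credit rather than granting one.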

This has been brought up multiple times to staff members, and one mentioned they were working on a solution nearly a year ago now. Still no updates. :neutral_face:

1 Like