Big Edit:
I have unknowingly spread misinformation by my lack of research into this topic. I cannot delete it, so I will leave it strike-throughed so hopefully I don’t cause anymore confusion
As a Roblox developer, it is currently impossible to safely grant rewards to a player for a gamepass they have just purchased in-game.
However, it has been revealed by other users that this API can be spoofed to unlock all gamepasses for free, making it unreliable.
⠀
The only other method is the API: UsersOwnGamepassAsync, but unfortunately the documentation explains that due to its caching behavior, it would not provide a reliable result:
> If the pass is purchased in-experience through PromptGamePassPurchase(), this function may return false due to the caching behavior.
⠀
The main ways of solving this would be one of the following: 1. The caching behaviour needs to be removed for UserOwnsGamePassAsync so that the developers can cache on their own end 2. A new API to reliably detect Gamepass ownership without being spoofed 3. Make it so PromptGamepassPurchasedFinished can’t be spoofed by the client
This bug report has been heavily based on this existing feature request by Chipio
I have heard later on that the gamepass purchase signal will not be fired if the player doesn’t have the gamepass.
The exploit that was being discussed at that time was firing multiple devproducts signals, which was a developer-introduced vulnerability by trusting the PromptPurchaseFinished signal for awarding rewards.
I’ll update my posts to avoid any misconception in the future.
Thanks for the report. As you pointed out, using PromptPurchaseFinished isn’t the correct signal to reward users. The right way to reward user is via ProcessReceipt API. We do not plan to change this behavior.