Webhook setup

Apple App Store Server Notifications v2

Apple delivers subscription lifecycle events as signed JWS payloads via App Store Server Notifications (ASSN) version 2. stubkit verifies the signature against Apple's certificate chain and applies the event to your tenant's canonical state.

Endpoint to paste

https://api.stubkit.com/v1/webhooks/apple

One endpoint across all tenants. The bundle ID inside the payload routes to the right tenant automatically.

Dashboard steps

  1. Open App Store Connect → Users and Access → Integrations → App Store Server API.
  2. Create an API key with the Admin role. Note the Issuer ID, the Key ID, and download the .p8 private key file.
  3. Paste the Issuer ID, Key ID, and .p8 file contents into dash.stubkit.com → Apps → your app → Settings → Providers.
  4. In App Store Connect → My Apps → your app → App Information → App Store Server Notifications, set the Production Server URL to the endpoint above and set Version to v2.
  5. Leave the Sandbox Server URL pointing at your existing sandbox target in parallel until the cut-over is complete.

What we verify

  • The JWS is signed with ES256 using the leaf certificate in the x5c header.
  • The certificate chain anchors to Apple's trusted root authority by pinned fingerprint.
  • An optional cross-check with the App Store Server API provides a second authoritative trust anchor on top of the JWS signature.

What we store

The full raw body is archived under apple/<bundleId>/yyyy/mm/dd/<notificationUUID>.json with a two-year retention policy. A normalized message is dispatched for asynchronous processing and the per-user state engine updates canonical state before any subsequent read returns.