When I test an in-app purchase with the sandbox the post request to the sandbox url https://sandbox.itunes.apple.com/verifyReceipt returns

 data: { environment: 'Sandbox', status: 21003 }

The 21003 status code means that the receipt could not be authenticated. https://developer.apple.com/documentation/appstorereceipts/status?language=objc

Is this expected? I'd assumed my test receipt would be considered valid for the sandbox environment and return a status of 0.

No its not expected. I needed to provide a valid code in the password field even though the in-app purchase was not for an auto-renewable subscription.

You report that when you send the appStoreReceipt to the verifyReceipt endpoint that you are seeing the status result 21003. This status indicates that the appStoreReceipt was malformed, incomplete, or incorrectly encoded. Can you capture the base64 encoded appStoreReceipt and send me the contents as a text file for me to manually validate the contents. If you app process sells an auto-renewing subscription item, please include the app's shared secret. I use the following curl command line tool to validate appStoreReceipts.

For sandbox receipts:

curl -d '{ "exclude-old-transactions": true "password":"yyyy" "receipt-data": "xxxx"}' https://sandbox.itunes.apple.com/verifyReceipt

For production receipts:

curl -d '{ "exclude-old-transactions": true "password":"yyyy" "receipt-data": "xxxx"}' https://buy.itunes.apple.com/verifyReceipt

Where exclude-old-transactions is used to limit the contents of the latest_receipt_info to only the most recent entry and

"password" is the request key to indicate the shared-secret that is required when the content is an auto-renewing subscription.

yyyy - is the shared-secret and
xxxx - is the base64 encoded content of the appStoreReceipt.

No its not expected. I needed to provide a valid code in the password field even though the in-app purchase was not for an auto-renewable subscription.

I also experienced this error, in my case the shared secret that I was using was wrong.

Maybe someone need a bash script I have wrote for this.

#!/bin/bash
clear

green='\033[0;32m'
cyan='\033[0;36m'
noColor='\033[0m' # No Color

sig=$1
mode=$2

if [ -z "$mode" ];
  then
    PS3="Please select a mode: "
    options=("Sandbox" "Production")
    select opt in "${options[@]}"
    do
        case $opt in
            "Sandbox") break;;
            "Production") break;;
            *) echo -e ${red}"\ninvalid option" \"$REPLY\"${noColor};;
          esac
        done
    else
      opt=$mode
fi

if [[ "$opt" == "Production" ]]
then
  echo -e ${green}"Production selected"${noColor}
  commandToExecute="curl -d '{\"receipt-data\":\"$sig\"}' https://buy.itunes.apple.com/verifyReceipt"
else
  echo -e ${cyan}"Sandbox selected"${noColor}
  commandToExecute="curl -d '{\"receipt-data\":\"$sig\"}' https://sandbox.itunes.apple.com/verifyReceipt"
fi

eval $commandToExecute

Call it like ./scriptName signatureToValidate

In my case the password was incorrect of the API call was incorrect.

You should go to Apple Store Connect > Users and Access > Shared Secret :

Then Create (or copy if you already have one) the shared secret.

Then in the API call you should include this code in the password field of the body:

exports.postDataApple = async (receiptData) => {
    const res = await fetch(process.env.APPLE_VERIFY_RECEIPT_URL, {
        method: "POST",
        headers: {
             "Content-type": "application/json",
             "Accept": "application/json",
        },
        body: JSON.stringify({
            "password": process.env.APPLE_SECRET_STRING,
            "receipt-data": receiptData,
        }),
    });
    return res !== undefined && res.status !== undefined && res.status === 200
        ? await res.json()
        : undefined;
}