I am trying to understand the correct flow for mobile app / server app - auto renewable subscriptions.

Since verifyReceipt has been marked as deprecated, I am struggling with the question of how I should link an App Store Server Notification v2 message with a user in the database.

Currently, the process is as follows:

First, the mobile application calls our server with receipt-data. Second, the server calls verifyReceipt to validate the receipt. Then, I am able to match the user's subscription/transaction with their data (using an internal JWT with user data from the first step and originalTransactionId from decoded verifyReceipt response). Now, if we omit the first step, how would I determine who should be the recipient of the App Store Server Notification v2 message?

If your backend is written in Node.js, Python, Swift or Java, Apple provides official libraries to verify purchases by setting up a web hook on your server: https://github.com/apple/app-store-server-library-node

I'm starting to working too ( not finish yet but I think I can shared my idea ).

My flow more like same as your flow. And this is your flow today:

1. the mobile application calls our server with receipt-data.
2. the server calls verifyReceipt to validate the receipt. Then, I am able to match the user's subscription/transaction with their data
3. Your server response to mobile that subscription is finished or failed.

I think the new flow will like this:

1. the mobile application calls our server with receipt-data.
2. The server calls App Store Server API to validate the payment maybe from transaction info api ( still not sure yet ) Then you can subscription follow your today process
3. Your server response to mobile that subscription is finished or failed.

As my describe I think for this part ( new subscription ) you need to Implement App Store Server API ( need to have JWS for authentication with App Store Server API )

The next part is for ( Server Notifications ) you can change Server Notification to version 2 Enabling App Store Server Notifications, and for this part I'm still checking, If I have more clear I'll shared to you.

Update after I'm already finish migration. I'm start to working with new payment first to handle between my server and my App and then apply the same method for App Notification after.

1. Handle between the app and my server

• My app still using StoreKit version 1 so I will send the same data to my server
• My server get the data and look for "Transaction Id" and call [Get all subscription statuses]: https://developer.apple.com/documentation/appstoreserverapi/get_all_subscription_statuses?language=objc if your product are subscription
• For decode JWT you can check [this site]: https://jwt.io/ to check and verity more easy.
• Check the decoded payload and update database, done.

2. Apply Notification version 2

• Test with development environment first
• Notification send with signedPayload need to decoded payload first, after decode payload you will get all like [this link]:https://developer.apple.com/documentation/appstoreservernotifications/responsebodyv2decodedpayload?language=objc
• When verify the JWS, you will get public certificate from header you can grab public certificate and verify with [apple root G3 certificate]: https://www.apple.com/certificateauthority/AppleRootCA-G3.cer
• After decoded and verify you can update your database and done.

I don't put the code because of all this is in server side, if you need I can provide more.