A PlayFab representative asked us to open this ticket on this forum thread (copy-pasted below): https://community.playfab.com/questions/46629/validating-purchases-in-the-server-api.html
We're currently handling subscriptions on Google Play with the private preview membership feature. The system works fine to ensure that all clients are legitimately subscribed. When the client logs in, it checks if a local receipt exists. If none is found, it checks in the player data if there are receipts from other devices. Then the client uses ValidateGooglePlayPurchase to validate the receipt. This system allows us to give memberships across different platforms. Ideally, all of that logic would be done atomically in CloudScript / Azure Functions, but that requires Validate[Platform]Purchase to be available in the server API.
The current status of subscriptions is updated when players open their client, but if they unsubscribe through the OS and never go back to the app (a scenario we imagine will be quite frequent), PlayFab will never know that this subscription is now invalid. Same thing if a user just doesn't log in to the client for a few months - we won't know whether or not that subscription is still valid.
The ideal scenario would be to be notified the moment a user unsubscribes, has an invalid payment, etc. Google Play and Apple both have server-to-server notification systems, which call an endpoint to notify that some change occurred to the subscription status. We could set a webhook in Azure, but for both platforms we still then need to validate the receipt with platform holders to get the actual status of the subscription. Ideally we would leverage PlayFab's existing code to do this, using a method like ValidateGooglePlayPurchase, which handles the communication with the platform and updates the membership status. Again, Validate[Platform]Purchase methods would need to be available in the server API. We can't use client API methods in CloudScript or Azure Functions, since we could get rate limited due to these calls coming from the same IP address.
We could implement communications with platform holders directly from CloudScript or Azure Functions, but at that point we're duplicating a lot of logic that PlayFab already implemented.
The suggestion is therefore to make the Validate[Platform]Purchase methods available from the server API. Not limiting client API calls coming from CloudScript or Azure Functions would also fix our issue (it's not the first time we would need access to the client API from the server).
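
The webhook flow described in this post, sketched as an added example (not part of the original post and not PlayFab code): a Google Play real-time developer notification only triggers a server-side re-validation, and the membership decision comes from that validation result. `verifyWithPlatform` and its `{ expiryTimeMillis }` return shape are assumptions standing in for the platform validation call, and the sample notification is constructed.

```javascript
// Added example: a Google Play real-time developer notification (RTDN) arrives
// as a Pub/Sub push message. Its content is untrusted and only triggers a
// fresh server-side validation, which decides the membership state.

// Decode the push envelope; return null if malformed or not a subscription event.
function parseRtdn(body) {
  try {
    const n = JSON.parse(Buffer.from(body.message.data, 'base64').toString('utf8'));
    const s = n.subscriptionNotification;
    if (!s || typeof s.purchaseToken !== 'string' || !s.purchaseToken) return null;
    return { packageName: n.packageName, subscriptionId: s.subscriptionId,
             purchaseToken: s.purchaseToken, notificationType: s.notificationType };
  } catch (e) {
    return null;
  }
}

// verifyWithPlatform is a hypothetical async callback standing in for the
// platform validation call; assumed to resolve to { expiryTimeMillis }.
async function handleNotification(body, expectedPackage, verifyWithPlatform, now = Date.now()) {
  const n = parseRtdn(body);
  if (!n) return { action: 'ignore', reason: 'malformed' };
  if (n.packageName !== expectedPackage) return { action: 'ignore', reason: 'wrong-package' };
  let expiry;
  try {
    const state = await verifyWithPlatform(n.subscriptionId, n.purchaseToken);
    expiry = Number(state.expiryTimeMillis);
  } catch (e) {
    expiry = NaN;
  }
  // Leave membership untouched when validation fails, so the sender can redeliver.
  if (!Number.isFinite(expiry)) return { action: 'retry', reason: 'validation-failed' };
  // The notification type is not used for the decision: a canceled
  // subscription (type 3) still grants access until its expiry time.
  return { action: expiry > now ? 'grant' : 'revoke', purchaseToken: n.purchaseToken };
}

// Constructed sample notification; all values are made up.
function sampleBody(packageName, purchaseToken) {
  const payload = { version: '1.0', packageName, eventTimeMillis: '1600000000000',
    subscriptionNotification: { version: '1.0', notificationType: 3,
      purchaseToken, subscriptionId: 'example.monthly' } };
  return { message: { messageId: '1',
    data: Buffer.from(JSON.stringify(payload)).toString('base64') } };
}
```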