I am looking at using the v2 in-app subscriptions server-side notifications. I have got this working by decoding and validating the token using the x5c and alg properties in the header.
However, I don't know how to validate that this certificate was issued by Apple. The docs don't really seem to say anything about this.
Does anyone know how I do this? At the moment, my code is a bit pointless as the JWT could have been signed by anyone.
The only other thing I can think of is to ignore the JWT altogether and just use the API to query every time, which seems to defeat the object.