App payments guide

There are two kinds of payments made by app end users in the Firefox Marketplace: a payment made to purchase an app (a paid app), and a payment made to buy something after the app is installed (an in-app payment). This page covers the code and workflow required to create paid apps; in-app payments are covered elsewhere.

Decide on a Packaging Model (Packaged vs. Hosted)

Before learning about payments, it will help to decide whether your app should be packaged or hosted. If you need a packaged app, it will need to follow a Content Security Policy (CSP). See the references below for more information.

  • Packaged apps: Explains the difference between a packaged app and a hosted app. Talks a little about the CSP that is required when you use a packaged app.
  • Content Security Policy: Explains CSP implications.

Building a paid app

Any app can be a paid app. It can be a hosted app or a packaged app, and it does not require special permissions. You can create a paid app simply by choosing to make it a paid app when you submit it to the Firefox Marketplace, but you also need to make your app validate its sales receipt, so you can tell if the payments are real. The next few sections set out what you need to do.

Add installs_allowed_from to your manifest.webapp

First, you should add the installs_allowed_from field to the app manifest. Give it the URL of the Firefox Marketplace like this:

"installs_allowed_from": [ "" ]

This is needed as part of receipt validation so it can be determined if your app came from a store where it was paid for.

Verify the receipt

When an app is sold on the Marketplace, a digital receipt for the sale is created. You should code your app so it verifies this sales receipt when it runs. This verification is not required for the app to be sold, but it comes highly recommended. It will stop people from installing your app without paying for it.

There is a Mozilla-maintained JavaScript helper library called receiptverifier that enables you to verify the receipt with a small amount of code. Include the following receiptverifier libraries in your app:

Then you can add the following code to your app (with text changes to match your app) to verify the receipt:

  storeURL: "",
  supportHTML: '<a href="">email</a>',
  verify: true

The usual time for receipt validation is when the app is started. If the receipt is valid, you release the app's resources to the user. If it is not valid, you can prevent the app from running.

Note: For more detail, including building your own receipt verifier, read Validating a receipt.
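
The link between installs_allowed_from and receipt validation, as an added example that is not part of the original page or of the receiptverifier library: a start-up pre-check that rejects a receipt whose issuing store is not listed in the manifest, before the receipt goes to full verification. The claim names typ, iss and exp and the certificate~receipt layout are assumptions taken from the web app receipt format, https://store.example is a constructed store origin, and the signature is not checked here.

```javascript
// Added example: pre-check a receipt's claims against installs_allowed_from.
// Assumed claim names (web app receipt format): typ, iss, exp.
// The signature is NOT verified; this only rejects bad receipts early.

function b64urlToJson(part) {
  let b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const text = typeof atob === 'function'
    ? atob(b64)                                     // browser / app runtime
    : Buffer.from(b64, 'base64').toString('binary'); // older Node
  return JSON.parse(text);
}

// A receipt may arrive as "certJWT~receiptJWT"; the receipt JWT is last.
function receiptClaims(receipt) {
  const segments = receipt.split('~').pop().split('.');
  if (segments.length !== 3) throw new Error('not a JWT');
  return b64urlToJson(segments[1]);
}

// Returns { ok, reason }. ok === true means "worth sending to the verifier",
// not "paid": only full verification can establish that.
function precheckReceipt(receipt, installsAllowedFrom, nowSeconds) {
  let claims;
  try {
    claims = receiptClaims(receipt);
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!claims || claims.typ !== 'purchase-receipt') {
    return { ok: false, reason: 'wrong-type' };
  }
  // The issuer must be a store the manifest allows installs from.
  if (installsAllowedFrom.indexOf(claims.iss) === -1) {
    return { ok: false, reason: 'untrusted-store' };
  }
  if (typeof claims.exp === 'number' && claims.exp < nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, reason: 'send-to-verifier' };
}

// Builds constructed sample receipts (Node only); the signature is a dummy.
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256' }) + '.' + enc(claims) + '.c2ln';
}
```

A receipt that passes this pre-check still has to be verified in full before the app releases its resources.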

See also

Document Tags and Contributors

Contributors to this page: MarkGiffin, chrisdavidmills
Last updated by: chrisdavidmills,