The problem
An affiliate sends a user to your App Store listing. The user installs, then subscribes a few days later. You want to credit that subscription to the affiliate and pay a commission on it. The catch: the purchase happens inside Apple's system, where web affiliate cookies and pixels never fire, and device fingerprinting for attribution has been against Apple's rules since iOS 14.5.
The mechanism
StoreKit 2 lets your app attach an appAccountToken, a UUID you generate, to a purchase. Apple echoes that UUID back in the signed transaction and in every App Store Server Notification about it. That gives you a deterministic, privacy-safe key that ties a specific purchase to whatever you associated the UUID with, such as an affiliate referral.
App Store Server Notifications v2 then confirm the subscription server-side. Each notification is a signed JWS that you verify against Apple's certificate chain, so a forged notification fails verification. Renewals, refunds, and cancellations arrive the same way, which is what lets a commission reverse automatically when a subscription is refunded.
The steps
First, when a referred user is about to purchase, set the appAccountToken on the StoreKit 2 purchase option. With Attribloom you fetch that token from its bind endpoint, which mints it against the specific affiliate, so your app never invents its own UUID. If you build your own attribution instead, you generate the UUID and record which affiliate it belongs to.

Second, configure your App Store Server Notifications v2 URL and forward each signed notification to your attribution endpoint.

Third, on each verified notification, read the appAccountToken, look up the affiliate, and record the conversion at the real transaction value, excluding trials and refunds.
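A sketch of the third step for a self-built attribution backend, added here as an example and not taken from Attribloom's code. It assumes the notification and its signedTransactionInfo have already passed JWS verification and been decoded to dicts; `BINDINGS`, `RATE_BPS` and `Ledger` are hypothetical names, the sample values are constructed, and the payload field names are those of Apple's v2 notification format.

```python
from dataclasses import dataclass, field

# Constructed binding table: appAccountToken minted at bind time -> affiliate id.
BINDINGS = {"3f1c9a52-7d0e-4b6a-9c1d-2e5f8a7b6c4d": "affiliate-42"}
RATE_BPS = 3000  # hypothetical commission rate: 30%, in basis points


@dataclass
class Ledger:
    seen: set = field(default_factory=set)           # notificationUUIDs already handled
    commissions: dict = field(default_factory=dict)  # transactionId -> (affiliate, milliunits)

    def handle(self, note: dict, txn: dict) -> str:
        """note: decoded notification payload; txn: decoded signedTransactionInfo.
        Both are assumed to have passed JWS verification before this call."""
        if note["notificationUUID"] in self.seen:
            return "duplicate"            # a redelivered notification must not pay twice
        self.seen.add(note["notificationUUID"])
        # Normalise case so the lookup does not depend on UUID formatting.
        affiliate = BINDINGS.get((txn.get("appAccountToken") or "").lower())
        if affiliate is None:
            return "unattributed"
        kind, tid = note["notificationType"], txn["transactionId"]
        if kind == "REFUND":
            return "reversed" if self.commissions.pop(tid, None) else "nothing-to-reverse"
        if kind not in ("SUBSCRIBED", "DID_RENEW"):
            return "ignored"
        price = txn.get("price", 0)       # milliunits of the storefront currency
        if txn.get("offerDiscountType") == "FREE_TRIAL" or price <= 0:
            return "trial-skipped"
        self.commissions[tid] = (affiliate, price * RATE_BPS // 10_000)
        return "credited"

    def owed(self, affiliate: str) -> int:
        return sum(amt for aff, amt in self.commissions.values() if aff == affiliate)
```

Keying commissions on transactionId is what lets a later REFUND for that same transaction remove exactly the amount that was credited.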
Attribloom implements the hard part of this for you: it verifies the JWS, matches the token to an affiliate, applies the commission, and reverses it on refund or cancellation.