How to test a VPP token

At times we see issues with VPP tokens not retrieving data correctly, you can manually validate the VPP token using the steps below.

Using an API client such as Postman (https://www.getpostman.com/) or Insomnia (https://insomnia.rest/)

You need a VPP stoken, open it up in notepad and copy the value

The JSON payload will look like below (token):

{"sToken":"ewogICAgImV4cERhdGUiOiAiMjAxOS0xMC0zMFQyMjozNjozMi0wNzAwIiwKICAgICJvcmdOYW1lIjogIkV4YW1wbGUgT3JnIiwKICAgICJ0b2tlbiI6ICJENjFRNFhldjdhYmMxMjM0NTY3ODg5OTBIaHRpS1Rob0E9PSIKfQ=="}

I am using Insomnia in my example.

Create a new POST request and add Content-Type application/json into the headers

image

Add a JSON body and add the sToken payload in the format below.

image

Successful response from Apple

image

Note this is a test location with no apps in it, real request will return an inventory of apps.

VPP API is documented here: Device Management | Apple Developer Documentation

1 Like

Thanks Daniil!
Works fine.

In addition - how to check what (if any) B2B VPP apps are avail for a customer:

As per Getting App and Book Information (Legacy) | Apple Developer Documentation

GET
https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup\?version\=2\&p\=mdm-lockup\&caller\=MDM\&platform\=enterprisestore\&cc\=au\&l\=en

note that country code is au and no app id is in request

Add cookie first:

then refer it in the header:

image

If you need to re-run query for different stoken, make sure that you’ve refreshed cookie in header after edited it:

Note that the isAuthenticated field will always be false regardless from actual result.