Why does RevenueCat need a Google Play service account?

RevenueCat communicates with Google Play through a Google Cloud service account so it can validate purchases server side and receive Real-time Developer Notifications. Without valid service account credentials, RevenueCat cannot confirm whether a Google Play purchase or subscription is active.

How long do Google Play permissions take to propagate?

Permission changes on Google can take up to 36 hours to fully propagate. During that window purchase validation may fail intermittently. If validation still fails after 36 hours, recheck the API, the Play Console permissions, and the uploaded credentials JSON.

Why am I getting a credential or permission error in RevenueCat?

The usual causes are that the Google Play Android Developer API is not enabled in the linked Cloud project, the service account email has not been granted the required Play Console permissions, the wrong JSON key was uploaded, or the permissions have not finished propagating yet. Confirm each of these in order.

Set Up Google Play Service Account Credentials for RevenueCat

Q: Which Google Play Console permissions does the service account need?

In Google Play Console under Users and permissions, grant the service account email these account permissions: View app information and download bulk reports, View financial data, and Manage orders and subscriptions. These let RevenueCat read purchase data and manage subscription state.

Set Up Google Play Service Account Credentials for RevenueCat

Overview

RevenueCat and Google Play communicate through a Google Cloud service account. The service account is a non-human identity that RevenueCat uses to validate Google Play purchases on its servers and to receive Real-time Developer Notifications about renewals, cancellations, and other subscription events. Without valid service account credentials, RevenueCat cannot confirm whether a Google Play purchase or subscription is active.

The setup spans three consoles, and the order matters:

Google Cloud Console (console.cloud.google.com) - enable the API, create the service account, and generate the JSON key.
Google Play Console (play.google.com/console) - grant the service account permission to your Play account.
RevenueCat Dashboard (app.revenuecat.com) - upload the credentials JSON to your Google Play Store app.

Prerequisites: You need a Google Play Developer account, admin access to the Google Cloud project that is linked to that Play account, and a RevenueCat project with a Google Play Store app already added. See the Google Play codelab for the full integration and Configure the SDK for app-side setup.

Step 1: Enable the Google Play Android Developer API

Open the Google Cloud Console and use the project picker at the top to select the project that is linked to your Google Play account. If you are not sure which project that is, your Play account is usually linked to a single Cloud project under its API access settings.

Go to APIs & Services > Library, search for Google Play Android Developer API, open it, and click Enable. If the Google Play Developer Reporting API is also listed, enable it as well, since RevenueCat uses it for some reporting and notification features.

Pick the linked project, not a new one. The service account only works if it lives in the Cloud project that Google Play recognizes. Creating a brand new, unlinked project is the most common reason credentials fail later. If your Play account is not linked to any Cloud project yet, link it from Play Console under API access first.

Step 2: Create a Service Account

Still in the Google Cloud Console, navigate to IAM & Admin > Service Accounts and click Create service account.

Give it a descriptive name, for example revenuecat-play-access, so you can recognize it later.
You can skip the optional Grant this service account access to project step. Project-level IAM roles are not required here, because the permissions RevenueCat needs are granted in Google Play Console, not in Cloud IAM.
Finish creating the account.

After it is created, copy the service account email address. It looks like revenuecat-play-access@your-project-id.iam.gserviceaccount.com. You will paste this exact address into Google Play Console in Step 4.

Step 3: Create and Download a JSON Key

Open the service account you just created, go to its Keys tab, and choose Add key > Create new key. Select JSON as the key type and confirm. The browser downloads a credentials file that looks like this:

json

{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "abcdef0123456789",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...redacted...\n-----END PRIVATE KEY-----\n",
  "client_email": "revenuecat-play-access@your-project-id.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."
}

Treat this file as a secret. The JSON key grants access to your Play account data. Do not commit it to source control, paste it into chat tools, or bundle it in your app. Store it in a password manager or secrets store. The only place it needs to go is the RevenueCat dashboard upload in Step 5. If a key leaks, delete it from the service account Keys tab and create a new one.

Step 4: Grant the Service Account Access in Google Play Console

Open the Google Play Console and go to Users and permissions (at the account level, not inside a single app). Click Invite new users and paste the service account email address you copied in Step 2.

Under Account permissions, grant the following permissions:

Permission	Why RevenueCat needs it
View app information and download bulk reports	Read app and product metadata
View financial data	Read order and revenue information
Manage orders and subscriptions	Validate, acknowledge, and manage subscription state

Save the invitation. The service account now appears as a user on your Play account with the permissions RevenueCat requires.

Account permissions, not app permissions. Grant these at the account level so they apply across your apps. If you scope permissions to a single app only, RevenueCat may fail to validate purchases for other apps on the same account.

Step 5: Upload the JSON to RevenueCat

In the RevenueCat dashboard, open your project, then open your Google Play Store app from the project's apps list. In the app configuration, find the Service Account credentials JSON field and upload the JSON file you downloaded in Step 3. Save the configuration.

RevenueCat reads the credentials and uses them to authenticate with Google Play going forward. You only upload the file once per app, unless you rotate the key.

Match the package name. Make sure the Google Play Store app in RevenueCat is configured with the same Android package name as the app in Play Console. A mismatch here will surface as validation errors even when the credentials are correct.

Step 6: Wait for Propagation and Verify

Google permission changes are not instant. After granting access in Play Console and uploading the JSON, allow up to 36 hours for the permissions to fully propagate before purchase validation works reliably. In practice it is often much faster, but plan for the full window before concluding that something is misconfigured.

To verify the connection once propagation has had time to complete:

Make a test or sandbox purchase in your app, or use an existing real purchase.
Open the customer in the RevenueCat dashboard and confirm the transaction appears and validates without credential errors.
Confirm that subscription events (renewals, cancellations) show up, which indicates Real-time Developer Notifications and validation are flowing.

Troubleshooting

Credential or authentication errors. Confirm the Google Play Android Developer API is enabled in the same Cloud project the service account belongs to, and that the project is the one linked to your Play account. A disabled API or an unlinked project is the most common root cause.

Permission denied even though the API is enabled. Recheck Google Play Console > Users and permissions. The service account email must be present with the three account permissions from Step 4: View app information and download bulk reports, View financial data, and Manage orders and subscriptions.

It still does not work right after setup. Permissions can take up to 36 hours to propagate. If you just finished the steps, wait and try again before changing anything. Repeatedly re-uploading the JSON does not speed this up.

Wrong JSON uploaded. If you created multiple keys or have several projects, verify the uploaded file's client_email matches the service account you granted access to in Play Console, and that project_id is the linked project. When in doubt, create a fresh JSON key and re-upload it.

For the latest exact wording and screenshots, see the official RevenueCat documentation.

Related Guides

Google Play In-App Purchases Tutorial - the full end-to-end Google Play integration
Android In-App Purchases Tutorial - app-side RevenueCat setup with Kotlin
Configure the RevenueCat SDK - apiKey and appUserID setup
RevenueCat Docs - official reference and current console wording