Apple says in their documentation here:
Verify your receipt first with the production URL; then verify with the sandbox URL if you receive a 21007 status code. This approach ensures you don’t have to switch between URLs while your application is tested, reviewed by App Review, or live in the App Store.
And I did exactly that. Used the production url, got 21007 status code, then started using the sandbox Url, tested my purchase flow, and submitted the app for a review, got the review approved and am now ready for launch.
What doesn't make sense is that Apple says above "you don’t have to switch between URLs while your application is tested, reviewed by App Review, or live in the App Store." Does that mean that after I release my app, my servers are to continue using the sandbox url after I have released the app? That doesn't make sense. I would expect to start using the production url to validate receipts on my server.
Assuming I am correct, and you DO have to switch to the production url when the app is live - what happens in the future when I want to submit my app for review when I update the app, do I have to take care and put the sandbox url back?
You don't need to change your code after release. It should automatically switch between production and sandbox urls, based on the receipt and the response from the production endpoint.
Apple's documentation says:
Verify your receipt first with the production URL; then verify with the sandbox URL if you receive a 21007 status code.
You will never receive a 21007 status code from the production endpoint when your app is live. A 21007 status means that you have a sandbox receipt in release mode. This only occurs with TestFlight and App Store Review.
You can safely leave the sandbox receipt validation code in place since the code path of checking against the sandbox url will not be used in the normal case.
When you submit a new version for review, and Apple tests it, you will once again get a 21007 response from the production endpoint and your code will attempt validation against the sandbox url.