Tags: ios, node.js, swift, storekit, storekit2

Why do I need to validate receipts using StoreKit 2?


I’m using StoreKit 2 in Swift to handle subscriptions and I’m told that I need to validate receipts from Apple on the server side using Node.js. Why do I need to do this? Can someone please explain? Doesn’t StoreKit 2 already handle this for me?


Solution

  • You don't necessarily need to validate purchases on the server side. The StoreKit 2 entitlement information that is available to your app is secure.

    However, there is always a possibility that someone has attacked the logic in your app, or maybe successfully attacked the StoreKit framework on the device, in which case server-side validation can provide more protection against fraud.

    With the StoreKit 2 APIs you don't need to validate the receipt. You can use the transactionId with the Get Transaction Info endpoint. If the transaction ID is not valid, then an error will be returned. Since the response returned by Apple is signed, you can be sure that the information regarding the transaction ID was provided by Apple.

    You also need to consider whether the user will have access to their subscription benefits outside of your app. If so, then your server needs to know that the user has a current subscription, even if they haven't opened the app. This is different from transaction validation, however.