They can absolutely run the verification code client side, but they can’t really fully trust the data being provided from client side since the client might be manipulated or a 3rd party client may have reverse engineered the API to bypass the verification.
Probably they made the decision that it’s worth it to protect privacy (you know the thing people have been complaining about) weighed against that most teens probably won’t figure out how to bypass the system… which makes this sudden change (trial?) where it’s being sent to a 3rd party anyway kind of odd.
They can absolutely run the verification code client side, but they can’t really fully trust the data being provided from client side since the client might be manipulated or a 3rd party client may have reverse engineered the API to bypass the verification.
Probably they made the decision that it’s worth it to protect privacy (you know the thing people have been complaining about) weighed against that most teens probably won’t figure out how to bypass the system… which makes this sudden change (trial?) where it’s being sent to a 3rd party anyway kind of odd.