appsettings.json
The API reads its attestation configuration from appsettings.json (typically located in the API container at /app/appsettings.json, or mounted as an external file).
This page describes the two attestation-specific sections:

- GooglePlayIntegrity: configures Android attestation via Google Play Integrity
- AppleAppAttest: configures iOS attestation via Apple App Attest
Configuration
GooglePlayIntegrity
Configures verification of Google Play Integrity tokens (both Classic and Standard).
appsettings.json

```json
{
  "GooglePlayIntegrity": {
    "tokenIssuanceToleranceSeconds": 60,
    "packageRootDir": "/google-play-integrity",
    "appPackages": [
      {
        "packageName": "com.example.app",
        "integrityThreshold": "MEETS_DEVICE_INTEGRITY",
        "allowEmulators": false,
        "packageDir": "com-example-app",
        "classicDecryptionKeyBase64": "",
        "classicVerificationKeyBase64": "",
        "standardCredentialsJsonFile": ""
      }
    ]
  }
}
```
Top-level fields
| Field | Type | Description |
|---|---|---|
| tokenIssuanceToleranceSeconds | integer | Clock skew tolerance, in seconds, applied when validating the token issuance timestamp. Default: 60. |
| packageRootDir | string | Root directory containing per-package resources (APK signing certificates and, if configured, the Standard credentials JSON file). Each app package's packageDir is resolved as a subdirectory under this root. The path may be absolute or relative to the API working directory. |
| appPackages | array | One entry per Android app package the API accepts. |
appPackages[] fields
| Field | Type | Description |
|---|---|---|
| packageName | string | Android application id (e.g. com.example.app). Must match the package that produced the integrity token. |
| integrityThreshold | string | Minimum Play Integrity device verdict to accept. One of: MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, MEETS_STRONG_INTEGRITY. |
| allowEmulators | bool | If true, tokens originating from emulators are accepted. Typically false in production. |
| packageDir | string | Subdirectory under packageRootDir containing this package's resources. Holds the APK signing certificates (required for APK certificate validation) and, if configured, the Standard credentials JSON file. |
| classicDecryptionKeyBase64 | string | Base64-encoded key used to decrypt Classic integrity payloads. Required to verify Classic tokens. |
| classicVerificationKeyBase64 | string | Base64-encoded key used to verify Classic integrity signatures. Required to verify Classic tokens. |
| standardCredentialsJsonFile | string | Filename, relative to packageDir, of the Google service account credentials JSON file used for the Standard Play Integrity API. Required to verify Standard tokens. |
note
Only the fields for the token type(s) you intend to accept need to be populated: Classic tokens require both classicDecryptionKeyBase64 and classicVerificationKeyBase64, and Standard tokens require standardCredentialsJsonFile. To support both Classic and Standard tokens for a package, set all three. The two Classic keys and the service account credentials file are secrets: keep them out of source control and supply them from your secret store or environment rather than committing them in appsettings.json.
AppleAppAttest
Configures verification of Apple App Attest tokens.
appsettings.json

```json
{
  "AppleAppAttest": {
    "rootCertificatesDir": "/apple-root-certs",
    "allowedApps": [
      {
        "appId": "A1B2C3D4E5.com.example.app",
        "allowDevelopmentTokens": false,
        "allowProductionTokens": true
      }
    ]
  }
}
```
Top-level fields
| Field | Type | Description |
|---|---|---|
| rootCertificatesDir | string | Directory containing the Apple App Attest root certificates used to validate the attestation certificate chain. The path may be absolute or relative to the API working directory. |
| allowedApps | array | One entry per iOS app the API accepts. |
allowedApps[] fields
| Field | Type | Description |
|---|---|---|
| appId | string | App identifier in the form [TeamId].[BundleId] (e.g. A1B2C3D4E5.com.example.app). |
| allowDevelopmentTokens | bool | If true, tokens issued by the Apple App Attest development environment are accepted. Typically false in production. |
| allowProductionTokens | bool | If true, tokens issued by the Apple App Attest production environment are accepted. If both this and allowDevelopmentTokens are false, no token from this app is accepted. |
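The GooglePlayIntegrity and AppleAppAttest rules above are easy to get subtly wrong (emulators left enabled, a packageDir that escapes packageRootDir, only one of the two Classic keys set, a development environment left enabled in production). The following is an added example, not part of the API's own code: an offline lint that loads a parsed appsettings.json and reports violations of the rules stated on this page. The production flag, the finding texts, the appId regex (10-character alphanumeric Team ID plus reverse-DNS bundle id) and the sample configurations are this example's own assumptions; the weak sample is constructed and does not come from any real deployment.

```python
"""Offline lint of the GooglePlayIntegrity and AppleAppAttest sections of appsettings.json.
Added example encoding the rules on this page; it does not contact Google or Apple."""
import base64
import binascii
import json
import os
import re

INTEGRITY_LEVELS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")
# [TeamId].[BundleId]: assumed shape, a 10-character alphanumeric Team ID then a reverse-DNS bundle id.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$")
CLASSIC_FIELDS = ("classicDecryptionKeyBase64", "classicVerificationKeyBase64")


def resolve_dir(path, base):
    """Absolute paths are used as-is; relative ones resolve against base
    (the API working directory for packageRootDir, packageRootDir for packageDir)."""
    return os.path.normpath(path if os.path.isabs(path) else os.path.join(base, path))


def _valid_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def lint_google(section, production=True, working_dir="/app"):
    findings = []
    tol = section.get("tokenIssuanceToleranceSeconds", 60)
    if not isinstance(tol, int) or isinstance(tol, bool) or tol < 0:
        findings.append(f"tokenIssuanceToleranceSeconds {tol!r} must be a non-negative integer")
    root = resolve_dir(section.get("packageRootDir", ""), working_dir)
    for i, pkg in enumerate(section.get("appPackages", [])):
        name = pkg.get("packageName") or f"appPackages[{i}]"
        threshold = pkg.get("integrityThreshold")
        if threshold not in INTEGRITY_LEVELS:
            findings.append(f"{name}: integrityThreshold {threshold!r} is not one of {INTEGRITY_LEVELS}")
        if production and pkg.get("allowEmulators", False):
            findings.append(f"{name}: allowEmulators is true; production should reject emulator tokens")
        pkg_dir = resolve_dir(pkg.get("packageDir", ""), root)
        # packageDir must stay inside packageRootDir: this rejects "../x" and absolute paths.
        if not pkg.get("packageDir") or os.path.commonpath([root, pkg_dir]) != root:
            findings.append(f"{name}: packageDir {pkg.get('packageDir')!r} is missing or resolves outside packageRootDir")
        classic = tuple(pkg.get(f, "") for f in CLASSIC_FIELDS)
        standard = pkg.get("standardCredentialsJsonFile", "")
        if any(classic) and not all(classic):
            findings.append(f"{name}: Classic verification needs both {' and '.join(CLASSIC_FIELDS)}")
        for field, key in zip(CLASSIC_FIELDS, classic):
            if key and not _valid_base64(key):
                findings.append(f"{name}: {field} is not valid base64")
        if not all(classic) and not standard:
            findings.append(f"{name}: neither Classic keys nor standardCredentialsJsonFile set; no token type can be verified")
        if standard and (os.path.isabs(standard) or os.sep in standard):
            findings.append(f"{name}: standardCredentialsJsonFile must be a bare filename inside packageDir")
    return findings


def lint_apple(section, production=True):
    findings = []
    if not section.get("rootCertificatesDir"):
        findings.append("rootCertificatesDir is not set; the certificate chain cannot be validated")
    for i, app in enumerate(section.get("allowedApps", [])):
        app_id = app.get("appId", "")
        if not APP_ID_RE.match(app_id):
            findings.append(f"allowedApps[{i}]: appId {app_id!r} is not of the form [TeamId].[BundleId]")
        dev, prod = app.get("allowDevelopmentTokens", False), app.get("allowProductionTokens", False)
        if not dev and not prod:
            findings.append(f"{app_id}: both environments disabled; every token from this app is rejected")
        if production and dev:
            findings.append(f"{app_id}: allowDevelopmentTokens is true; production should reject development tokens")
    return findings


def lint_config(config, production=True, working_dir="/app"):
    """Return all findings for a parsed appsettings.json; an empty list means it passes."""
    findings = []
    if "GooglePlayIntegrity" in config:
        findings += lint_google(config["GooglePlayIntegrity"], production, working_dir)
    if "AppleAppAttest" in config:
        findings += lint_apple(config["AppleAppAttest"], production)
    return findings


# Constructed sample: a production config with several mistakes (not from any real deployment).
WEAK_CONFIG = json.loads("""{
  "GooglePlayIntegrity": {"tokenIssuanceToleranceSeconds": 60, "packageRootDir": "/google-play-integrity",
    "appPackages": [{"packageName": "com.example.app", "integrityThreshold": "MEETS_INTEGRITY",
      "allowEmulators": true, "packageDir": "../shared", "classicDecryptionKeyBase64": "not base64!",
      "classicVerificationKeyBase64": "", "standardCredentialsJsonFile": "/secrets/service-account.json"}]},
  "AppleAppAttest": {"rootCertificatesDir": "/apple-root-certs",
    "allowedApps": [{"appId": "com.example.app", "allowDevelopmentTokens": true, "allowProductionTokens": true}]}
}""")

# The same config with every finding fixed, matching the shape of the examples on this page.
HARDENED_CONFIG = json.loads(json.dumps(WEAK_CONFIG))  # deep copy
HARDENED_CONFIG["GooglePlayIntegrity"]["appPackages"][0].update(
    integrityThreshold="MEETS_DEVICE_INTEGRITY", allowEmulators=False, packageDir="com-example-app",
    classicDecryptionKeyBase64="", standardCredentialsJsonFile="service-account.json")
HARDENED_CONFIG["AppleAppAttest"]["allowedApps"][0].update(
    appId="A1B2C3D4E5.com.example.app", allowDevelopmentTokens=False)

if __name__ == "__main__":
    for finding in lint_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", lint_config(HARDENED_CONFIG))
```

Run it against the weak sample and it reports eight findings (six under GooglePlayIntegrity, two under AppleAppAttest); the hardened sample passes cleanly. Passing production=False suppresses only the emulator and development-environment checks, so a staging config can keep those enabled without hiding the structural errors.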