Zum Inhalt springen
Capgo - Live Updates for Capacitor Apps Capgo

Getting Started

Dieser Inhalt ist in Ihrer Sprache noch nicht verfügbar.

  1. Install the package

    Terminal-Fenster
    npm i @capgo/capacitor-app-attest

  2. Sync native projects

    Terminal-Fenster
    npx cap sync

  3. Configure platform requirements

    • Complete iOS setup for App Attest capability and backend verification flow.
    • Complete Android setup for Play Integrity Standard and backend verification flow.

Why use this plugin

Section titled “Why use this plugin”

This plugin provides one cross-platform API while keeping native platform security:

  • iOS: Apple App Attest (DeviceCheck)
  • Android: Google Play Integrity Standard API
  • No custom client-side crypto scheme
  • Normalized outputs for backend checks

Usage

Section titled “Usage”
import { AppAttest } from '@capgo/capacitor-app-attest';


const support = await AppAttest.isSupported();
if (!support.isSupported) {
  throw new Error(`Attestation not supported on ${support.platform}`);
}


const prepared = await AppAttest.prepare();


const registration = await AppAttest.createAttestation({
  keyId: prepared.keyId,
  challenge: 'backend-one-time-registration-challenge',
});


const assertion = await AppAttest.createAssertion({
  keyId: prepared.keyId,
  payload: 'backend-one-time-request-payload',
});


console.log(registration.platform, registration.format, registration.token);
console.log(assertion.platform, assertion.format, assertion.token);

Unified response shape

Section titled “Unified response shape”

createAttestation() and createAssertion() return the same key fields on iOS and Android:

FieldTypeDescription
platform'ios' | 'android' | 'web'Native platform that produced the token
formatAttestationFormatapple-app-attest or google-play-integrity-standard
keyIdstringKey/provider handle used for attestation
tokenstringToken to verify on your backend

Backend requirement

Section titled “Backend requirement”

Attestation is only useful when verified server-side.

  • Never trust client-only success.
  • Require one-time challenge/payload values from your backend.
  • Verify token, app identity, and replay protections in backend logic.

Use the platform-specific backend guides: