Getting Started
1. Install the package

   ```bash
   bun add @capgo/capacitor-app-attest
   ```

2. Sync native projects

   ```bash
   bunx cap sync
   ```

3. Configure platform requirements
   - Complete iOS setup for App Attest capability and backend verification flow.
   - Complete Android setup for Play Integrity Standard and backend verification flow.
Why use this plugin
This plugin provides one cross-platform API while keeping native platform security:
- iOS: Apple App Attest (`DeviceCheck`)
- Android: Google Play Integrity Standard API
- No custom client-side crypto scheme
- Normalized outputs for backend checks
```typescript
import { AppAttest } from '@capgo/capacitor-app-attest';

// Stop early when the current platform cannot produce attestations.
const support = await AppAttest.isSupported();
if (!support.isSupported) {
  throw new Error(`Attestation not supported on ${support.platform}`);
}

// Prepare once and reuse the returned keyId for the calls below.
const prepared = await AppAttest.prepare();

// Registration: the challenge must be a one-time value issued by your backend.
const registration = await AppAttest.createAttestation({
  keyId: prepared.keyId,
  challenge: 'backend-one-time-registration-challenge',
});

// Per-request assertion: the payload must also be a one-time value from your backend.
const assertion = await AppAttest.createAssertion({
  keyId: prepared.keyId,
  payload: 'backend-one-time-request-payload',
});

// Send these tokens to your backend for verification.
console.log(registration.platform, registration.format, registration.token);
console.log(assertion.platform, assertion.format, assertion.token);
```

Unified response shape
`createAttestation()` and `createAssertion()` return the same key fields on iOS and Android:
| Field | Type | Description |
|---|---|---|
| `platform` | `'ios' \| 'android' \| 'web'` | Native platform that produced the token |
| `format` | `AttestationFormat` | `apple-app-attest` or `google-play-integrity-standard` |
| `keyId` | `string` | Key/provider handle used for attestation |
| `token` | `string` | Token to verify on your backend |
Backend requirement
Attestation is only useful when verified server-side.
- Never trust client-only success.
- Require one-time challenge/payload values from your backend.
- Verify `token`, app identity, and replay protections in backend logic.
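
The one-time challenge and replay requirements above, sketched as a Node.js backend gate. This is an added example, not code from the plugin or its backend guides. `ChallengeStore`, `checkSubmission`, the `userId`/`purpose` binding and the `verifyToken` callback (standing in for the platform-specific token check) are assumptions; for `createAssertion()` the one-time value is the `payload`.

```javascript
// Added example: one-time challenge handling on the backend (hypothetical names).
const crypto = require('node:crypto');

// The two token formats listed in the response-shape table.
const FORMATS = new Set(['apple-app-attest', 'google-play-integrity-standard']);

class ChallengeStore {
  constructor({ ttlMs = 60_000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock so expiry can be tested
    this.pending = new Map(); // challenge -> { userId, purpose, expiresAt }
  }

  // Issue a random challenge bound to one user and one purpose.
  issue(userId, purpose) {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.set(challenge, { userId, purpose, expiresAt: this.now() + this.ttlMs });
    return challenge;
  }

  // Consume exactly once. The entry is deleted before any check,
  // so a failed attempt also burns the challenge.
  consume(challenge, userId, purpose) {
    const entry = this.pending.get(challenge);
    this.pending.delete(challenge);
    if (!entry) return 'unknown-or-replayed';
    if (entry.expiresAt < this.now()) return 'expired';
    if (entry.userId !== userId || entry.purpose !== purpose) return 'binding-mismatch';
    return 'ok';
  }
}

// Gate in front of the platform verifier: rejects unknown formats and
// replayed, expired or mismatched challenges before the token is examined.
function checkSubmission(store, verifyToken, { userId, purpose, challenge, format, token }) {
  if (!FORMATS.has(format)) return { accepted: false, reason: 'unsupported-format' };
  const status = store.consume(challenge, userId, purpose);
  if (status !== 'ok') return { accepted: false, reason: status };
  // verifyToken must also confirm that the token commits to this challenge.
  if (!verifyToken(format, token, challenge)) return { accepted: false, reason: 'token-rejected' };
  return { accepted: true, reason: 'ok' };
}
```

The in-memory `Map` keeps the example self-contained; a deployment with more than one backend instance needs a shared store with an atomic get-and-delete.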
Use the platform-specific backend guides: