Single backend · Offline verification · No device IDs

Attestation that feels boringly reliable.

Unified Attestation is a free, open-source alternative to Google Play Integrity. It delivers short-lived integrity tokens signed by a single backend, verified offline by app servers, and issued via a privileged Android system service. It can live alongside Play Integrity, and it’s simple to integrate for app developers on both the app and server sides.

  • Backend: Device + Home combined
  • Attestation: KeyMint + Standard requestHash
  • Federation: Offline trust anchors

Architecture

An alternative to Google Play Integrity that’s easy to integrate and can run in parallel.

Unified Backend

Acts as Home + Device backend. Stores trust anchors, verifies chains, and signs short-lived tokens. Federation works fully offline.

  • GET /api/v1/info
  • POST /api/v1/device/process
  • POST /api/v1/app/decodeToken

Android System Service

Privileged service that talks to KeyMint, fetches attestation chains, and sends them to the backend. Apps only call the SDK.

  • Provider discovery
  • Per (app, backend) keys
  • Binder/AIDL boundary

SDK + Example App

Thin SDK exposes Play Integrity-style API. Example app shows canonical request hashing, provider selection, and verdict display.

  • No networking
  • No cert exposure
  • Opaque token

End-to-end flow

App → SDK → Service → Backend → App server. No nonce protocol. Simple for app devs.

1. Canonical request: App + server compute identical requestHash.

2. Provider discovery: SDK returns enabled backendIds only.

3. KeyMint attestation: Service sets challenge = requestHash and posts chain.

4. Token issuance: Backend verifies chain + policies, signs token (60s TTL).

5. Offline verification: App server checks signature + requestHash.
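
The app-server side of the flow above, as an added example that is not the project's own code. The token layout (base64url claims plus an Ed25519 signature), the claim names, the sorted-key canonical form, and the sample key, backend id and project id are all assumptions made for illustration.

```javascript
// Added example. Token layout, field names and canonical form are assumptions.
const crypto = require("node:crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");

// Step 1 (assumed canonical form): sorted top-level keys, JSON, SHA-256.
function canonicalRequestHash(request) {
  const pairs = Object.keys(request).sort().map((k) => [k, request[k]]);
  return crypto.createHash("sha256").update(JSON.stringify(pairs)).digest("hex");
}

// Step 4 stand-in for the backend: signs claims with the page's 60 s TTL.
function mintToken(privateKey, backendId, projectId, requestHash, nowSec) {
  const claims = { backendId, projectId, requestHash, exp: nowSec + 60 };
  const payload = b64u(JSON.stringify(claims));
  return payload + "." + b64u(crypto.sign(null, Buffer.from(payload), privateKey));
}

// Step 5 on the app server: local trust store only, no call to the backend.
function verifyToken(token, trustStore, projectId, expectedHash, nowSec) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split(".");
  if (parts.length !== 2) return fail("malformed");
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return fail("malformed");
  }
  if (claims === null || typeof claims !== "object") return fail("malformed");
  // backendId is untrusted here; it only selects a key we already trust.
  const publicKey = trustStore.get(claims.backendId);
  if (!publicKey) return fail("unknown backend");
  const sig = Buffer.from(parts[1], "base64url");
  if (!crypto.verify(null, Buffer.from(parts[0]), publicKey, sig)) return fail("bad signature");
  // Claims are authentic from here on.
  if (claims.projectId !== projectId) return fail("wrong project");
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) return fail("expired");
  if (claims.requestHash !== expectedHash) return fail("requestHash mismatch");
  return { ok: true, claims };
}

// Constructed sample data: throwaway Ed25519 key pair, backend id and request.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const trustStore = new Map([["backend-example", publicKey]]);
const request = { action: "transfer", amount: 100, user: "alice" };
const token = mintToken(privateKey, "backend-example", "proj-1", canonicalRequestHash(request), 1000);
console.log(verifyToken(token, trustStore, "proj-1", canonicalRequestHash(request), 1030));
```

Because the server recomputes requestHash from the request it actually received, a token minted for a different request fails the last check even when its signature and expiry are valid.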

Key APIs

Minimal endpoints with strict role separation.

Public

GET /api/v1/info

Returns backendId + public keys.

Device-facing

POST /api/v1/device/process

Verifies chain + attestation challenge, mints token.

App server

POST /api/v1/app/decodeToken

Offline verification using federation trust store.

OEM/Admin

/api/v1/oem/*

Device families, builds, trust anchors.

SDKs & Services

Android SDK, system service, and server SDKs for JS/Python — free and open source.

Android SDK

Public API mirroring Play Integrity, no networking.

  • getProviderSet(projectId)
  • requestIntegrityToken(backendId, projectId, requestHash)

Server SDK (JS/Python)

Helper utilities for decoding tokens and trust checks.

  • getBackendInfo()
  • decodeToken(projectId, token)

Example App Server

TypeScript demo selecting backend and verifying tokens.

  • Backend selection
  • RequestHash comparison

Run locally

Quick commands to bootstrap the stack.

Backend

cd Backend
npm install
npm run dev:backend
            

Portal

cd Backend
npm run dev:portal
            

Example App Server

cd Example-App-Server
npm install
npm run dev