Getting started

App Attest in 60 seconds

The minimum you need to know about Apple App Attest to use this library effectively.


Three phases

App Attest has three phases. The first happens once per device; the other two happen on every protected request.

1. Attestation (one-time)

Your app asks the Secure Enclave to generate a key pair, then sends the attestation object to Apple. Apple returns a signed certificate chain vouching for the key. Your app sends this to your server, which verifies it and stores the device's public key.

2. Challenge (per-request)

Before each protected request, your app asks your server for a fresh, single-use challenge (random bytes). This prevents replay attacks — an attacker can't reuse a captured request because the challenge will have expired.

3. Assertion (per-request)

Your app signs the request body (plus the challenge) with the Secure Enclave's private key and sends the signature alongside the request. Your server verifies the signature using the stored public key and checks that the counter has incremented.


What your server does

This library handles phases 1 and 3 on the server side:

  • verifyAttestation() — Called once when a device first registers. Validates Apple's certificate chain, extracts the public key, and returns it for storage.
  • verifyAssertion() — Called on every protected request. Verifies the signature and counter.

You're responsible for:

  • Generating and storing challenges (random bytes, single-use, short-lived)
  • Persisting the device's public key and sign count after attestation
  • Updating the sign count after each assertion

Apple's documentation
