Apple App Attest server-side verification for edge runtimes, using only WebCrypto.
Any mobile app with a backend API faces a fundamental problem: API keys embedded in the client are extractable. An attacker can intercept traffic, extract the key, and issue arbitrary requests outside the app. Apple's App Attest uses the device's Secure Enclave to prove that a request came from a genuine instance of your app on a real Apple device. This library implements the server-side half of that verification using only crypto.subtle, so it runs in Supabase Edge Functions, Deno Deploy, and any runtime where node:crypto is incomplete or unavailable.
| Package | Description |
|---|---|
| @bradford-tech/supabase-integrity-attest | Attestation and assertion verification library |
| Docs | Documentation site at integrity-attest.bradford.tech |
| Demo | Expo starter app with Supabase edge functions |
```sh
deno add jsr:@bradford-tech/supabase-integrity-attest
```

```ts
import { verifyAttestation } from '@bradford-tech/supabase-integrity-attest'

// challenge is the value your server issued; keyId and attestation are sent by the app.
const clientDataHash = new Uint8Array(
  await crypto.subtle.digest('SHA-256', new TextEncoder().encode(challenge)),
)
const { publicKeyPem } = await verifyAttestation(
  { appId: 'TEAMID.com.example.app' },
  keyId,
  clientDataHash,
  attestation,
)
// publicKeyPem: "-----BEGIN PUBLIC KEY-----\nMFkw..."
```

See the library README for middleware wrappers, assertion verification, and full API details.
```sh
git clone https://github.com/bradford-tech/supabase-integrity-attest.git
cd supabase-integrity-attest
npm install
```

```sh
cd packages/lib
deno task check # format + lint + test
```

```sh
npm run dev:docs # start dev server (from root)
```

```sh
npm run check # CI gate: prettier + turbo check
npm run fix # auto-format + lint fix + test
```

Issues and pull requests are welcome on GitHub.
MIT