As documented in this article (by Apple), it is apparent that calls to the DeviceCheck App Attest API (DCAppAttestService.attestKey(_:clientDataHash:completionHandler:)) might be subject of throttling from Apple's side. Apple servers might throttle attestation traffic from a particular app to avoid becoming overwhelmed if too many instances of your app make this call simultaneously. That could happen if you have a lot of users that simultaneously receive an app update enabling App Attest. Me and my team are planning to launch a new feature in our app that utilise Apple’s DeviceCheck framework to attest cryptographic keys for our users. And as part of our internal development process and risk analysis routine, we would love to get more details about this throttling. Do anyone have any numbers on when Apple might start to throttle our API calls? Is there a limit on requests per hour or something? And is it possible to get an exception from this throttling?

Hello, I would simply like to know where i can find the information regarding the quotas and limits for using DeviceCheck / AppAttest APIs please. Thanks

I'm testing out an app that will be using the DeviceCheck framwork / API to enable a one-time free trial. I'm testing using the deveopment URL provided in the documentation (https://api.development.devicecheck.apple.com). I had set the bits for one of my test iOS devices several days ago. Today when I went to do some additional testing the query_two_bits response came back with "200 Bit State Not Found" - what the API apparently returns for a device that has never had the DeviceCheck value set. I tried it several times before I executed another update_two_bits call, which succeeded. Subsequent calls to the query endpoint returned 200 OK and the expected bit values.It's probably worth mentioning that the unexpected behavior happened after I had deleted and re-installed the app. The app's bundle ID did not changed, but I did enable Push Notifications yesterday.My question is: is the development version of DeviceCheck less "permanent" than the production version (i.e. does everything get deleted after X days)?Or, unlike in the production environment, does deleting and reinstalling the app change something that causes DeviceCheck to not recognize the device by subsequently generated DC tokens?Or does making a change to the app's configuration in AppStoreConnect (i.e. enabling Push) make some change that causes DeviceCheck to not recognize the device by subsequently generated DC tokens?Or is it most likely that something has broken in my environment or code?Thanks -S

Hello developers and apple support team. Im was quite surprised why it's not possible to get SecKey reference for key which was generated using DCAppAttestService.generateKey() Case 1. So after self.iosDeviceAttestationManager.generateKey { keyId, error in guard let keyId = keyId else { promise(.failure(error!)) return } promise(.success(keyId)) } Then Im converting keyId from string to Data using guard let keyIdData = Data(base64Encoded: keyId) else { return Fail(error: Errors.someError).eraseToAnyPublisher() } P.S. Actually I have tried convert keyId as pure string to data but it also does not work let keyIdData = keyID.data(using: .utf8)! Then Im trying to obtain this key using standard keychain API. let getquery: [String: Any] = [ kSecClass as String: kSecClassKey, kSecAttrApplicationTag as String: keyIdData, kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, kSecReturnRef as String: true] var item: CFTypeRef? let status = SecItemCopyMatching(getquery as CFDictionary, &item) guard status == errSecSuccess else { print("SecItemCopyMatching failed. Status = \(status)") return nil } Which return me SecItemCopyMatching failed. Status = -25300 Which means that itemNot found in keychain. Why it's happening? Case 2. I have tried other way around to create ECKey using let access = SecAccessControlCreateWithFlags( kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, nil) let ECKeySize = 256 let attributes: NSDictionary = [ kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits: ECKeySize, kSecAttrTokenID: kSecAttrTokenIDSecureEnclave, kSecPrivateKeyAttrs: [ kSecAttrIsPermanent: true, kSecAttrApplicationTag: keyTagData, kSecAttrAccessControl: access as Any ] ] var error: Unmanaged<CFError>? guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else { error!.takeRetainedValue() as Error return nil } and then trying to attest this key using self.iosDeviceAttestationManager.attestKey(keyId, clientDataHash: clientDataHash) { data, error in guard let data = data else { promise(.failure(error!)) return } promise(.success(data)) } But this gives me error Error Domain=com.apple.devicecheck.error Code=3 "(null)" Which states fot InvalidKey So is there any way how I could get reference to attested key to later use it for signing/verification purposes? Thanks, in advance!

How often does the devicecheck values reset on DEV environment? From what I see, it seems to be 24h. Can anyone confirm?

DeviceCheck: generateToken() fails to return token in Xcode Cloud for macOS. The device token is always nil. How does one write test with that API ? Skipping the test is an option but then defeats the purpose.

I have encountered this error while using "service.generateAssertion". But I am not understanding what does this error mean exactly.

Hi, I am new to iOS development and currently studying App Attest functionality. Can someone confirm why the counter value be 0 during attestation validation at the server side. And also, can this value be reset to 0 at any point of time? Do we need to do code signoff as well for using App Attest?

Hi! Sometimes when calling DCAppAttestService.shared.generateAssertion(key.id, clientDataHash: hash) I'm getting DCError.Code.invalidInput. I am formatting clientDataHash usingSHA256.hash - so it is always 32 bytes long. As I found out - this error depends on hash that I pass to generateAssertion method. But I could not find any system - which hashes are good and which are not. Keys are always correct, otherwise invalidKey error would be risen. What can cause the issue? I'm testing on iPhone 11, iOS 15.2.1

I tried to enroll a developer account but it shows that we cant enroll now . and we tried so many times ,there is no error reference as well , is there anyone met this kind of situation before, really appreciate if you could share your experience. thanks so much

I am submitting the JWT with required payload to https://api.development.devicecheck.apple.com/v1/validate_device_token. However Apple's development devicecheck server always returns http response 401 - Unable to verify authorization token.  I generated the token following the instructions in https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests and check token by curl -v -H 'Authorization: Bearer [signed token]' "https://api.appstoreconnect.apple.com/v1/apps" I can use that token to call this API successfully. However, when I tried to use exactly the same token to verify a device ID, I got a 401 response here is my payload for the request https://api.devicecheck.apple.com/v1/validate_device_token It's my code: now = int(time.time()) expire_time = now + 20 * 60 HEADERS = { &#9;&#9;"alg": "ES256", &#9;&#9;"kid": kid, &#9;&#9;"typ": "JWT" } PAYLOAD = { &#9;&#9;'exp': expire_time, &#9;&#9;'iss': iss, &#9;&#9;'aud': "appstoreconnect-v1" } jwt_token = jwt.encode(PAYLOAD, private_key, algorithm='ES256', headers=HEADERS).decode('utf-8') auth = 'Bearer {}'.format(jwt_token) headers = { &#9;&#9;'Content-Type': 'application/x-www-form-urlencoded', &#9;&#9;'Authorization': auth } response = requests.get( &#9;&#9;'https://api.appstoreconnect.apple.com/v1/apps', &#9;&#9;headers=headers ) print(response.status_code) print(response.text) request_file = '.../ValidateDeviceTokenRequest.json' data = None with open(request_file) as json_file: &#9;&#9;data = json.load(json_file) data['timestamp'] = (now) * 1000 response = requests.post( &#9;&#9;'https://api.devicecheck.apple.com/v1/validate_device_token', &#9;&#9;data=json.dumps(data).encode(), &#9;&#9;headers=headers ) print(response.status_code) print(response.text)

I have a problem is we have some clients. And each client have difference Apple Development Id. But we want to share data between apps like Keychain Sharing or App Group but it require same Apple Development Id. So have any other ways for apps can share data with difference Apple Id?

I’m trying to get DeviceCheck to work, where I keep getting this response from Apple’s server: 401 ‘Unable to verify authorization token’.The device_token is being sent to my Python server over a base64 encoded string in another similar JSON payload. I’ve even tried cutting and pasting the base64 string from the logs directly to my server (very quickly) and nothing works. Any ideas what I might be doing wrong?I’m slightly concerned perplexed that in the https://developer.apple.com/account/ios/authkey/, the generated key is not explicitly associated with my app other than being generated in my apple account.def device_check_query(device_token): data = { ‘device_token’: device_token.replace(“\\“, “”), ‘transaction_id’: str(uuid4()), ‘timestamp’: int(time.time() * 1000), } jw_token = get_jw_token() headers = {‘Authorization’: ‘Bearer ’ + jw_token} response = requests.post(QUERY_URL, json=data, headers=headers) return response.content def get_jw_token(): with open(KEY_FILE, ‘r’) as cert_file: certificate = cert_file.read() jw_token = jwt.encode( {‘iss’: TEAM_ID}, certificate, algorithm=‘ES256’, headers={‘kid’: KEY_ID}) return jw_token

Hi everybody, I am trying to make DeviceCheck work in Javascript. But I keep on getting this issue: Unable to verify authorization token Following is my code: versionRouter.post('/update_two_bits', function(req, response) { console.log('hereeee'); console.log("\n\n\n\n\n"); var dctoken = req.body.token; var bit0 = req.body.bit0; var bit1 = req.body.bit1; console.log("Updating two bits to:"); console.log("bit0: "+bit0); console.log("bit1: "+bit1); var jwToken = jwt.sign({}, cert, { algorithm: 'ES256', keyid: keyId, issuer: teamId,}); console.log('jwToken',jwToken); // Build the post string from an object var post_data = { 'device_token' : dctoken, 'transaction_id': uuidv4(), 'timestamp': Date.now(), 'bit0': bit0, 'bit1': bit1 } // An object of options to indicate where to post to var post_options = { host: deviceCheckHost, port: '443', path: '/v1/update_two_bits', method: 'POST', headers: { 'Authorization': 'Bearer '+jwToken } }; // Set up the request var post_req = https.request(post_options, function(res) { res.setEncoding('utf8'); console.log(res.headers); console.log("statusCode: "+res.statusCode); var data = ""; res.on('data', function (chunk) { data += chunk; }); res.on('end', function() { console.log(data); response.send({"status": res.statusCode}); }); res.on('error', function(data) { console.log('error'); console.log(data); response.send({"status": res.statusCode}); }); }); // post the data post_req.write(new Buffer.from(JSON.stringify(post_data))); post_req.end(); }); Kindly provide some solution for it.

I have built a server app to generate a JWT using apple KEYID, TEAMID and P8 private key file. I am submitting the JWT with required payload to https://api.development.devicecheck.apple.com/v1/query_two_bits. However Apple's development devicecheck server always returns http response 401 - Unable to verify authorization token. Is there some other request I can send to Apple's development devicecheck server that could give me more detail why error 401 was being returned?

I just placed a test where I've tested my site on different platforms. It's doing well on Andriod devices but not showing responsiveness on ios devices. What are the possible reasons for this???

Hi! We have enabled automatic renewal for apple developer account of our company. Today is our renewal date and it was renewed already. But the device reset popup doesn't show up yet. Can anyone help me with this? We have already exceeded our registered device limit and we have to wait another year for device resetting otherwise. Thanks!

We see appAttest (available iOS 14+) provides us 3 key features: if app instance is not modified, device is genuine apple device and payload is not tempered with. We also have deviceCheck Api (iOS 11+) which return 2 bits per device, as mentioned in documentation we can create different payloads for validation and different for updating the 2 bits. Apart from returning those bits in validation request, does this DeviceCheck APIs also validate 2 of the 3 above features i.e. app is not modified and the device is genuine apple device? If yes, what response from apple server to look for in successful validation of above 2 features and what response to look for in fraud cases or failure cases? Does isSupported in case of DCDevice.current hints the device is a simulator ? Can we get exhaustive list of cases where isSupported is false? Does DCDevice.current.generateToken fails only in case of modified app instance? Can we get exhaustive list of cases where above can throw error? Can modified app instance also able to generateToken?

Is there a recommended way to determine whether to use the development or the production server API endpoint for DeviceCheck? For App Attest, the authenticator data includes either "appattest" or "appattestdevelop" in a field of the cbor data. For IAPs, we're supposed to try the production endpoint and then retry with the development endpoint if we get a particular HTTP status code. But the docs for DeviceCheck say only to use the development endpoint in development and the production endpoint in production. What are others doing? Is there any clue in the docs that I have missed?