The https://data-development.appattest.apple.com/v1/attestationData endpoint is for requesting and analyzing fraud risk data. Your server sends an HTTP POST request with a Base64-encoded receipt, extracted from an attestation object, to this endpoint.
The Apple server returns a new receipt that includes a risk metric. This endpoint is specifically for the sandbox environment during development.
The App Attest service does not provide a direct Apple endpoint for server-side verification of the attestation object itself.
Instead, your server performs the verification of the attestation object by following a series of steps outlined in the Attestation Object Validation Guide. This process involves verifying the certificate chain, reconstructing and validating a nonce, hashing the public key, and checking various fields within the authenticator data, such as the App ID hash, counter, and aaguid. The attestation object is sent from your app to your server, and your server then processes it locally.
The attestKey(_:clientDataHash:completionHandler:) method is called from your app to ask Apple to attest to the validity of a generated cryptographic key. This method returns an attestation object to your app, which your app then sends to your server for verification. The verification of this attestation object occurs on your server, not by sending it to an Apple endpoint.
