After your backend decrypts the integrity token, parse the tokenPayloadExternal JSON object returned by the decryptIntegrityToken API call
Read appIntegrity.appRecognitionVerdict: PLAY_RECOGNIZED means the app matches the Play-distributed binary; UNRECOGNIZED_VERSION and UNEVALUATED are degraded states
Read the deviceIntegrity.deviceRecognitionVerdict array: MEETS_DEVICE_INTEGRITY (hardware-backed), MEETS_BASIC_INTEGRITY and MEETS_STRONG_INTEGRITY are the possible labels; which ones are present, or their absence, indicates the trust level
Read accountDetails.appLicensingVerdict: LICENSED confirms the user's account purchased or installed the app from Play; UNLICENSED and UNEVALUATED indicate sideloading or no Play account
For non-compliant verdicts, trigger an in-app remediation dialog using the Play Integrity API's showDialog() method with the appropriate dialog type code returned in the error response
Log verdict outcomes with the requestHash and timestampMillis from the token payload for audit and anomaly detection
Known gotchas
MEETS_STRONG_INTEGRITY (hardware-backed attestation) requires Google Play Services on a device with a valid hardware attestation chain; custom ROMs and many older devices will only achieve MEETS_BASIC_INTEGRITY at best
Remediation dialogs (introduced in library version 1.4.0 / May 2025 requirement update) require the user to interact with a Google Play overlay; some enterprise-hardened devices may block this UI
timestampMillis in the verdict reflects when Google evaluated the request — compare it to your server's receipt time; large skews may indicate token exfiltration and reuse
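The verdict checks above and the timestamp comparison, as an added example that is not part of the original page or of Google's libraries. The function name, MAX_SKEW_MS, the required device label and the sample payload values are assumptions; the requestDetails nesting follows Google's documented payload layout.

```python
import json

# Constructed sample of a decrypted tokenPayloadExternal object (values are made up).
SAMPLE = json.loads("""
{"requestDetails": {"requestPackageName": "com.example.app",
                    "requestHash": "aGFzaC1wbGFjZWhvbGRlcg",
                    "timestampMillis": "1700000000000"},
 "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
 "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
 "accountDetails": {"appLicensingVerdict": "LICENSED"}}
""")

MAX_SKEW_MS = 120_000  # assumed tolerance; tune to your own latency budget


def evaluate_verdict(payload, expected_hash, received_ms,
                     required_device="MEETS_DEVICE_INTEGRITY"):
    """Return (allow, reasons, audit_record) for one decrypted payload."""
    reasons = []
    req = payload.get("requestDetails") or {}
    # A missing section is treated like UNEVALUATED / an empty label list.
    app = (payload.get("appIntegrity") or {}).get("appRecognitionVerdict", "UNEVALUATED")
    device = (payload.get("deviceIntegrity") or {}).get("deviceRecognitionVerdict") or []
    lic = (payload.get("accountDetails") or {}).get("appLicensingVerdict", "UNEVALUATED")

    if app != "PLAY_RECOGNIZED":
        reasons.append(f"app:{app}")
    if required_device not in device:
        reasons.append("device:missing " + required_device)
    if lic != "LICENSED":
        reasons.append(f"license:{lic}")
    # Bind the verdict to the request hash the server computed itself.
    if req.get("requestHash") != expected_hash:
        reasons.append("requestHash:mismatch")
    # A missing or malformed timestamp fails the check instead of skipping it.
    try:
        skew = abs(received_ms - int(req["timestampMillis"]))
    except (KeyError, TypeError, ValueError):
        skew = None
    if skew is None or skew > MAX_SKEW_MS:
        reasons.append("timestamp:skew")

    # Audit record carries requestHash and timestampMillis for anomaly detection.
    audit = {"requestHash": req.get("requestHash"),
             "timestampMillis": req.get("timestampMillis"),
             "receivedMillis": received_ms, "app": app, "device": device,
             "license": lic, "reasons": reasons}
    return (not reasons), reasons, audit
```

The reasons list is what a caller would map to a remediation dialog type; the audit record is what goes to the log.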