Register your app in Google Play Console and enable the Play Integrity API; link a Cloud project so your backend can call the API to decrypt tokens
On the backend, generate a cryptographically random nonce string (at minimum 16 bytes, Base64-encoded) per request; store it server-side associated with the session
In the app, pass the nonce to IntegrityTokenRequest.builder().setNonce(nonce).build() and call integrityManager.requestIntegrityToken() to obtain the integrity token
Send the integrity token to your backend; do not decrypt it client-side
On the backend, call the Play Integrity API with the token and your package name; verify the nonce in the decrypted payload matches the server-stored nonce before trusting the verdict
Use classic requests sparingly — only for high-value actions such as account recovery or large transactions — due to higher latency (seconds) and greater battery and data cost
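The backend half of the steps above (issuing the nonce, then checking the decrypted payload), as an added example that is not from the original page or from Google. It assumes the payload has already been decrypted by the Play Integrity API and uses that API's verdict field names; the in-memory store, the 120-second lifetime, the session ids and com.example.app are hypothetical.

```python
import base64, hmac, secrets, time

NONCE_TTL_SECONDS = 120   # assumed lifetime; tune to your flow
_pending = {}             # session_id -> (nonce, issued_at); stand-in for a real server-side store

def issue_nonce(session_id, now=None):
    """Create a one-time nonce for this session and remember it server-side."""
    now = time.time() if now is None else now
    # 24 random bytes -> 32 URL-safe Base64 characters (no padding needed)
    nonce = base64.urlsafe_b64encode(secrets.token_bytes(24)).decode("ascii")
    _pending[session_id] = (nonce, now)
    return nonce

def check_verdict(session_id, payload, package_name, now=None):
    """Return (ok, reason) for a payload already decrypted by the Play Integrity API."""
    now = time.time() if now is None else now
    entry = _pending.pop(session_id, None)  # pop: a nonce is accepted once, pass or fail
    if entry is None:
        return False, "no pending nonce"
    nonce, issued_at = entry
    if now - issued_at > NONCE_TTL_SECONDS:
        return False, "nonce expired"
    details = payload.get("requestDetails", {})
    got = str(details.get("nonce", "")).encode()
    if not hmac.compare_digest(got, nonce.encode()):  # constant-time comparison
        return False, "nonce mismatch"
    if details.get("requestPackageName") != package_name:
        return False, "package mismatch"
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized"
    device = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        return False, "device integrity not met"
    return True, "ok"

def sample_payload(nonce, package_name):
    """Constructed payload in the shape of a decrypted verdict (not real API output)."""
    return {
        "requestDetails": {"requestPackageName": package_name, "nonce": nonce},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    }

if __name__ == "__main__":
    pkg = "com.example.app"  # hypothetical package name
    n = issue_nonce("session-1")
    print(check_verdict("session-1", sample_payload(n, pkg), pkg))  # first use
    print(check_verdict("session-1", sample_payload(n, pkg), pkg))  # replayed token
```

Removing the nonce from the store before any other check means a replayed token is rejected even when its verdict is otherwise valid.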
Known gotchas
Classic requests have higher latency than standard requests (seconds versus hundreds of milliseconds); do not use them in time-sensitive UI flows or on critical rendering paths
The nonce in a classic request must be Base64-encoded; passing raw bytes or a non-Base64 string causes the request to fail with an invalid argument error
Classic requests do not benefit from Google's cached attestation state; each call initiates a full device attestation, which may fail more frequently on devices with intermittent connectivity or degraded Google Play Services state