1. In the iOS app, call DCAppAttestService.generateKey() to create a hardware-bound key in the Secure Enclave; store the returned keyIdentifier.
2. Request a one-time challenge from your server; compute SHA256 of the challenge bytes on device (this is the clientDataHash).
3. Call DCAppAttestService.attestKey(keyIdentifier, clientDataHash:) on device to produce an attestation object; send both the keyIdentifier and the attestation object (Base64-encoded) to your server.
4. On the server, decode the CBOR-encoded attestation object, verify the certificate chain against Apple's App Attest root CA, and confirm the nonce embedded in the leaf certificate matches SHA256(challenge).
5. Verify the credCert public key's SHA256 matches the keyIdentifier, confirm the RP ID hash in authenticatorData matches your App ID, and check the aaguid matches Apple's published App Attest value.
6. Persist the verified public key and receipt, associated with the keyIdentifier, for use in subsequent assertion verification.
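The server-side checks in steps 4 through 6, as an added example that is not code from the page, from Apple, or from any App Attest library. It uses only the Python standard library, so it carries a minimal CBOR decoder and parses the authenticatorData layout itself; it assumes the caller has already validated the x5c chain against Apple's App Attest root CA with an X.509 library and extracted from the leaf (credCert) its uncompressed P-256 public key and the value of its nonce extension (OID 1.2.840.113635.100.8.2), which are passed in as `cred_cert_public_key` and `cred_cert_nonce`. The nonce comparison follows Apple's documented verification steps, which hash authenticatorData concatenated with the clientDataHash (SHA256 of the challenge). It also covers the development-environment aaguid and the requirement that the counter be 0 on first attestation. `build_sample()` constructs a fake attestation object, with placeholder certificate bytes, purely so the checks can run offline.

```python
import base64
import hashlib
import hmac

AAGUID = {"production": b"appattest" + b"\x00" * 7, "development": b"appattestdevelop"}  # Apple's documented values


def cbor_decode(data: bytes):
    """Minimal CBOR decoder (uints, byte/text strings, arrays, maps); use a full CBOR library in production."""
    def read(pos):
        major, info = data[pos] >> 5, data[pos] & 0x1F
        pos += 1
        if info < 24:
            arg = info
        elif info in (24, 25, 26):
            width = {24: 1, 25: 2, 26: 4}[info]
            arg, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        else:
            raise ValueError("unsupported CBOR additional info")
        if major == 0:
            return arg, pos
        if major in (2, 3):
            chunk = data[pos:pos + arg]
            return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
        if major in (4, 5):
            items = []
            for _ in range(arg * (2 if major == 5 else 1)):
                item, pos = read(pos)
                items.append(item)
            return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
        raise ValueError(f"unsupported CBOR major type {major}")
    value, end = read(0)
    if end != len(data):
        raise ValueError("trailing or truncated bytes in CBOR value")
    return value


def cbor_encode(value) -> bytes:
    """Tiny CBOR encoder (lengths below 256 only), used just to build the constructed sample below."""
    def head(major, n):
        return bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])
    if isinstance(value, int):
        return head(0, value)
    if isinstance(value, bytes):
        return head(2, len(value)) + value
    if isinstance(value, str):
        return head(3, len(value.encode())) + value.encode()
    if isinstance(value, list):
        return head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    return head(5, len(value)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in value.items())


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash(32) | flags(1) | counter(4) | aaguid(16) | credIdLen(2) | credentialId | COSE key."""
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short")
    cred_id_len = int.from_bytes(auth_data[53:55], "big")
    return {"rp_id_hash": auth_data[:32], "sign_count": int.from_bytes(auth_data[33:37], "big"),
            "aaguid": auth_data[37:53], "credential_id": auth_data[55:55 + cred_id_len]}


def verify_attestation(att_obj_b64, key_id_b64, challenge, app_id,
                       cred_cert_public_key, cred_cert_nonce, environment="production"):
    """Field checks for a first-time attestation. Assumes the x5c chain was already validated
    against Apple's root with an X.509 library, which also supplied the credCert key and nonce."""
    att = cbor_decode(base64.b64decode(att_obj_b64))
    if att.get("fmt") != "apple-appattest":
        raise ValueError("unexpected attestation format")
    auth_data, key_id = att["authData"], base64.b64decode(key_id_b64)
    # Apple's documented nonce is SHA256(authenticatorData || SHA256(challenge)).
    expected_nonce = hashlib.sha256(auth_data + hashlib.sha256(challenge).digest()).digest()
    if not hmac.compare_digest(expected_nonce, cred_cert_nonce):
        raise ValueError("credCert nonce does not match this challenge")
    if not hmac.compare_digest(hashlib.sha256(cred_cert_public_key).digest(), key_id):
        raise ValueError("keyIdentifier is not SHA256 of the credCert public key")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(app_id.encode()).digest():
        raise ValueError("RP ID hash does not match App ID")
    if parsed["sign_count"] != 0:
        raise ValueError("counter must be 0 on first attestation")
    if parsed["aaguid"] != AAGUID[environment]:
        raise ValueError("unexpected aaguid for this environment")
    if parsed["credential_id"] != key_id:
        raise ValueError("credentialId does not match keyIdentifier")
    return {"key_id": key_id_b64, "public_key": cred_cert_public_key,
            "receipt": att["attStmt"]["receipt"], "counter": parsed["sign_count"]}


def build_sample():
    """Constructed attestation object shaped like a real one (not device output); DER certs are placeholders."""
    app_id = "ABCDE12345.com.example.attest"     # TeamID.BundleID, constructed
    public_key = b"\x04" + bytes(range(64))      # stand-in for the X9.62 uncompressed point
    key_id = hashlib.sha256(public_key).digest()
    challenge = b"constructed-one-time-challenge"
    auth_data = (hashlib.sha256(app_id.encode()).digest() + b"\x40" + b"\x00" * 4
                 + AAGUID["production"] + len(key_id).to_bytes(2, "big") + key_id)
    nonce = hashlib.sha256(auth_data + hashlib.sha256(challenge).digest()).digest()
    att_obj = {"fmt": "apple-appattest", "authData": auth_data, "attStmt": {
        "x5c": [b"<leaf DER placeholder>", b"<intermediate DER placeholder>"],
        "receipt": b"<receipt placeholder>"}}
    return (base64.b64encode(cbor_encode(att_obj)).decode(), base64.b64encode(key_id).decode(),
            challenge, app_id, public_key, nonce)
```

The returned dict is what step 6 persists; later assertions are verified against the stored public key and counter, which is why the counter is recorded here. The `environment` argument exists because Xcode development builds produce the `appattestdevelop` aaguid, and a server that only accepts the production value will reject every attestation from a developer device.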
Known gotchas
App Attest is unavailable in the iOS Simulator; the DCAppAttestService.isSupported property returns false, so all simulator code paths must have a fallback or skip attestation
Apple does not provide real-time revocation checking during server-side verification; all certificate chain validation is done locally using Apple's published root CA certificate, which must be kept current in your server trust store
The attestation object is CBOR-encoded, not JSON; parsing it without a proper CBOR decoder yields a malformed structure, so verification either rejects valid attestations or accepts invalid ones.