In the iOS app, check DCDevice.current.isSupported (false in the simulator, where no token can be generated), then call DCDevice.current.generateToken(completionHandler:) to obtain an opaque device token (Data); Base64-encode it for transmission to your server
On your server, mint an ES256 JWT signed with the DeviceCheck private key (.p8) from your Apple Developer account: the key ID goes in the header as kid, the team ID goes in the payload as iss, together with an issued-at (iat) claim. The .p8 stays on the server; never ship it inside the app
POST to https://api.devicecheck.apple.com/v1/query_two_bits with a JSON body containing device_token (the Base64 string), transaction_id (a UUID string, unique per request), and timestamp (Unix time in milliseconds); send the JWT in an Authorization: Bearer header
Inspect the bit0 and bit1 boolean values (and last_update_time, formatted YYYY-MM) in the 200 response to determine the state previously recorded for this device; the bits mean nothing to Apple, so "flagged for fraud" is whatever your server defined them to mean
To flag a device, POST to https://api.devicecheck.apple.com/v1/update_two_bits with the same body plus both bit0 and bit1 set to the desired values
Use the development endpoint (https://api.development.devicecheck.apple.com/v1/...) for sandbox testing and the production endpoint for live apps
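The server side of the six steps above, written as an added Go example (not code from the page or from Apple): it mints the ES256 JWT with kid in the header and iss/iat in the payload, builds the query_two_bits or update_two_bits body with a fresh UUID transaction_id and a millisecond timestamp, and attaches the bearer header. It assumes a throwaway P-256 key in place of the real .p8 file, and the key ID, team ID and device token bytes are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Endpoint returns the sandbox (development) or production URL for a DeviceCheck route.
func Endpoint(production bool, route string) string {
	if production {
		return "https://api.devicecheck.apple.com/v1/" + route
	}
	return "https://api.development.devicecheck.apple.com/v1/" + route
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MakeJWT mints the ES256 bearer token: kid in the header, iss (team ID) and iat in the payload.
func MakeJWT(key *ecdsa.PrivateKey, keyID, teamID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	payload, _ := json.Marshal(map[string]interface{}{"iss": teamID, "iat": now.Unix()})
	input := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JOSE ES256 signatures are raw r||s (2 x 32 bytes), not the DER that ecdsa.SignASN1 emits.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// VerifyES256 checks a token against the matching public key (useful for testing your minting code).
func VerifyES256(pub *ecdsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// uuidV4 produces the random transaction_id Apple requires (UUID string, unique per request).
func uuidV4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// RequestBody builds the JSON for query_two_bits (bits == nil) or update_two_bits (bits != nil).
func RequestBody(deviceToken []byte, now time.Time, bits *[2]bool) ([]byte, error) {
	id, err := uuidV4()
	if err != nil {
		return nil, err
	}
	body := map[string]interface{}{
		"device_token":   base64.StdEncoding.EncodeToString(deviceToken), // raw DCDevice bytes, Base64
		"transaction_id": id,
		"timestamp":      now.UnixNano() / int64(time.Millisecond), // Unix milliseconds
	}
	if bits != nil {
		body["bit0"], body["bit1"] = bits[0], bits[1]
	}
	return json.Marshal(body)
}

func main() {
	// Throwaway P-256 key standing in for the .p8 from the developer portal (load the real one with
	// pem.Decode + x509.ParsePKCS8PrivateKey). IDs and the device token below are placeholders.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jwt, _ := MakeJWT(key, "ABC123DEFG", "TEAM123456", time.Now())
	body, _ := RequestBody([]byte("opaque-token-bytes-from-DCDevice"), time.Now(), nil)
	req, _ := http.NewRequest(http.MethodPost, Endpoint(false, "query_two_bits"), bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Content-Type", "application/json")
	fmt.Println(req.Method, req.URL, "verifies:", VerifyES256(&key.PublicKey, jwt))
	fmt.Println(string(body)) // send with http.DefaultClient.Do(req) against a real endpoint
}
```

The signature encoding is the usual trap when hand-rolling the JWT: Apple rejects DER-encoded ECDSA signatures, so the block writes r and s as two fixed 32-byte values. VerifyES256 is there so you can unit-test the minting code without calling Apple.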
Known gotchas
DeviceCheck bits are stored per device per developer team: they survive app reinstalls and device erasure, but a different team's app sees its own, independent bits, so an app moved to another developer account starts from unset bits on every device
The API returns HTTP 200 with an empty body for a successful update request and HTTP 200 with a JSON body (bit0, bit1, last_update_time) for a query request; a query for a device whose bits were never set also returns HTTP 200, but with a plain-text body reporting that the bit state was not found (currently "Failed to find bit state"). Treat that as "never flagged", not as an error, and do not blindly JSON-decode a 200 body
JWTs used for Apple server-to-server authentication expire; generate a fresh JWT per request or cache one with a short TTL (no longer than 20 minutes). A 401 from the API usually means the JWT is stale or was signed with the wrong key, not that the device token is bad
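Handling the two gotchas in code, as an added Go example (not code from the page or from Apple): ParseQueryResponse treats a 200 with a non-JSON body as "never flagged" rather than an error, ParseUpdateResponse accepts the empty 200 body, and TokenCache re-mints the bearer JWT once it is older than a TTL. The sample response bodies are constructed, the signing function is injected as a closure, and the 20-minute ceiling is taken from the note above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// BitState is the decoded result of query_two_bits. Found is false when Apple has no record for
// this device under your team, which it reports with HTTP 200 and a non-JSON body.
type BitState struct {
	Found          bool
	Bit0, Bit1     bool
	LastUpdateTime string // "YYYY-MM", as Apple returns it
}

// ParseQueryResponse interprets the status and body of a query_two_bits call.
func ParseQueryResponse(status int, body []byte) (BitState, error) {
	text := strings.TrimSpace(string(body))
	if status != http.StatusOK {
		return BitState{}, fmt.Errorf("devicecheck query: HTTP %d: %s", status, text)
	}
	if !strings.HasPrefix(text, "{") {
		// e.g. "Failed to find bit state": the device was never flagged; not an error.
		return BitState{Found: false}, nil
	}
	var r struct {
		Bit0           bool   `json:"bit0"`
		Bit1           bool   `json:"bit1"`
		LastUpdateTime string `json:"last_update_time"`
	}
	if err := json.Unmarshal([]byte(text), &r); err != nil {
		return BitState{}, fmt.Errorf("devicecheck query: bad JSON: %w", err)
	}
	return BitState{Found: true, Bit0: r.Bit0, Bit1: r.Bit1, LastUpdateTime: r.LastUpdateTime}, nil
}

// ParseUpdateResponse: update_two_bits answers 200 with an empty body on success.
func ParseUpdateResponse(status int, body []byte) error {
	if status != http.StatusOK {
		return fmt.Errorf("devicecheck update: HTTP %d: %s", status, strings.TrimSpace(string(body)))
	}
	return nil
}

// TokenCache hands out a bearer JWT, re-minting it once it is older than ttl. mint is whatever
// signs your JWT (injected so the cache is independent of the signing code); keep ttl under 20 minutes.
type TokenCache struct {
	mint   func() (string, error)
	ttl    time.Duration
	now    func() time.Time // overridable clock, so expiry can be tested without sleeping
	mu     sync.Mutex
	token  string
	minted time.Time
}

func NewTokenCache(mint func() (string, error), ttl time.Duration) *TokenCache {
	return &TokenCache{mint: mint, ttl: ttl, now: time.Now}
}

// Token returns the cached JWT, or a fresh one when the cached one has aged past ttl.
func (c *TokenCache) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.now().Sub(c.minted) < c.ttl {
		return c.token, nil
	}
	tok, err := c.mint()
	if err != nil {
		return "", err
	}
	c.token, c.minted = tok, c.now()
	return tok, nil
}

func main() {
	// Constructed sample responses, not captured from Apple's servers.
	samples := []string{`{"bit0":true,"bit1":false,"last_update_time":"2023-11"}`, "Failed to find bit state"}
	for _, body := range samples {
		st, err := ParseQueryResponse(200, []byte(body))
		fmt.Printf("%q -> %+v err=%v\n", body, st, err)
	}
	n := 0
	cache := NewTokenCache(func() (string, error) { n++; return fmt.Sprintf("jwt-%d", n), nil }, 10*time.Minute)
	a, _ := cache.Token()
	b, _ := cache.Token()
	fmt.Println(a, b, "reused:", a == b)
}
```

Checking the body for a leading brace before decoding is deliberate: a strict JSON decoder on the "not found" text would surface as a parse error and, in a fraud pipeline, could be mistaken for an outage rather than a clean device.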