Add the Play Integrity library dependency to your Android app and call IntegrityManagerFactory.create(context) at app startup to warm up the integrity token provider
Before a sensitive action, compute a requestHash by hashing a canonical representation of the request (e.g., SHA256 of the user action identifier and relevant parameters)
Call integrityManager.requestIntegrityToken(IntegrityTokenRequest.builder().setRequestHash(requestHash).build()) to obtain an integrity token; forward it to your backend
On the backend, call the Play Integrity API decryptIntegrityToken endpoint (or use the Google API client library) with your package name to decrypt and verify the token
Inspect the verdicts in the response: appIntegrity.appRecognitionVerdict, deviceIntegrity.deviceRecognitionVerdict, and accountDetails.appLicensingVerdict
Take action based on verdicts: allow only PLAY_RECOGNIZED / MEETS_DEVICE_INTEGRITY / LICENSED; for others, trigger remediation dialogs or deny the request
Known gotchas
Standard API requests require a warm-up call before the critical request path; calling requestIntegrityToken without prior warm-up increases latency significantly and may fail on slow connections
The requestHash is not a nonce — it is a digest of request content and does not guarantee single-use; implement your own replay protection (e.g., server-side token tracking) for high-value operations
Play Integrity verdicts reflect a snapshot assessment; a device that passes at token generation time may subsequently be compromised — re-evaluate at appropriate intervals for long sessions
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp