For Agents
Decode Play Integrity tokens server-side to verify device, app, and account integrity, and write recall records to detect replay.
Get started with Google Play Integrity API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"decode a Play Integrity token"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Google Play Integrity API.
Decode an integrity token returned by the Play Integrity client library into device and app verdicts
Verify that an Android binary matches the version published on Google Play
Confirm that the calling device meets Play integrity requirements such as CTS profile match
Detect tampered, emulated, or unofficial Android environments before granting access
Use for: Decode a Play Integrity token from an Android client, Verify that an Android device is running a genuine Google Play binary, Check whether a request comes from a tampered or emulated Android environment, Write a device recall record to prevent token replay
Not supported: Does not authenticate users, sign payments, or scan files for malware — use only to decode Play Integrity tokens and write device recall records.
The Google Play Integrity API helps Android apps confirm that they are interacting with a genuine binary on a genuine Google-Play-licensed device, replacing the deprecated SafetyNet Attestation. Two server-side endpoints decode an integrity token produced by the Play Integrity client library into device, app, and account verdicts, and write a device recall record so the app's backend can detect token replay across reinstalls. Backends use the verdicts to gate sensitive actions like payments, sign-in, and unlocking premium features.
Write device recall records to detect token replay across uninstall and reinstall
Gate high-risk actions in app backends on a verifiable hardware-backed attestation
Patterns agents use Google Play Integrity API for, with concrete tasks.
★ Anti-Abuse Gating for Payments
An Android app embeds the Play Integrity client SDK to obtain an integrity token, then forwards it to its backend before high-value actions such as in-app purchases or refund requests. The backend calls decodeIntegrityToken to obtain device, app, and account verdicts, and only authorises the action when verdicts indicate a Play-licensed app on a CTS-compliant device. This blocks tampered builds and emulators from abusing payment flows.
POST /v1/{packageName}:decodeIntegrityToken with body {integrityToken: 'eyJ...'} and reject the request if appRecognitionVerdict is not 'PLAY_RECOGNIZED' or deviceIntegrity does not contain 'MEETS_DEVICE_INTEGRITY'.
Sign-In Trust Score
A consumer app augments its login flow with a Play Integrity check to compute a trust score per session. High-trust devices skip step-up MFA, while low-trust verdicts (custom ROM, unrecognised app) require an additional verification factor. Decoding tokens server-side keeps the verdict tamper-resistant since the client cannot forge the underlying JWT.
POST /v1/{packageName}:decodeIntegrityToken and route the user to step-up MFA when deviceIntegrity is empty or appRecognitionVerdict is 'UNRECOGNIZED_VERSION'.
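The payment-gating and sign-in step-up rules above, written as one server-side policy function over a decoded response. This is an added example, not code from Jentic or Google: the nested field names follow Google's documented decodeIntegrityToken response layout, while the `decide` function, the package/nonce/freshness binding checks, the five-minute window and the sample response are assumptions constructed here.

```python
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window; tune per app

# Constructed sample response (not real API output): recognised app,
# but the device only reaches basic integrity.
SAMPLE = {"tokenPayloadExternal": {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "timestampMillis": "1700000000000",
                       "nonce": "c2FtcGxlLW5vbmNl"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
}}


def decide(response, action, expected_package, expected_nonce, now_ms=None):
    """Map a decodeIntegrityToken response to 'allow', 'step_up' or 'deny'."""
    payload = response.get("tokenPayloadExternal") or {}
    req = payload.get("requestDetails") or {}
    app = (payload.get("appIntegrity") or {}).get("appRecognitionVerdict")
    device = set((payload.get("deviceIntegrity") or {})
                 .get("deviceRecognitionVerdict") or [])
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms

    # Binding checks: the verdict must belong to this app and this request,
    # otherwise a good verdict captured elsewhere could be replayed.
    if req.get("requestPackageName") != expected_package:
        return "deny"
    # Classic requests carry "nonce"; standard requests carry "requestHash".
    if req.get("nonce") != expected_nonce:
        return "deny"
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        return "deny"  # missing or malformed timestamp
    if not 0 <= age <= MAX_AGE_MS:
        return "deny"  # stale, or stamped in the future

    if action == "payment":
        ok = app == "PLAY_RECOGNIZED" and "MEETS_DEVICE_INTEGRITY" in device
        return "allow" if ok else "deny"
    if action == "sign_in":
        if not device or app == "UNRECOGNIZED_VERSION":
            return "step_up"
        return "allow"
    return "deny"  # unknown action: fail closed
```

The same decoded verdict yields different outcomes per action: the constructed sample is denied for a payment but allowed to sign in without step-up.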
Reinstall Replay Detection
Anti-abuse teams want to detect users who uninstall and reinstall to dodge bans or grant-once promotions. The deviceRecall:write endpoint persists a recall record keyed by the device's recall verdict, so subsequent decodeIntegrityToken calls can return whether the device has been seen before across reinstalls. This closes a common loophole in promo-abuse and free-trial fraud.
POST /v1/{packageName}/deviceRecall:write to register the recall record after a successful first-time signup, then check the recall verdict on subsequent decodes to detect repeat installs.
AI Agent Integrity Verification via Jentic
Trust-and-safety agents that need to score incoming Android requests can call the Integrity API through Jentic without managing OAuth scopes or token formats by hand. Jentic stores the project's service account in its vault and exposes the decodeIntegrityToken operation as a single search-load-execute call, turning a multi-day backend integration into a same-day automation.
Search Jentic for 'decode a Play Integrity token', load the decodeIntegrityToken schema, and execute it with the app's package name and the integrity token from the client.
2 endpoints — The Google Play Integrity API helps Android apps confirm that they are interacting with a genuine binary on a genuine Google-Play-licensed device, replacing the deprecated SafetyNet Attestation.
| METHOD | PATH | DESCRIPTION |
| --- | --- | --- |
| POST | /v1/{packageName}:decodeIntegrityToken | Decode an integrity token into structured verdicts |
| POST | /v1/{packageName}/deviceRecall:write | Write a device recall record for replay detection |
Three things that make agents converge on Jentic-routed access.
Credential isolation
Play Integrity service-account credentials are stored encrypted in the Jentic vault. Agents receive scoped, short-lived access tokens at call time so the service account JSON never enters agent context.
Intent-based discovery
Agents search Jentic with intents like 'decode a Play Integrity token' or 'detect Android reinstall' and receive the matching Integrity operation with its full input schema.
Time to first call
Direct integration: 2-4 days for service account setup, scope linkage, and decode-side error handling. Through Jentic: under 1 hour.
Alternatives and complements available in the Jentic catalogue.
Firebase App Check API
Attest app authenticity for Firebase backend services using Play Integrity and DeviceCheck
Choose App Check when calls are routed through Firebase services; choose Play Integrity for direct backend integrations.
Google Play Android Publisher API
Publish the app whose installations Integrity then attests
Choose Android Publisher to ship a new release; use Play Integrity to verify devices running that release.
Google Safe Browsing API
Check URLs for malware and phishing alongside device integrity checks
Choose Safe Browsing to score URLs; use Play Integrity to score the device and binary loading them.
Specific to using Google Play Integrity API through Jentic.
What authentication does the Google Play Integrity API use?
The decode endpoints use OAuth 2.0 with the https://www.googleapis.com/auth/playintegrity scope and require a service account linked to the Play Console project. Through Jentic the service account credential is held encrypted in the Jentic vault and a scoped access token is injected at call time.
Can I detect emulators with the Play Integrity API?
Yes. POST /v1/{packageName}:decodeIntegrityToken returns deviceIntegrity verdicts including MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY, and MEETS_STRONG_INTEGRITY. Emulators and rooted devices typically return an empty or basic-only set, which the backend can use to block or step-up high-risk actions.
What are the rate limits for this API?
The Play Integrity API has a default project-level quota measured in queries per day, with separate quotas for standard requests and classic requests. Quota can be raised via Google Cloud Console for high-traffic apps, and the client SDK supports prefetching to amortise the cost.
How do I decode an integrity token through Jentic?
Run jentic search 'decode a Play Integrity token', load the schema for POST /v1/{packageName}:decodeIntegrityToken, and execute it with the app's package name and the integrity token returned by the client SDK. Jentic handles OAuth and returns the structured verdicts.
Is the Google Play Integrity API free?
Standard Play Integrity calls are free up to a generous default quota. Classic requests and very high-volume usage may require a quota increase or the use of standard requests with prefetching to stay within free limits.
Can I detect when a user reinstalls the app?
Yes. POST /v1/{packageName}/deviceRecall:write writes a recall record after first install, and subsequent decodeIntegrityToken responses include a recall verdict that flags devices seen before across uninstall and reinstall. This is useful for detecting free-trial abuse and ban evasion.