App Check helps protect your apps from abuse by preventing unauthorized clients from authenticating using Google Sign-in: only the apps you've authorized can acquire access tokens and ID tokens from Google's OAuth 2.0 and OpenID Connect endpoint.
With App Check, devices running your app use Apple's App Attest service to verify that OAuth 2.0 and OpenID Connect requests originate from your authentic app. This attestation is sent with every request your app makes to Google's authentication endpoints. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app you haven't authorized.
Ready to get started?
How does it work?
When you enable App Check for Google Sign-in, the following happens whenever you access a Google OAuth 2.0 endpoint:
- Your app interacts with Apple's services to obtain an attestation of the app's authenticity.
- The attestation is sent to the App Check server, which verifies the validity of the attestation using parameters registered with the app, and returns to your app an App Check token. This token might retain some information about the attestation material it verified.
- The App Check client library sends the token along with the request to Google's authentication endpoints.
When App Check enforcement is enabled, Google only accepts requests accompanied by a current, valid App Check token.
How strong is the security provided by App Check?
App Check relies on the strength of Apple's App Attest service to determine app authenticity. It prevents some, but not all, abuse vectors directed towards your project. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your app.
First steps
Read the Get started guide to learn how to install and set up App Check.