Setup

This page explains how to set up your app or game to use the Play Integrity API. In particular, you need to enable responses from the API and integrate the API into your app.

You also have the option to configure your response encryption management strategy and manage the set of responses that the API sends to your app.

Prerequisites

To integrate the Play Integrity API into your app, do one of the following depending on your development environment:

  • For apps that use the Kotlin or Java programming languages, install the latest available Android library for the Play Integrity API from Google’s Maven Repository.
  • For Unity games, install Google Play Plugins for Unity 1.7.0 or higher. All versions of 2019.x, 2020.x, and newer are supported. If you use Unity 2018.x, install version 2018.4 or newer. If you use Unity 2017.x, install 2017.4.40 or newer. Note that Unity 5.x and older aren’t supported.
  • For native apps and games, install Play Core Native SDK 1.11.0 or higher.

Enable Play Integrity responses

To use the Play Integrity API, you must enable Play Integrity API responses by linking your app to a Google Cloud project. Then follow the instructions to integrate the API into your app.

Apps on Google Play

In the Play Console, navigate to the Release section of the left menu. Go to Setup > App integrity. Select the Integrity API tab to get started.

Apps exclusively distributed outside Google Play

You can enable Play Integrity API responses for your app without using the Google Play Console. To do so, complete these steps:

  1. Choose an existing project or create a new project from the Google Cloud Console.
  2. Go to APIs and services and select Enable APIs and services.
  3. Search for Play Integrity API. Select it and then select Enable.

After the API is enabled, you can integrate Play Integrity API into your app.

SDKs using Play Integrity API

To use the Play Integrity API in your SDK, the following conditions must be met:

  • You must link your SDK to a Google Cloud project and enable the Play Integrity API.
  • To receive and decrypt Integrity API responses, you will need to include your Cloud project number in your requests. You can find this in Project info in your Google Cloud Console.
  • The requesting app calling your API must enable the Play Integrity API for their app. When apps available on Google Play use your SDK, your requests to Play Integrity API automatically count towards the app’s API usage.

After choosing a project in the Google Cloud Console, go to APIs and services and select Enable APIs and services. Search for Play Integrity API. Select it and then select Enable. After the API is enabled, you can integrate the Play Integrity API into your SDK by following the instructions in Integrate Play Core into your app.

Configure how your responses are encrypted and decrypted (optional)

By default, Google Play's servers manage the response encryption that your app uses when you interact with the Play Integrity API. While we recommend that you use this default option, you can also choose to manage and download your response encryption keys.

Let Google manage your response encryption (default and recommended)

To protect your app's security, it's recommended that you allow Google to generate and manage your response encryption keys. Your backend server will call Google Play's server to decrypt responses.

Manage and download my response encryption keys

If you want to decrypt the integrity verdict locally within your own secure server environment, you can manage and download your response encryption keys.

Remember not to decrypt or verify the received token from within your client app, and never expose any decryption keys to the client app. To manage and download your response encryption keys, you must use the Play Console, and your app must be available on Google Play.

Switching between Google-managed and self-managed response encryption keys

If Google currently manages your response encryption, and you want to switch to manage and download your response encryption keys yourself, follow these steps:

  1. Log into the Play Console.
  2. Select an app that uses the Play Integrity API.
  3. In the Release section of the left menu, go to Setup > App integrity.
  4. Navigate to the Integrity API tab.
  5. In the Settings section of the page, next to Response encryption keys, click Change.
  6. In the window that appears, click Manage and download my response encryption keys.
  7. Follow the instructions to upload a public key.
  8. After the window shows that the upload was successful, click Save and your encrypted keys download automatically.
  9. Change your server logic so that you decrypt and verify integrity tokens locally, in your own secure server environment, using your response encryption keys.
  10. (Optional) When you self-manage your response encryption keys, your app can still fall back to Google Play's server to decrypt and verify the response.

If you self-manage your response encryption keys, and you want to switch to have Google manage your response encryption, follow these steps:

  1. Change your server logic so that you're solely decrypting and verifying on Google's servers.
  2. Log into the Play Console.
  3. Select an app that uses the Play Integrity API.
  4. In the Release section of the left menu, go to Setup > App integrity.
  5. Navigate to the Integrity API tab.
  6. In the Settings section of the page, next to Response encryption keys, click Change.
  7. In the window that appears, click Let Google manage my response encryption (recommended).
  8. Click Save changes.

Before you change your response encryption management strategy in the Play Console, make sure your server is correctly configured to decrypt and verify integrity tokens, either locally or on Google Play’s servers, to match the strategy you are switching to.
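The local decrypt-and-verify step of the self-managed procedure above, written for a Node.js backend. This is an added example, not code from the Play Integrity documentation. It assumes the token is a compact JWE (A256KW, A256GCM) wrapping an ES256-signed JWS, that the decryption key is a base64 AES-256 key and the verification key a base64 DER (SPKI) EC public key; the function names and the fixture builder are hypothetical.

```javascript
const crypto = require('node:crypto');

const KW_IV = Buffer.alloc(8, 0xa6); // RFC 3394 default initial value
const b64u = (s) => Buffer.from(s, 'base64url');
const json = (s) => JSON.parse(b64u(s).toString('utf8'));

// Server-side only: unwrap, decrypt, then verify. Throws on any failure.
function decryptAndVerify(token, decryptionKeyB64, verificationKeyB64) {
  const [hdr, wrapped, iv, ct, tag, extra] = token.split('.');
  if (tag === undefined || extra !== undefined) throw new Error('expected compact JWE');
  const { alg, enc } = json(hdr);
  if (alg !== 'A256KW' || enc !== 'A256GCM') throw new Error('unexpected JWE algorithms');
  // 1. AES key unwrap recovers the content-encryption key (CEK).
  const kw = crypto.createDecipheriv('aes256-wrap', Buffer.from(decryptionKeyB64, 'base64'), KW_IV);
  const cek = Buffer.concat([kw.update(b64u(wrapped)), kw.final()]);
  // 2. AES-256-GCM decrypt; the encoded protected header is the AAD.
  const gcm = crypto.createDecipheriv('aes-256-gcm', cek, b64u(iv));
  gcm.setAAD(Buffer.from(hdr, 'ascii'));
  gcm.setAuthTag(b64u(tag));
  const jws = Buffer.concat([gcm.update(b64u(ct)), gcm.final()]).toString('ascii');
  // 3. Verify the inner ES256 signature before trusting the payload.
  const [jh, jp, sig] = jws.split('.');
  if (sig === undefined || json(jh).alg !== 'ES256') throw new Error('unexpected JWS');
  const pub = crypto.createPublicKey({ key: Buffer.from(verificationKeyB64, 'base64'), format: 'der', type: 'spki' });
  const ok = crypto.verify('sha256', Buffer.from(`${jh}.${jp}`), { key: pub, dsaEncoding: 'ieee-p1363' }, b64u(sig));
  if (!ok) throw new Error('signature verification failed');
  return json(jp);
}

// Constructed fixture: a token in the same format, made with throwaway keys.
function buildSampleToken(payload) {
  const enc = (x) => Buffer.from(x).toString('base64url');
  const aesKey = crypto.randomBytes(32);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const signingInput = `${enc('{"alg":"ES256"}')}.${enc(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  const hdr = enc('{"alg":"A256KW","enc":"A256GCM"}');
  const cek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const kw = crypto.createCipheriv('aes256-wrap', aesKey, KW_IV);
  const wrapped = Buffer.concat([kw.update(cek), kw.final()]);
  const gcm = crypto.createCipheriv('aes-256-gcm', cek, iv);
  gcm.setAAD(Buffer.from(hdr, 'ascii'));
  const ct = Buffer.concat([gcm.update(`${signingInput}.${enc(sig)}`), gcm.final()]);
  return {
    token: [hdr, ...[wrapped, iv, ct, gcm.getAuthTag()].map(enc)].join('.'),
    decryptionKey: aesKey.toString('base64'),
    verificationKey: publicKey.export({ format: 'der', type: 'spki' }).toString('base64'),
  };
}
```

Both keys stay on the server; the client app only forwards the opaque token.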

Configure API responses (optional)

The Play Integrity API provides the following main signals in its integrity verdict:

  • Application integrity.
  • Account details.
  • Device integrity.

You can edit the set of device integrity responses that your app receives. By opting in to receive multiple labels, you can build an enforcement strategy based on different levels of device trustworthiness. To do so, follow the instructions in your Play Console. This option is only available for apps available on Google Play.
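One way a backend could turn a multi-label verdict into tiered enforcement, shown as an added example rather than code from the Play Integrity documentation. The field and label names follow the decoded verdict payload; the tier numbers, action names and the policy itself are hypothetical, and the sample verdict is constructed.

```javascript
// Device labels ranked by trust; a higher number is a stronger guarantee.
const DEVICE_TIER = new Map([
  ['MEETS_BASIC_INTEGRITY', 1],
  ['MEETS_DEVICE_INTEGRITY', 2],
  ['MEETS_STRONG_INTEGRITY', 3],
]);
// Hypothetical actions and the minimum device tier each one requires.
const REQUIRED_TIER = new Map([
  ['view_catalog', 0], ['login', 1], ['purchase', 2], ['transfer_funds', 3],
]);

// Highest tier among the returned labels; missing or unknown labels count as 0.
function deviceTier(verdict) {
  const labels = verdict?.deviceIntegrity?.deviceRecognitionVerdict;
  if (!Array.isArray(labels)) return 0;
  return labels.reduce((tier, label) => Math.max(tier, DEVICE_TIER.get(label) ?? 0), 0);
}

// Fail closed: unknown actions and missing signals are denied.
function decide(action, verdict) {
  const required = REQUIRED_TIER.get(action);
  if (required === undefined) return { allow: false, reason: 'unknown action' };
  if (required === 0) return { allow: true, reason: 'no integrity requirement' };
  if (verdict?.appIntegrity?.appRecognitionVerdict !== 'PLAY_RECOGNIZED') {
    return { allow: false, reason: 'app binary not recognized' };
  }
  if (verdict?.accountDetails?.appLicensingVerdict !== 'LICENSED') {
    return { allow: false, reason: 'account not licensed' };
  }
  const tier = deviceTier(verdict);
  return tier >= required
    ? { allow: true, reason: `device tier ${tier}` }
    : { allow: false, reason: `device tier ${tier} below required ${required}` };
}

// Constructed sample of a decoded verdict payload.
const SAMPLE_VERDICT = {
  appIntegrity: { appRecognitionVerdict: 'PLAY_RECOGNIZED' },
  accountDetails: { appLicensingVerdict: 'LICENSED' },
  deviceIntegrity: { deviceRecognitionVerdict: ['MEETS_BASIC_INTEGRITY', 'MEETS_DEVICE_INTEGRITY'] },
};
```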

Integrate Play Core into your app

To integrate Play Integrity API into your app, follow the platform-specific instructions listed in one of the following sections.

Kotlin or Java

If you're using a local Maven repository, add the following dependency to your app's build.gradle file:

implementation 'com.google.android.play:integrity:LATEST_VERSION'

Unity

See Install Google packages for Unity.

Native

See Play Core Native's development environment setup guide.