@n3arby/play-integrity-verifier

v0.2.0

A TypeScript library for verifying Google Play Integrity API responses

A TypeScript library for verifying Google Play Integrity API responses using the official Google APIs client library. This package helps you validate the integrity of Android app installations and device authenticity using Google's Play Integrity API.

Features

  • 🔐 Verify Play Integrity tokens server-side using official Google APIs
  • 📱 Check app integrity and device authenticity
  • 🛡️ Validate app licensing status
  • 🌐 TypeScript support with full type definitions
  • ⚡ Modern async/await API
  • 🏗️ Built on official @googleapis/playintegrity library

Installation

npm install @n3arby/play-integrity-verifier

Prerequisites

  1. Google Cloud Project: Set up a Google Cloud project with Play Integrity API enabled
  2. Service Account: Create a service account with Play Integrity API permissions
  3. Service Account Key: Download the JSON key file for your service account

Enable Play Integrity API

  1. Go to the Google Cloud Console
  2. Select your project
  3. Navigate to "APIs & Services" > "Library"
  4. Search for "Play Integrity API" and enable it

Create Service Account

  1. Go to "IAM & Admin" > "Service Accounts"
  2. Click "Create Service Account"
  3. Give it a name and description
  4. Grant the "Play Integrity API Service Agent" role
  5. Create and download the JSON key file

Usage

Basic Example

import { verifyPlayIntegrity } from '@n3arby/play-integrity-verifier';

async function verifyToken() {
  const integrityToken = 'YOUR_INTEGRITY_TOKEN_FROM_ANDROID_APP';
  const expectedPackageName = 'com.yourcompany.yourapp'; // Your app's package name
  
  const credentials = {
    clientEmail: 'your-service-account@project.iam.gserviceaccount.com',
    privateKey: '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n'
  };

  try {
    const result = await verifyPlayIntegrity(integrityToken, credentials, expectedPackageName);
    
    console.log('App package name:', result.requestDetails?.requestPackageName);
    console.log('App integrity verdict:', result.appIntegrity?.appRecognitionVerdict);
    console.log('Device integrity verdict:', result.deviceIntegrity?.deviceRecognitionVerdict);
    console.log('App licensing verdict:', result.accountDetails?.appLicensingVerdict);
    
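  } catch (error) {
    // A caught value is `unknown` under strict TypeScript, so narrow it before reading .message
    console.error('Verification failed:', error instanceof Error ? error.message : error);
  }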
}

Express.js Integration

import express from 'express';
import { verifyPlayIntegrity } from '@n3arby/play-integrity-verifier';

const app = express();
app.use(express.json());

const credentials = {
  clientEmail: process.env.GOOGLE_CLIENT_EMAIL!,
  privateKey: process.env.GOOGLE_PRIVATE_KEY!.replace(/\\n/g, '\n')
};

// The expected package name comes from server configuration, never from the request body:
// a client-supplied value would let a token issued for a different app pass the check.
// ANDROID_PACKAGE_NAME is an assumed variable name.
const expectedPackageName = process.env.ANDROID_PACKAGE_NAME!;

app.post('/verify-integrity', async (req, res) => {
  try {
    const { integrityToken } = req.body;
    
    if (!integrityToken) {
      return res.status(400).json({ error: 'Missing integrity token' });
    }
    
    const result = await verifyPlayIntegrity(integrityToken, credentials, expectedPackageName);
    
    // Check if app is recognized and device is authentic
    const isAppLegitimate = result.appIntegrity?.appRecognitionVerdict === 'PLAY_RECOGNIZED';
    // A missing verdict list counts as a failure instead of leaving `verified` undefined
    const isDeviceAuthentic = result.deviceIntegrity?.deviceRecognitionVerdict?.includes('MEETS_DEVICE_INTEGRITY') ?? false;
    
    res.json({
      verified: isAppLegitimate && isDeviceAuthentic,
      appIntegrity: result.appIntegrity,
      deviceIntegrity: result.deviceIntegrity,
      requestDetails: result.requestDetails
    });
    
  } catch (error) {
    res.status(500).json({ error: error instanceof Error ? error.message : String(error) });
  }
});

Using with Environment Variables

import { verifyPlayIntegrity } from '@n3arby/play-integrity-verifier';

// Load from environment variables
const credentials = {
  clientEmail: process.env.GOOGLE_CLIENT_EMAIL!,
  privateKey: process.env.GOOGLE_PRIVATE_KEY!.replace(/\\n/g, '\n')
};

async function verify(token: string, packageName: string) {
  return await verifyPlayIntegrity(token, credentials, packageName);
}

Android Client Side (for reference)

// In your Android app, generate the integrity token
val integrityManager = IntegrityManagerFactory.create(applicationContext)
val integrityTokenRequest = IntegrityTokenRequest.builder()
    .setNonce("your-unique-nonce")
    .build()

integrityManager.requestIntegrityToken(integrityTokenRequest)
    .addOnSuccessListener { response ->
        val token = response.token()
        // Send this token to your server for verification
        sendTokenToServer(token)
    }
    .addOnFailureListener { exception ->
        // Handle error
    }

API Reference

verifyPlayIntegrity(token, credentials, expectedPackageName)

Verifies a Play Integrity token and returns the decoded response.

Parameters

  • token (string): The integrity token received from the Android app
  • credentials (PlayIntegrityCredentials): Google service account credentials
  • expectedPackageName (string): The expected package name of your Android app (e.g., 'com.example.myapp')

Returns

Promise<PlayIntegrityResponse> - The decoded and verified integrity response

Types

PlayIntegrityCredentials

interface PlayIntegrityCredentials {
  clientEmail: string;    // Service account email
  privateKey: string;     // Service account private key (PEM format)
}

PlayIntegrityResponse

interface PlayIntegrityResponse {
  requestDetails?: {
    requestPackageName?: string;  // Package name of the app
    timestampMillis?: string;     // Request timestamp
    nonce?: string;               // Nonce used in the request
  };
  appIntegrity?: {
    appRecognitionVerdict?: string;      // PLAY_RECOGNIZED, UNRECOGNIZED_VERSION, etc.
    packageName?: string;                // App package name
    certificateSha256Digest?: string[];  // App signing certificate digests
    versionCode?: string;                // App version code
  };
  deviceIntegrity?: {
    deviceRecognitionVerdict?: string[]; // MEETS_DEVICE_INTEGRITY, etc.
  };
  accountDetails?: {
    appLicensingVerdict?: string;        // LICENSED, UNLICENSED, etc.
  };
}

Environment Variables

For production use, store your credentials as environment variables:

GOOGLE_CLIENT_EMAIL=your-service-account@project.iam.gserviceaccount.com
GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"

Error Handling

The library throws descriptive errors for various failure scenarios:

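try {
  const result = await verifyPlayIntegrity(token, credentials, expectedPackageName);
} catch (error) {
  // A caught value is `unknown` under strict TypeScript, so narrow it first
  const message = error instanceof Error ? error.message : String(error);
  if (message.includes('Play Integrity verification failed')) {
    // Handle API-specific errors (invalid token, quota exceeded, etc.)
  } else {
    // Handle other errors (network, authentication, etc.)
  }
}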

Security Considerations

  1. Server-side only: Never verify tokens on the client side
  2. Secure credentials: Store service account keys securely
  3. Token freshness: Verify tokens promptly after generation
  4. Nonce validation: Always validate the nonce in your server logic
  5. Package name validation: The library automatically validates that the package name in the token matches your expected package name
  6. Required package name: Always provide the expected package name - this is crucial for security as it prevents token replay attacks from other apps
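
The checks in points 3 to 6 can be applied to the decoded response in one place. The following is an added example, not code from this library: the field names follow PlayIntegrityResponse above, while evaluateVerdict, Policy, the in-memory nonce set and the sample values are assumptions made for illustration.

```typescript
// Added example. Field names follow PlayIntegrityResponse; everything else is assumed.
interface DecodedVerdict {
  requestDetails?: { requestPackageName?: string; timestampMillis?: string; nonce?: string };
  appIntegrity?: { appRecognitionVerdict?: string };
  deviceIntegrity?: { deviceRecognitionVerdict?: string[] };
}

interface Policy {
  packageName: string;       // from server configuration, never from the request
  maxAgeMs: number;          // oldest token the server accepts
  issuedNonces: Set<string>; // nonces handed out by this server and not yet redeemed
}

// Returns the names of the failed checks; an empty array means the verdict passes.
function evaluateVerdict(v: DecodedVerdict, policy: Policy, nowMs: number): string[] {
  const failures: string[] = [];
  const req = v.requestDetails;

  if (req?.requestPackageName !== policy.packageName) failures.push('package');

  // Single use: delete() is true only the first time an issued nonce comes back.
  if (!req?.nonce || !policy.issuedNonces.delete(req.nonce)) failures.push('nonce');

  // Freshness: reject missing, future-dated or too-old timestamps.
  const ts = Number(req?.timestampMillis);
  const age = nowMs - ts;
  if (!Number.isFinite(ts) || age < 0 || age > policy.maxAgeMs) failures.push('freshness');

  if (v.appIntegrity?.appRecognitionVerdict !== 'PLAY_RECOGNIZED') failures.push('app');
  const device = v.deviceIntegrity?.deviceRecognitionVerdict ?? [];
  if (!device.includes('MEETS_DEVICE_INTEGRITY')) failures.push('device');
  return failures;
}

// Constructed sample data, not real API output.
const NOW = 1700000060000;
const NONCE = 'c2FtcGxlLW5vbmNlLTAwMDE';
const sample: DecodedVerdict = {
  requestDetails: { requestPackageName: 'com.example.myapp', timestampMillis: '1700000000000', nonce: NONCE },
  appIntegrity: { appRecognitionVerdict: 'PLAY_RECOGNIZED' },
  deviceIntegrity: { deviceRecognitionVerdict: ['MEETS_DEVICE_INTEGRITY'] },
};

function demo(): string[][] {
  const policy: Policy = { packageName: 'com.example.myapp', maxAgeMs: 120000, issuedNonces: new Set([NONCE]) };
  const first = evaluateVerdict(sample, policy, NOW);  // accepted
  const replay = evaluateVerdict(sample, policy, NOW); // same token again: nonce already redeemed
  const stale = evaluateVerdict(sample, { ...policy, issuedNonces: new Set([NONCE]) }, NOW + 600000);
  return [first, replay, stale];
}
```

In a multi-instance deployment the nonce set would live in a shared store with an expiry, so that a nonce redeemed on one server cannot be replayed against another.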

License

MIT

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.