Keys and secrets
- Project secret (private): sent via header to PushWave backend (once API is available).
- Project API key (public): used by the client SDK.
- Google: no API key needed to decode Play Integrity; PushWave uses its own service account + OAuth.
- iOS `.p8`: stored encrypted at rest; metadata (`teamId`, `keyId`, `bundleId`) stored in clear.
Transport
- Always use HTTPS. Never log secrets or `.p8`.
- The SDK may log extra debug info in `__DEV__`; avoid shipping verbose logs to production.
Attestation storage
- Android: store `packageName`, SHA-256 certs, and attestation verdicts. No Google API key required.
- iOS: store encrypted `.p8` + metadata.
Operational notes
- Rotate secrets if you suspect exposure (project secret, `.p8`).
- Keep all signing cert fingerprints up to date (Play signing + upload/rotation).
- If you change the GCP project used for Play Integrity, update the cloud project number served to the SDK.