appAttest Start in sandbox

Runtime delivery for iOS secrets

Ship the app.
Not the keys.

Your iOS app fetches secrets from appAttest at runtime. They land in Keychain. They never ship in your binary.

Start in sandbox Get started

One line. AppAttest.start(). Your keys land in Keychain when Apple says it's really your app.

The default

Your keys end up inside your app binary.

Drop them in Info.plist, hard-code them in a Swift file, embed them via build settings — the result is the same. Anyone with the IPA and ten minutes can read them out.

Info.plist · today
<key>OpenAIAPIKey</key>
<string>sk-proj-abc123xyz...</string>
<key>StripePublishableKey</key>
<string>pk_live_51HqX...</string>

Shipped to every install. Same value in every copy.

Info.plist · with appAttest
<!-- no secrets here -->
<!-- they arrive at runtime, attested -->

Binary ships clean. Keys land in Keychain after Apple verifies the install.

Positioning

Not a vault. Not a secrets manager. Not a platform.

  • Not a place to centralize every secret your company owns.
  • Not a stack you adopt instead of your existing infrastructure.
  • Not a framework that wants to manage your networking, your auth, your storage.
  • Is a runtime channel from your dashboard to the device, gated by App Attest, that lands a few keys in Keychain.

How it works

One call. One read. One state.

  1. 01Start
    AppAttest.start()

    One synchronous call in your @main. Apple proves the binary is yours; the SDK syncs your secrets and persists them in Keychain.

  2. 02Read
    AppAttest.secrets["OPENAI_API_KEY"]

    Synchronous subscript. After the first launch, secrets load from Keychain before the first frame — no async / await on the hot path.

  3. 03State
    switch AppAttest.state { /* … */ }

    Observable state — ready, sandboxBlocked, paymentRequired, failed. SwiftUI re-renders. No throwing on the read path.

Show full @main 
import SwiftUI
import AppAttest

@main
struct MyApp: App {
    init() { AppAttest.start() }

    var body: some Scene {
        WindowGroup { ContentView() }
    }
}

struct ContentView: View {
    var body: some View {
        if let key = AppAttest.secrets["OPENAI_API_KEY"] {
            Text("Ready")
        } else {
            ProgressView("Loading…")
        }
    }
}

What developers ship today

  • API keys in Info.plist, source files, or build settings.
  • Same value in every install. Rotate the key, ship a new build.
  • Anyone with the IPA can read them.

What appAttest changes

  • The binary contains no secrets. It contains a function that asks for them.
  • Apple proves the binary is yours, on real hardware, before any key is released.
  • Keys live in the iOS Keychain, scoped to your app and the device that attested.

Give every real install the keys it needs. Give the binary nothing.

Start in sandbox Read docs

Sandbox runs indefinitely. Production starts when you subscribe a project.

For AI agents — this page is available as markdown:
View markdown