Approov validates that requests reaching your backend originate from trusted builds of your mobile apps. This quickstart demonstrates how to enforce Approov tokens in ASP.NET 8, optionally add token binding, and verify HTTP message signatures produced by the Approov SDK.
The sample backend that accompanies this guide lives at servers/hello/src/approov-protected-server/token-check. It exposes minimal endpoints that illustrate each protection layer:
- `/token` returns `Good Token` after validating the Approov token.
- `/token_binding` echoes `Good Token Binding` when the configured headers hash to the `pay` claim.
- `/ipk_message_sign_test` and `/ipk_test` generate deterministic signatures and validate installation public keys for local testing.
An unprotected reference backend lives at servers/hello/src/unprotected-server so you can compare behaviour with and without Approov.
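The two checks behind `/token` and `/token_binding`, written out as an added example (this is not the sample server's own code). It assumes the `System.IdentityModel.Tokens.Jwt` NuGet package, that the Approov token arrives in an `Approov-Token` header, and that `Authorization` is the header bound into the `pay` claim; the middleware that calls these helpers is left to the reader.

```csharp
// Added example, not the sample server's code. Assumes the
// System.IdentityModel.Tokens.Jwt package; the bound header (Authorization)
// and the Approov-Token header name are assumptions for illustration.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class ApproovChecks
{
    private static readonly JwtSecurityTokenHandler Handler = new();

    // Validates the Approov-Token header value (an HS256 JWT) against the
    // base64 account secret from `approov secret -get base64`.
    // Returns the parsed token, or null when validation fails.
    public static JwtSecurityToken? ValidateToken(string token, string base64Secret)
    {
        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(base64Secret)),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin HS256, reject "none"/RS*
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = true,          // depends on an accurate backend clock (see NTP note)
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromSeconds(30)
        };
        try
        {
            Handler.ValidateToken(token, parameters, out var validated);
            return validated as JwtSecurityToken;
        }
        catch (Exception ex) when (ex is SecurityTokenException or ArgumentException)
        {
            return null; // expired, bad signature, wrong algorithm, or malformed token
        }
    }

    // Token binding: the `pay` claim carries base64(SHA-256(bound header value)).
    // When binding is enforced, a missing `pay` claim is a failure, not a pass.
    public static bool CheckTokenBinding(JwtSecurityToken jwt, string? boundHeaderValue, bool bindingRequired)
    {
        var pay = jwt.Claims.FirstOrDefault(c => c.Type == "pay")?.Value;
        if (pay is null) return !bindingRequired;
        if (boundHeaderValue is null) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(pay); } catch (FormatException) { return false; }
        var expected = SHA256.HashData(Encoding.UTF8.GetBytes(boundHeaderValue));
        return CryptographicOperations.FixedTimeEquals(expected, presented); // constant-time compare
    }
}
```

Call `ValidateToken` on every request to a protected route and respond with 401 when it returns null or when `CheckTokenBinding` is false; the `bindingRequired` flag corresponds to the optional token-binding variable in `.env`.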
- .NET 8 SDK for building/running the samples.
- Approov CLI with an account that can manage API domains and secrets.
- An API domain registered with Approov: `approov api -add your.api.domain.com`.
- The account secret exported in base64 form. Enable the admin role (`` eval `approov role admin` `` on Unix shells or `set APPROOV_ROLE=admin:` in PowerShell) and run `approov secret -get base64`.
When using symmetric signing (HS256) you must keep the secret confidential. Approov also supports asymmetric keys; see Managing Key Sets for guidance.
- Copy the environment template and add your secret:

  ```
  cp servers/hello/src/approov-protected-server/token-check/.env.example \
     servers/hello/src/approov-protected-server/token-check/.env
  ```

  Edit `.env` and set `APPROOV_BASE64_SECRET` to the value returned by `approov secret -get base64`. The optional variables in that file enable token binding and message signature policy enforcement.

- Run the sample APIs with the local .NET SDK:

  ```
  ./scripts/run-local.sh all
  ```

  The script launches the unprotected server on `8001` and the Approov-protected server on `8111`. Press `Ctrl+C` to stop both. Launch a single backend with `./scripts/run-local.sh token-check`.

- Exercise the protections using the helper scripts:

  ```
  ./test-scripts/request_tests_approov_msg.sh 8111
  ./test-scripts/request_tests_sfv.sh 8111
  ```

  These scripts cover token validation, token binding, canonical message reconstruction, and signature verification.
Follow the detailed quickstarts to bring the same protections into your own API:
- Token validation quickstart - integrate the middleware that enforces Approov tokens.
- Token binding quickstart - bind Approov tokens to request headers such as `Authorization`.
- Message signing quickstart - verify HTTP message signatures using the installation public key included in the Approov token.
Each guide includes package requirements, configuration snippets, and testing instructions that match the code in this repository.
- TESTING.md summarises manual and automated test options, including how to use the published dummy secret for local verification.
- EXAMPLES.md explains the sample server layout and optional Docker workflow.
- Run unit tests for the helper components with `dotnet test tests/Hello.Tests/Hello.Tests.csproj`.
Keep the backend clock synchronised with an authoritative time source (for example via NTP). Accurate clocks are essential when checking JWT expiry times and HTTP message signature lifetimes.
Report problems or request enhancements via GitHub issues. Include reproduction steps so we can assist quickly.