Sessionless approach
In the sessionless approach, the Attestation API is not involved in nonce generation at all.
The RP produces the final nonce on its own, and the API is called only once, to verify the attestation token.
Although how nonces are generated is entirely up to the RP, the nonce should not be plain data, because it is sent to the Attestation API. It should be either random data or a hash of the RP's data.
Properties:
- The RP is fully responsible for nonce uniqueness, entropy, and replay protection. The Attestation API will not detect reuse.
- Only one Attestation API call per attestation (verify).
- The RP must persist the expected nonce between issuing it and verifying it.
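The following is an added example, not code from the original page or from any Attestation API implementation, of how an RP can meet these three properties on its own side: it issues either a random nonce or a salted hash of RP-internal context (so the plain data never reaches the Attestation API), persists the nonce with its issue time, and consumes it exactly once at verification so that a replayed token is rejected. The in-memory store, the `ttl_seconds` value, the `"nonce"` claim name and the `verified_claims` dictionary (standing in for whatever the real Attestation API returns after a successful verify call) are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Optional


class NonceStore:
    """RP-side nonce lifecycle for the sessionless approach.

    The Attestation API never sees this store; it only verifies tokens.
    Uniqueness, entropy, expiry and single use are all enforced here.
    """

    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        # nonce -> (issued_at, rp_context); assumed in-memory store,
        # a production RP would back this with shared storage and a TTL.
        self._pending: dict[str, tuple[float, Optional[bytes]]] = {}
        self._consumed: set[str] = set()

    def issue(self, now: float, context: Optional[bytes] = None) -> str:
        """Create a nonce and remember it as pending.

        With no context the nonce is 256 bits of CSPRNG output. With a
        context (RP-internal data that must not leave the RP) the nonce is
        SHA-256 over a random salt and the context, so the API only ever
        receives a digest, and equal contexts still yield distinct nonces.
        """
        if context is None:
            nonce = secrets.token_urlsafe(32)
        else:
            salt = secrets.token_bytes(16)
            nonce = hashlib.sha256(salt + context).hexdigest()
        self._pending[nonce] = (now, context)
        return nonce

    def consume(self, nonce: str, now: float) -> tuple[str, Optional[bytes]]:
        """Consume a nonce exactly once.

        Returns (status, context) where status is one of
        "ok", "unknown", "expired", "replayed".
        """
        if nonce in self._consumed:
            return "replayed", None
        record = self._pending.pop(nonce, None)
        if record is None:
            return "unknown", None
        # Mark consumed even if expired, so a late token cannot be retried.
        self._consumed.add(nonce)
        issued_at, context = record
        if now - issued_at > self.ttl:
            return "expired", None
        return "ok", context


def check_verified_token(verified_claims: dict, store: NonceStore, now: float) -> str:
    """Apply the RP's nonce policy to claims returned by the Attestation API.

    `verified_claims` is assumed to be the claim set the API hands back after
    its single verify call; only the "nonce" claim is inspected here.
    """
    nonce = verified_claims.get("nonce")
    if not isinstance(nonce, str) or not nonce:
        return "missing_nonce"
    status, _context = store.consume(nonce, now)
    return status


if __name__ == "__main__":
    store = NonceStore(ttl_seconds=300)
    n = store.issue(now=1000.0, context=b"order-42;user-7")  # constructed context
    print(check_verified_token({"nonce": n}, store, now=1010.0))  # first use
    print(check_verified_token({"nonce": n}, store, now=1011.0))  # replay
```

The `now` parameter is injected rather than read from the clock so that expiry behaviour is deterministic and testable; the RP would pass `time.time()` at each call.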