Service info
Returns the health status and metadata of the Attestation API and each of its components. Intended for support and monitoring use — not part of the Relying Party integration.
GET /api/info
Authentication
The endpoint is anonymous. No X-Api-Key is required, and no client identity is recorded. Operators are expected to gate access at the network layer (e.g. restrict the path to internal monitoring infrastructure) rather than rely on application-level auth.
Request
No request body, no query parameters, no headers beyond standard HTTP.
curl https://attestation.example.com/api/info \
--header 'Accept: application/json'
Response
The endpoint always returns 200 OK as long as the request reaches the API process. Component-level failures are reported in the response body, not as HTTP errors — a monitoring system can scrape this endpoint without distinguishing transport-level failures from validator-level degradation.
{
"serviceName": "Mobile Attestation API",
"serviceVersion": "1.4.2+build.318",
"overallStatus": "Healthy",
"components": [
{
"name": "database",
"status": "Healthy"
},
{
"name": "google-play-integrity-api",
"status": "Healthy"
},
{
"name": "google-apk-signing-certificates",
"status": "Healthy"
}
],
"checkedAt": "2026-05-07T12:34:56.789Z"
}
{
"serviceName": "Mobile Attestation API",
"serviceVersion": "1.4.2+build.318",
"overallStatus": "Degraded",
"components": [
{
"name": "database",
"status": "Healthy"
},
{
"name": "google-play-integrity-api",
"status": "Degraded",
"error": "Google Play Integrity API partially unavailable"
},
{
"name": "google-apk-signing-certificates",
"status": "Degraded",
"error": "One or more packages have missing, expired, or expiring APK signing certificates"
}
],
"checkedAt": "2026-05-07T12:34:56.789Z"
}
Top-level fields
| Field | Type | Description |
|---|---|---|
| serviceName | string | Constant identifier of the service. Currently "Mobile Attestation API". |
| serviceVersion | string \| null | Informational version of the running API assembly (e.g. semantic version + build metadata). May be null if the assembly was built without version metadata. |
| overallStatus | string | Aggregate of all component statuses. See Status aggregation. |
| components | array | One entry per registered component health check. See Component object. |
| checkedAt | string (ISO 8601, UTC) | Timestamp at which the checks were executed. |
Component object
| Field | Type | Description |
|---|---|---|
| name | string | Stable component identifier in lowercase kebab-case (e.g. "database", "google-play-integrity-api"). Suitable for use as a metric label. |
| status | string | One of "Healthy", "Degraded", "Unhealthy". |
| version | string \| null | Optional component version. Omitted when not applicable. |
| licenseExpiresAt | string (ISO 8601 date) \| null | Optional license expiry date. Omitted when not applicable. |
| details | object \| null | Optional free-form metadata about the check (e.g. { "state": "No packages configured" }). Keys and values are component-specific and should not be parsed for control flow. |
| error | string \| null | Coarse, public-facing error description when the component is Degraded or Unhealthy. Specific failure reasons are recorded in server-side logs only. Omitted when the component is Healthy. |
Fields that are null are omitted from the response.
Status aggregation
overallStatus is derived from the individual component statuses:
- Unhealthy if any component is Unhealthy.
- otherwise Degraded if any component is Degraded.
- otherwise Healthy.
A monitoring system that only consumes overallStatus will alert correctly without needing to understand individual components. Alerts that need to attribute the cause should also inspect components[].
Components
The set of components is determined by which validators are enabled in the deployment. The current build registers the following:
database
Verifies that the API can execute a trivial query against the attestation database.
- Healthy — query succeeded.
- Unhealthy — query failed (connectivity, auth, schema, etc.).
google-play-integrity-api
Verifies that the API can acquire a Google access token for each configured package that uses the Standard Play Integrity flow.
- Healthy — token acquisition succeeded for every configured Standard package, or no packages are configured for Standard attestation (details.state reports the latter).
- Degraded — token acquisition failed for some, but not all, configured packages.
- Unhealthy — token acquisition failed for all configured Standard packages (Google API likely unreachable, or all credentials are invalid).
Packages configured only for the Classic flow are not checked.
google-apk-signing-certificates
Verifies that each configured Google package has at least one APK signing certificate, and that none are expired or close to expiring.
- Healthy — every configured package has at least one certificate, none are expired, and the earliest expiry per package is more than 30 days away.
- Degraded — at least one package is missing certificates, has an expired certificate, or has a certificate expiring within 30 days, but not all packages are in that state.
- Unhealthy — every configured package is either missing certificates or has only expired certificates.
The 30-day warning window is fixed in the current build.
Operational guidance
- Polling cadence. Each scrape executes all component checks, including outbound calls to Google. A polling interval of 30–60 seconds is typically sufficient. Sub-second polling is wasteful.
- Alerting. Alert on overallStatus != "Healthy" for the simplest setup. For finer signals, alert per components[].status so that, for example, an expiring APK certificate (Degraded on google-apk-signing-certificates) pages a different team than a database outage (Unhealthy on database).
- Exposure. Because the endpoint is anonymous, do not expose it on the same public ingress as the Relying Party API without ACLs. Restrict it to internal monitoring networks.
- Stability of names. Component name values are stable and safe to use as metric labels. Free-form details keys and error strings are not part of the contract and may change between releases.
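
The following monitoring-side evaluator is an added example, not code from the Attestation API or its vendor. It applies the aggregation rule and the alerting guidance above to one scrape of /api/info. The `evaluate` function, the route names, the 5-minute staleness threshold, and the cross-check of overallStatus against the recomputed value are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

SEVERITY = {"Healthy": 0, "Degraded": 1, "Unhealthy": 2}
# Hypothetical alert routes, keyed on the stable component names from this page.
ROUTES = {"database": "dba-oncall", "google-apk-signing-certificates": "mobile-release"}
DEFAULT_ROUTE = "platform-oncall"

def evaluate(http_status, body, now, max_age=timedelta(minutes=5)):
    """Turn one scrape of /api/info into a list of (route, severity, reason)."""
    if http_status != 200:
        # Component failures never change the HTTP status, so a non-200 here
        # is a transport or process failure, not validator degradation.
        return [(DEFAULT_ROUTE, "Unhealthy", f"transport: HTTP {http_status}")]
    try:
        doc = json.loads(body)
        checked = datetime.fromisoformat(doc["checkedAt"].replace("Z", "+00:00"))
        stale = now - checked > max_age   # assumed threshold, not from the API
        comps = [(str(c["name"]), str(c["status"]), str(c.get("error", "")))
                 for c in doc["components"]]
        reported = str(doc["overallStatus"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return [(DEFAULT_ROUTE, "Unhealthy", "malformed /api/info body")]
    alerts, worst = [], "Healthy"
    for name, status, error in comps:
        if status not in SEVERITY:
            status = "Unhealthy"          # unknown status value: fail closed
        worst = max(worst, status, key=SEVERITY.get)
        if status != "Healthy":
            # Route on name and status only; error text is carried for humans.
            alerts.append((ROUTES.get(name, DEFAULT_ROUTE), status, f"{name}: {error}"))
    if reported != worst:
        alerts.append((DEFAULT_ROUTE, "Unhealthy",
                       f"overallStatus {reported} but components say {worst}"))
    if stale:
        alerts.append((DEFAULT_ROUTE, "Degraded", "stale checkedAt (cached response?)"))
    return alerts

# Constructed sample, abridged from the Degraded response shown on this page.
SAMPLE = json.dumps({
    "overallStatus": "Degraded", "checkedAt": "2026-05-07T12:34:56.789Z",
    "components": [
        {"name": "database", "status": "Healthy"},
        {"name": "google-apk-signing-certificates", "status": "Degraded",
         "error": "One or more packages have missing, expired, or expiring APK signing certificates"}]})

if __name__ == "__main__":
    print(evaluate(200, SAMPLE, datetime(2026, 5, 7, 12, 35, tzinfo=timezone.utc)))
```

Routing reads only name and status; the error string is passed through for the on-call engineer and never branched on, in line with the stability note above.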