Questions About App Attestation Rate Limiting and AppID-Level Quotas

I’m looking for clarification on how rate limiting works for the App Attest service, especially in production environments. According to the entitlement documentation (https://developer.apple.com/documentation/BundleResources/Entitlements/com.apple.developer.devicecheck.appattest-environment), iOS ignores the environment setting once an app is distributed through TestFlight, the App Store, or Enterprise distribution, and always contacts the production App Attest endpoint.

With that context, I have two questions:

  1. Rate‑Limiting Thresholds

How exactly does rate limiting work for App Attest? Is there a defined threshold beyond which attestation requests begin to fail? The "Preparing to Use the App Attest Service" documentation (https://developer.apple.com/documentation/devicecheck/preparing-to-use-the-app-attest-service) recommends ramping up no more than 10 million users per day per app, but I’m trying to understand what practical limits or failure conditions developers should expect.

  2. Per‑AppID Budgeting

If multiple apps have different App IDs, do they each receive their own independent attestation budget/rate limit? Or is the rate limiting shared across all apps under the same developer account?

There is not a single number above which you will start getting errors. We recommend 10MM users a day, and keep it under 100 attestation calls a second, but that does not mean at call #101 or user 10MM and 1 you will get errors.

Depending on the load on the servers, and various system conditions, a bit more or a bit less could be possible. So, the key is to handle failures gracefully and pull back on your requests, once the calls start getting errors.

Similarly, if you have multiple apps you have decided to onboard to AppAttest at the same time, while technically you could be under the limit, you would be straining a shared resource. Sometimes, even if your attestation calls do not get errors due to rate limiting, you could hear from Apple with a request to slow down your calls. If feasible for your case, you could stagger the launches of the versions with AppAttest instead of throwing everything in the pool on the same day.

This is usually (and hopefully) a one-time problem when your app is onboarding. You need to make the attestation call only once per installation of the app. After that, unless you are blessed with 10 million new users a day, this should not be an ongoing problem.
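
One way to implement the pull-back and staggered onboarding described in the answer above, as an added example that is not part of the original thread and not Apple's code. The `rolloutPercent` value (published by your own server), the `UserDefaults` keys, and the choice of `DCError.serverUnavailable` as the retry signal are assumptions; the thread does not say which error a throttled call returns.

```swift
import CryptoKit
import DeviceCheck
import Foundation

enum AttestOutcome { case attested(keyId: String, attestation: Data), alreadyDone, deferred, unsupported }

// Hypothetical ramp gate: each install draws a stable bucket 0..<100 and attests only
// when the server-published rollout percentage has reached it.
func inRollout(percent: Int, defaults: UserDefaults = .standard) -> Bool {
    let slot = "attest.bucket"                    // assumed storage key
    if defaults.object(forKey: slot) == nil { defaults.set(Int.random(in: 0..<100), forKey: slot) }
    return defaults.integer(forKey: slot) < percent
}

// One attestation per install. The caller sets "attest.done" (assumed key) only after
// its own server has verified the attestation object.
func attestOnce(challenge: Data, rolloutPercent: Int, maxAttempts: Int = 5) async -> AttestOutcome {
    let service = DCAppAttestService.shared
    let defaults = UserDefaults.standard
    guard service.isSupported else { return .unsupported }
    if defaults.bool(forKey: "attest.done") { return .alreadyDone }
    guard inRollout(percent: rolloutPercent) else { return .deferred }

    let keySlot = "attest.keyId"                  // assumed storage key
    let hash = Data(SHA256.hash(data: challenge)) // challenge is issued by your server
    for attempt in 0..<maxAttempts {
        do {
            // Reuse the same key across retries instead of generating a new one each time.
            let keyId: String
            if let saved = defaults.string(forKey: keySlot) {
                keyId = saved
            } else {
                keyId = try await service.generateKey()
                defaults.set(keyId, forKey: keySlot)
            }
            let attestation = try await service.attestKey(keyId, clientDataHash: hash)
            return .attested(keyId: keyId, attestation: attestation)
        } catch let error as DCError where error.code == .serverUnavailable {
            // Pull back: ceiling doubles from 2 s up to 5 min; full jitter spreads retries.
            let ceiling = min(300.0, 2.0 * pow(2.0, Double(attempt)))
            try? await Task.sleep(nanoseconds: UInt64(Double.random(in: 0...ceiling) * 1e9))
        } catch {
            // Any other error: discard the key and start fresh on a later launch.
            defaults.removeObject(forKey: keySlot)
            return .deferred
        }
    }
    return .deferred                              // still failing: stop until next launch
}
```

Raising `rolloutPercent` in steps over several days spreads first-time attestations across the fleet, and a `.deferred` result leaves the app running without attestation until a later launch.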
