My understanding from the App Attest wwdc session is that we store attestation keys in keychain on a per-user basis. For apps that don't require user login, I'm thinking of using StoreKit's AppTransactionID [1] as the identifier to discriminate keys. Do you have opinions on whether this is a valid pattern?
[1] https://developer.apple.com/documentation/storekit/apptransaction/apptransactionid
It is possible, but obviously an off-label use that might catch you with some gotchas.
Also depends on which StoreKit version you are using. In StoreKit 1, this would be limited to only certain type of transactions (non-consumables, for example). StoreKit 2 will let you access the original transaction in your database.
But the best would be to ask this question in the upcoming StoreKit Q&A tomorrow (June 11, 2026), and they would be able to answer if this sort of use is viable, and perhaps they can suggest a different pattern.
