Java
Server→server Background-Check attest (appraise client evidence with your rh_sk_ secret key, get the verdict directly) plus offline token verification, from any JVM service. Java 17+. Spring Boot 3 auto-configures via @RootHeraldGuard.
This SDK is implemented but not yet published to its package registry. Until it ships, mint attestation tokens on the device and verify them server-side with @rootherald/node (or any available server SDK). The API shown below is the planned surface and may change before release.
Install
<!-- Maven -->
<dependency>
<groupId>io.rootherald</groupId>
<artifactId>rootherald-core</artifactId>
<version>0.1.0</version>
</dependency>
<dependency>
<groupId>io.rootherald</groupId>
<artifactId>rootherald-spring</artifactId>
<version>0.1.0</version>
</dependency>// Gradle (Kotlin DSL)
implementation("io.rootherald:rootherald-core:0.1.0")
implementation("io.rootherald:rootherald-spring:0.1.0")Verify a token
Five lines to validate signature, issuer, audience and exp against the JWKS.
var verifier = AttestationTokenVerifier.builder()
.issuer("https://rootherald.io/myorg")
.audience("my-app")
.jwksUri("https://rootherald.io/myorg/.well-known/jwks.json")
.build();
AttestationClaims claims = verifier.verify(token);Spring Boot integration
Add the starter, annotate the protected handler, and Spring Boot wires the filter for you. Configuration lives in application.yml:
rootherald:
issuer: https://rootherald.io/myorg
audience: my-app
base-uri: https://rootherald.io
mode: offline # 'online' to call the verifier per request@PostMapping("/signup")
@RootHeraldGuard(action = "signup")
public ResponseEntity<?> signup(HttpServletRequest req) {
var claims = (AttestationClaims) req.getAttribute(RootHeraldGuardFilter.CLAIMS_ATTRIBUTE);
return ResponseEntity.ok(Map.of("device", claims.subject()));
}Errors
try {
verifier.verify(token);
} catch (TokenExpiredException e) {
// 401 — client should refresh attestation
} catch (RootHeraldException e) {
// 401/403 — log e.getMessage() for diagnostics
}TokenExpiredException— attestation aged out; ask the client to re-attest.RootHeraldException— catch-all base class for every other validation failure.
Sample
A runnable Spring Boot demo lives at RootHerald/sdk-java.