Skip to content
SDKs · JavaIn developmentView source

Java

Server→server Background-Check attest (appraise client evidence with your rh_sk_ secret key, get the verdict directly) plus offline token verification, from any JVM service. Java 17+. Spring Boot 3 auto-configures via @RootHeraldGuard.

In development

This SDK is implemented but not yet published to its package registry. Until it ships, mint attestation tokens on the device and verify them server-side with @rootherald/node (or any available server SDK). The API shown below is the planned surface and may change before release.

Install

<!-- Maven -->
<dependency>
  <groupId>io.rootherald</groupId>
  <artifactId>rootherald-core</artifactId>
  <version>0.1.0</version>
</dependency>
<dependency>
  <groupId>io.rootherald</groupId>
  <artifactId>rootherald-spring</artifactId>
  <version>0.1.0</version>
</dependency>
// Gradle (Kotlin DSL)
implementation("io.rootherald:rootherald-core:0.1.0")
implementation("io.rootherald:rootherald-spring:0.1.0")

Verify a token

Five lines to validate signature, issuer, audience and exp against the JWKS.

var verifier = AttestationTokenVerifier.builder()
    .issuer("https://rootherald.io/myorg")
    .audience("my-app")
    .jwksUri("https://rootherald.io/myorg/.well-known/jwks.json")
    .build();
AttestationClaims claims = verifier.verify(token);

Spring Boot integration

Add the starter, annotate the protected handler, and Spring Boot wires the filter for you. Configuration lives in application.yml:

rootherald:
  issuer: https://rootherald.io/myorg
  audience: my-app
  base-uri: https://rootherald.io
  mode: offline   # 'online' to call the verifier per request
@PostMapping("/signup")
@RootHeraldGuard(action = "signup")
public ResponseEntity<?> signup(HttpServletRequest req) {
    var claims = (AttestationClaims) req.getAttribute(RootHeraldGuardFilter.CLAIMS_ATTRIBUTE);
    return ResponseEntity.ok(Map.of("device", claims.subject()));
}

Errors

try {
    verifier.verify(token);
} catch (TokenExpiredException e) {
    // 401 — client should refresh attestation
} catch (RootHeraldException e) {
    // 401/403 — log e.getMessage() for diagnostics
}
  • TokenExpiredException — attestation aged out; ask the client to re-attest.
  • RootHeraldException — catch-all base class for every other validation failure.

Sample

A runnable Spring Boot demo lives at RootHerald/sdk-java.