Managing your Approov Subscription

This section outlines the facilities that you have for managing your Approov subscription and outlines the Approov update procedure adopted by CriticalBlue.

The Approov Portals

Three portals are provided to manage your Approov service.

The Approov Admin Portal

You can reach your admin portal via the link that was provided to you separately by email after you signed up for Approov. The admin portal allows you and your team to:

  • Download the Approov integration tools archive
  • Create and Download Approov client libraries for your chosen client architecture.
  • View a list of all app versions that have been registered with the Approov cloud service.
  • Manage your subscription to the Approov Failover service.
  • Access usage statistics and charts for your Approov enabled apps including
    • Total daily and monthly devices seen over time.
    • Device rejection rates.
    • Historical monthly devices over time.
    • Volume of rooted devices detected.
    • Volume and nature of Frameworks detected (Xposed, Frida, Cydia etc)

Portal access is not required for the server-side changes, however, you will need to download the required components from your admin portal before you are able to integrate Approov with your app.

The admin portal works with all up-to-date platforms with Firefox, Safari, Chrome or Edge browsers. Minimum supported versions are listed below.

  • Ubuntu 16.04
    • Firefox 47
    • Google Chrome 50.0.2661.102
  • Windows 10, Windows 8.1, Windows 7
    • Microsoft Edge 25.10586.0.0
    • Google Chrome 52.0.2743.116
    • Internet Explorer 11 version 11.0.9600.18427
  • OS X - El Capitan
    • Firefox 48

The Approov Ticket-based Support Portal

You can reach the portal here:

Sign up for an account or use an existing Google account.

The Support Portal is only for technical enquiries. We strive to reply within the time frame stipulated for your level of service.

The Approov Subscription Portal

You can reach the portal here:

If you are a new customer, you can request a new sign-up link at the bottom of the portal page, otherwise use your credentials to log in.

The Subscription Portal allows you to change your subscription plan, update your payment details, terminate your subscription, etc. For further sales-related enquiries, please contact us at

Approov Service Updates

CriticalBlue continuously monitor the Approov service, looking for ways to improve its security, performance and features.

  • CriticalBlue will contact you immediately should the need arise to update a service component.
  • CriticalBlue will automatically update all components that will not affect the current operation of the service.
  • In the unlikely event that service downtime is required in order to perform critical updates to any components, you will be informed immediately and the maintenance time and date will be arranged with your consent. Please note that delaying an Approov service update deemed critical by CriticalBlue may cause loss of authentication service or a state of lowered security. In particular, if the client app authentication library needs to be updated, CriticalBlue will work with you to ensure the smooth transition to a new Approov-authenticated version of your app.

Approov Failover Service

The Approov Failover service is provided by CriticalBlue as a backup system in the event that any point of the Approov attestation service should fail or be unreachable for any reason. The Failover service can provide valid tokens in the unlikely event that there is an interruption to the main attestation service. The Approov healthcheck service (see Monitoring Service Health) continuously monitors the health of the attestation service and the Failover service, if enabled, activates when the healthcheck detects a failure. Handling failures in this way allows your service to continue uninterrupted, with no changes to your production servers, but while the Failover service is active no attesation will be performed. If automatic Failover is disabled when the attestation service is unhealthy then no valid tokens will be provided.

Your production servers should not check the issuer claim as a way of filtering out all Failover tokens. Instead, it is possible, though not recommended, to deactivate the Failover service for all of your applications by visiting the “Settings” page of your Approov Admin Portal and selecting “Automatic Failover Disabled” in the “Failover” drop down. The service can also be reactivated by changing the drop down selection to “Automatic Failover Enabled”. In the event of the Approov Admin Portal being unavailable, the Failover service can be activated be contacting CriticalBlue directly.

It is possible to check if a token was generated by the Failover service by checking if the token’s issuer claim is present and set to “Failover”. This can be used to detect when tokens from the Failover service are being received by your servers. It is highly recommended that this should not be used as a way to filter out Failover tokens from your servers. If you do not wish to receive Failover tokens, the above opt-out mechanism should be used instead. This will result in simpler, cleaner code that is easier to test and maintain.

In the event that logging Failover tokens is necessary, the following code is an example of how this may be achieved (where SECRET is the secret used for signing tokens):

tokenContents = jwt.decode(token, base64.b64decode(SECRET), algorithms=['HS256'])
    issuer = (tokenContents['iss'])
    if issuer == "Failover":
        # This is a Failover token - log this with your favourite logging package
    # otherwise continue with no extra work
    # No issuer given - this is not a Failover token