Securing Expo Apps with Approov for React Native

Expo has become one of the fastest ways to build, test, and ship React Native apps. It gives developers a smooth workflow, a rich ecosystem of tools, and a path from prototype to production without having to manage every detail of native iOS and Android development.

But as soon as an Expo app starts calling backend APIs, there is an important security question to answer:

How does your backend know that an API request really came from your genuine app, running in a trustworthy environment?

Authentication can tell you who the user is. TLS can protect data in transit. But neither one proves that the request came from your unmodified mobile app rather than a bot, script, emulator, repackaged build, or automated abuse tool.

That is where Approov fits.

What Approov adds to an Expo app

Approov provides mobile app attestation for React Native apps. When added to an Expo React Native app, Approov can attach short-lived, cryptographically signed tokens to protected API requests and your backend can verify those tokens before serving sensitive functionality. This protects the connection between the mobile app and your backend APIs.

At a high level, the flow looks like this:

  1. The Expo app initializes Approov when the app starts.
  2. The app makes API requests using standard React Native networking.
  3. Approov adds an attestation token to requests for protected API domains.
  4. Your backend verifies the Approov token.
  5. Requests without a valid token can be rejected before they reach sensitive business logic.

To add Approov, you do not need to rethink the entire API layer just to get started. You can keep your existing React Native networking approach and implement Approov to add protection where it matters.

Getting started

To add Approov to an Expo app, start with the React Native quickstart. The Approov React Native quickstart contains the current commands, code examples, setup details, and troubleshooting guidance.

The quickstart walks through the full setup, including the compatibility check, package installation, ApproovProvider initialization, API protection, app signing certificates, backend token verification, and optional secrets protection.

Here is the implementation journey in detail.

1. Start with an Expo development build

Because Approov depends on native modules, developers should first make sure their Expo app is using a development build rather than Expo Go. Approov cannot be added to apps built using Expo Go. Expo’s docs explain that Expo Go cannot be changed after installation and only includes native APIs and libraries that were bundled into Expo Go itself. A development build gives the app its own native runtime and supports custom native libraries. 

This is the first Expo-specific decision point: before integrating Approov, move the app to a development build workflow if it is still Expo Go-only.

2. Run the Approov compatibility check

The React Native quickstart includes a compatibility check command that developers can run from the root of their app. This check reports issues that need to be fixed before integration, such as platform version requirements or required Android permissions. 

This is a useful early step because it gives developers a clear view of what needs to change before they add the Approov package.

3. Add the Approov React Native service layer

For Expo projects, the Approov quickstart recommends installing the React Native service package using Expo’s install command:

expo install @approov/approov-service-react-native 

The quickstart also notes that iOS projects need CocoaPods dependencies installed.

After adding a native-code library to an Expo development build, developers should rebuild the development client so the native code is included in the installed app. Expo’s documentation calls this out explicitly for libraries that contain native code APIs. 

4. Initialize Approov in the app

Approov is initialized by wrapping the app with ApproovProvider. The React Native quickstart shows the provider-based setup and the ApproovService import developers use for additional configuration. 

This is the point where Approov becomes part of the app startup flow. Once initialized, network requests can receive Approov tokens or secret substitutions depending on how the developer configures API protection or secrets protection. 

5. Add API domains to Approov

Next, developers tell Approov which API domains should be protected. Once a domain is added, Approov tokens are added automatically to requests for that domain using the default Approov-Token header, unless the developer changes the token header configuration. 

This is where the integration starts protecting real backend traffic.

6. Verify Approov tokens on the backend

Approov token verification belongs on the backend API. The React Native API protection guide recommends this approach when developers control the backend API and can modify it to verify the Approov token. It also points developers to backend API quickstarts for different server-side technologies. 

This distinction is important: adding Approov to the app enables token generation and request protection, but the backend must verify those tokens to enforce the trust decision.

7. Optionally protect app secrets

Many mobile apps still ship API keys, third-party service keys, or other secrets in app code. In Expo apps, developers should be especially careful about placing sensitive information in app config, because Expo documents that most app config is accessible at runtime from JavaScript through Constants.expoConfig; anything put there is effectively public once the app ships.

Approov’s secrets protection flow is designed to address this problem. Instead of building secrets directly into the app, developers can move them into Approov and have them provided at runtime only to apps that pass attestation. The React Native secrets protection guide covers both automatic substitution and explicit secret fetching.
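A defender-side check that follows from the point above, written for this post as an added example rather than taken from Expo or Approov: a small script that walks an Expo app config and flags entries that look like secrets, since everything under the config (including the extra block) is readable through Constants.expoConfig. The sample app.json, the key-name heuristic and the entropy threshold are constructed for the example.

```javascript
// Added example (not from the post, Expo or Approov): flag likely secrets in
// an Expo app config before they ship inside the bundle.
const SECRET_KEY_HINT = /(key|secret|token|password|passwd|credential)/i;
// Paths that are public identifiers even though they sit in config (assumed).
const ALLOWLISTED_PATHS = new Set(['expo.extra.eas.projectId']);

// Shannon entropy in bits per character; random-looking strings score high.
function shannonEntropy(str) {
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / str.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic for values: long and high-entropy, but not a URL (URLs are public
// config, not secrets). Threshold of 3.5 bits/char is a constructed choice.
function looksLikeSecretValue(value) {
  if (typeof value !== 'string') return false;
  if (/^https?:\/\//.test(value)) return false;
  return value.length >= 16 && shannonEntropy(value) >= 3.5;
}

// Recursively walk the config; returns dotted paths of suspicious entries.
function findLikelySecrets(config, path = '') {
  const hits = [];
  if (!config || typeof config !== 'object') return hits;
  for (const [key, value] of Object.entries(config)) {
    const here = path ? `${path}.${key}` : key;
    if (value && typeof value === 'object') {
      hits.push(...findLikelySecrets(value, here));
      continue;
    }
    if (ALLOWLISTED_PATHS.has(here)) continue;
    if (SECRET_KEY_HINT.test(key) || looksLikeSecretValue(value)) hits.push(here);
  }
  return hits;
}

// Constructed app.json for the example; the API key is a made-up value.
const SAMPLE_APP_JSON = {
  expo: {
    name: 'demo',
    slug: 'demo',
    extra: {
      apiBaseUrl: 'https://api.example.com',
      weatherApiKey: 'sk_live_CONSTRUCTED_EXAMPLE_VALUE_1234', // readable by every installed app
      eas: { projectId: '00000000-0000-0000-0000-000000000000' },
    },
  },
};

console.log(findLikelySecrets(SAMPLE_APP_JSON)); // [ 'expo.extra.weatherApiKey' ]
```

Anything this check flags is a candidate for moving into Approov secrets protection, so the value is only handed to an app instance that has passed attestation. The heuristics are deliberately simple; real project identifiers with high entropy will need to be added to the allowlist.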

Why this matters for Expo teams

Expo helps teams move quickly, but API security still has to account for the realities of mobile environments. Attackers can inspect apps, automate requests, replay traffic, run modified builds, and attempt to abuse APIs directly without going through the intended user experience.

Approov gives Expo and React Native teams another signal to enforce on the backend: whether the request came from a genuine, trusted app instance.

That does not replace user authentication or authorization. Developers should still authenticate users, authorize access, and validate every request server-side. Approov complements those controls by helping the backend distinguish legitimate app traffic from untrusted clients.

Ready to protect your Expo app’s API traffic? 

Follow the Approov React Native quickstart and add mobile app attestation to your next development build.