Check Device Compatibility

Note that Rivetz is currently available only on the Android platform. The minimum OS requirement is Android 7.0, API level 24 ("Nougat").

If your device is a Samsung, you also will need to ensure you have the required security policy. Navigate to the Settings → About screen on your device, and verify that the Security Enhancements for Android ("SE For Android Status") is enforcing a policy from July 17th, 2015 or later.

Rivetz Application Installation Overview

It is strongly suggested that if you haven’t done so already, you familiarize yourself with the Rivetz environment by reading the Rivetz Technology Overview document on this website.

In order to develop an application using the Rivetz Toolkit, you must first download and install the Rivetz Adapter and the Trusted Application (TA). Because the Rivetz Adapter, TA and reference applications are all currently in beta, all accounts accessing them through the Google Play Store must be whitelisted by Rivetz. Subsequently, those accounts must opt in to the beta testing program for each Rivetz app.

The installation steps below will walk you through how to join the beta programs, download the Rivetz apps, activate the developer tools and load the TA.

  1. Send a list of developers - including name and an email address that is registered with the Google Play store - to

  2. In a web browser that is logged into the Google Play Store account with the email address submitted above, copy and paste the following link and select “Become a Tester” to opt-in to the beta release. Due to the interaction of the beta Play Store, we recommend completing this step on a computer rather than mobile device.

  3. Open the Google Play Store app on a TEE-compatible mobile device and ensure that it is logged in to the email account submitted in step 1.

  4. Search for “Rivetz” in the Play Store.

  5. Download, then open, the “Rivetz” app.

  6. Swipe sideways to “Activate Developer Tools” and tap that option.

  7. Tap “Accept” to install the Rivetz Trusted Application (TA).

Once complete there will be two "Riveted Apps", RivetzNet and Developer Tools. You can tap these to see the keys they contain.

Connect your device to the Android development environment. Please refer to Once your device is visible from the desktop using adb devices you’re all set. For example.

user@host:~$ adb devices
List of devices attached
LGH345c670f255	device

Add Rivetz to your Project

Assuming you are using Android Studio, point to our code repository and declare a dependency to the RivetJ Library and Rivetz Android Bridge. For example, in app/build.gradle add the following lines

maven {
    url ""
dependencies {
    compile 'com.rivetz:rivetz-bridge:0.7.2@aar'
    compile 'com.rivetz:rivetz-lib:0.7.2'

The example above shows how to specify the current release version in the build file; in this case, the current release is 0.7.2.

Create a Rivet

Import the Rivetz bridge library by adding com.rivetz.bridge to your class file

import com.rivetz.bridge.Rivet

Instantiate the Rivet class. Note that this is an asynchronous task as it establishes a binding to the Rivetz Adapter. You can provide a callback if you want to be notified when the binding is ready. In this example, we initialize the rivet with the Developer SPID (Service Provider ID). The Developer SPID is a common ID that can be used for experimentation. You will want to get your own ID if you have a real project in mind.

Rivet rivet = new Rivet(getApplicationContext(), Rivet.DEVELOPER_SPID);

Every Service Provider has a ServiceProviderRecord maintained by Rivetz on the device. This is used to store (encrypted) keys and state. The ServiceProviderRecord is established through a process called pairing, in which the Rivetz Network Registrar signs the service provider data and delivers it to the device. This establishes a trust relationship between the device and the service provider.

The pairing process involves user consent, and thus a UI element, but it only needs to happen once per device. You can test rivet.isPaired() or call pair() with the silent flag to just test if pairing is already done.


You call the Rivet to create a key and then do something with it. There are a number of different KeyTypes

rivet.createKey(KeyType.ECDSA_DFLT, "mykey");
String signature = rivet.sign("mykey","I yam what I yam");

We have developed a basic application which includes the source for integrating a basic Rivet. The full project is available on Github: We strongly recommend you download, build and run this application as a way to verify that your development environment and test mobile device are configured properly.

Next Steps

In the above example we used the simplest interface and a Test Service Provider. For a production deployment, you will want to create your own Service Provider ID and sign instructions sent to the Rivet.

Create a Service Provider ID

A Service Provider represents legal and cryptographic ownership over keys created and applied using the SPID. In order to protect access to your Riveted keys you can require that all instructions using those keys be signed by your Service Provider Key. The Service Provider Key is established prior to registering with Rivetz and supplied in the registration process.

To create your key on a Linux system you can use ssh-keygen.

$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa): rivetz-key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rivetz-key.
Your public key has been saved in

Navigate to and fill out the registration form. You will need to provide company information and upload the key created in the last step.

You will also be asked to provide a logo for your app. This is an important visual identifier that is signed by Rivetz so it can’t be spoofed, particularly when used with Trusted User Interface. The logo should be a 256x256 pixel PNG file. Ideally the logo should be simple so the file size is kept to a minimum. White (#FFFFFF) is the default background color.

As a result of registration you will be emailed a newly minted Service Provider ID. Congratulations!

Sign your instructions

In the above example, the calls to Rivetz are made directly within the client Android App. Generally, you will want to create Rivet instructions on your server so you can sign them first. A key can be configured to only accept signed instructions.

The Rivetz Code Library is used by your server code to construct an instruction. This instruction is a byte array, which is signed and then passed down to the device. The instruction is invoked using rivet.execute(). A result record is returned, signed by the service provider unique device identity key, if present.

Further documentation coming soon!

Discover Rivetz

Rivetz is intended to be a very simple way to get very real keys for identity, encryption, transactions, and more. You can create keys of various types. (If you want to suggest a type we don’t support, contact us at You can attach rules to keys such as Require Trusted User Interface Confirmation. Soon, we will provide features for sharing Riveted keys among cryptographically paired devices.

The Reference Guide provides full documentation of the Rivetz API classes.