Coinbase Developer Platform shipped a meaningful security update to its Embedded Wallets product: iOS App Attest and Android Play Integrity support, combined with a new Policy Engine-backed wallet policies feature that lets teams define transaction rules per CDP project. This is not an incremental patch. It is a structural shift in how consumer-grade crypto applications can enforce security and compliance without shipping a new app build every time a rule changes. If you are an engineering leader responsible for on-chain features in a mobile app, this release changes your threat model and your deployment calculus. Here is what shipped, why it matters competitively, and what you should do about it.
What Actually Shipped
The CDP changelog documents two distinct capabilities landing together:
1. Mobile App Attestation
Coinbase CDP Embedded Wallets now support iOS App Attest and Android Play Integrity at authentication time and for every wallet action. These are platform-level APIs from Apple and Google, respectively, that cryptographically prove a request originated from a genuine, unmodified build of your app running on a real device. Not an emulator. Not a repackaged clone. Not a script hitting your backend directly.
The critical detail is scope: attestation is checked at authentication and at every wallet operation, not just at login. That distinction closes a gap that most wallet SDKs ignore entirely. A session token obtained legitimately on a real device can still be replayed from a tampered environment. Per-action attestation eliminates that surface.
2. Embedded Wallet Policies
The new policies feature introduces Policy Engine-backed rules scoped to each CDP project. The configurable controls include:
- Transaction allowlists (restrict which contracts or addresses a wallet can interact with)
- Per-transaction value caps (hard ceiling on what a single signing request can authorize)
- Network locks (restrict wallets to specific chains)
- ABI/IDL interface checks before signing (verify the function being called matches an expected interface before the wallet signs anything)
These rules live server-side, defined declaratively at the project level. They are not client-side validations that a sophisticated attacker can bypass by modifying the app binary. They execute before the wallet signs.
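To make the "executes before the wallet signs" model concrete, here is an added illustrative evaluator for the four rule types above. It is example code, not CDP's Policy Engine or its configuration format; the field names, the sample contract address and the selector list are assumptions.

```typescript
// Added illustrative model of the four rule types above. It is NOT CDP's Policy Engine
// or its configuration format; field names and the sample values are assumptions.
type Policy = {
  chainIds: number[];                   // network lock: chains the wallet may sign on
  maxValueWei: bigint;                  // per-transaction value cap
  allowlist: Record<string, string[]>;  // lowercase target address -> allowed 4-byte selectors
};
type SigningRequest = {
  chainId: number;
  to: string;        // target contract or address
  valueWei: bigint;
  data: string;      // 0x-prefixed calldata, '0x' for a plain value transfer
};

// Evaluate one signing request. Deny by default: every failing rule adds a reason and the
// request is signable only when no rule fails, mirroring a server-side pre-sign check.
function evaluatePolicy(policy: Policy, req: SigningRequest): { allowed: boolean; reasons: string[] } {
  const reasons: string[] = [];
  if (!policy.chainIds.includes(req.chainId)) {
    reasons.push(`chain ${req.chainId} blocked by network lock`);
  }
  if (req.valueWei > policy.maxValueWei) {
    reasons.push(`value ${req.valueWei} wei exceeds cap ${policy.maxValueWei} wei`);
  }
  const allowedSelectors = policy.allowlist[req.to.toLowerCase()];
  if (allowedSelectors === undefined) {
    reasons.push(`target ${req.to} not on transaction allowlist`);
  } else if (req.data !== '0x') {
    // ABI interface check: the function selector (first 4 bytes of calldata) must be one the
    // allowlist names for this contract, so an unexpected function cannot be signed.
    const selector = req.data.slice(0, 10).toLowerCase();
    if (!allowedSelectors.includes(selector)) {
      reasons.push(`selector ${selector} is not an allowed interface on ${req.to}`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample policy: Base mainnet (chain id 8453) only, 0.1 ETH cap, and one
// placeholder ERC-20 contract on which only transfer(address,uint256) may be called.
const samplePolicy: Policy = {
  chainIds: [8453],
  maxValueWei: BigInt('100000000000000000'),
  allowlist: {
    '0x1111111111111111111111111111111111111111': ['0xa9059cbb'], // transfer(address,uint256)
  },
};
```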
Why This Release Is More Important Than It Looks
Most coverage will frame App Attest and Play Integrity as security hygiene, the crypto equivalent of pinning a TLS certificate. That framing undersells what is happening.
The deeper shift is governance. By centralizing policy definition and enforcement in the CDP platform layer, Coinbase is creating a surface where product, security, and compliance teams can encode business logic over wallets without coordinating an app release. Want to cap transactions at $500 during a fraud incident? Change a policy config. Need to allowlist a new contract address after a partnership goes live? Same story. No mobile release cycle. No coordinated deploy across iOS, Android, and web clients.
For consumer fintech apps and neobanks already operating at scale, this maps directly to how they manage card controls today. Spend limits, merchant category blocks, and geographic restrictions on debit cards are all server-side policy decisions. Those teams understand this mental model. What they have lacked is an equivalent abstraction for on-chain actions. CDP just built it.
Coinbase has more than 100 million verified users globally and serves thousands of developers through CDP. The security bar required to ship embedded wallets to audiences that large is genuinely different from the bar required to serve early adopters who accept self-custody risk. This release reflects that reality.
Competitive Landscape: How This Stacks Up
The embedded wallet space is occupied by credible products. Privy, Magic, and Dynamic all offer MPC or passkey-based key management with decent developer experience. For many projects, they remain valid choices. But this release creates a meaningful differentiation gap on two specific dimensions.
| Capability | Coinbase CDP | Dynamic |
|---|---|---|
| iOS App Attest support | ✅ | ❌ |
| Android Play Integrity support | ✅ | ❌ |
| Per-action attestation (not just login) | ✅ | ❌ |
| Project-scoped Policy Engine | ✅ | ❌ |
| Transaction value caps (server-side) | ✅ | ❌ |
| ABI/IDL pre-sign interface checks | ✅ | ❌ |
| Network locks | ✅ | ❌ |
This table reflects what is publicly documented as of June 2026. Privy, Magic, and Dynamic have strong developer experience and broad chain support. If your primary concern is rapid integration across a large number of chains with minimal friction, they remain competitive on those dimensions. But none of them currently combines first-party mobile attestation with a project-scoped on-chain policy engine governed from the same platform. For regulated fintechs, consumer apps with 100,000-plus MAUs, or any company that has already integrated Play Integrity or App Attest for traditional payment flows, the Coinbase CDP approach is now substantially more attractive than lighter-weight alternatives.
The TOTP Gap Worth Acknowledging
One capability that frequently comes up in enterprise wallet evaluations is TOTP (Time-based One-Time Password) support as part of multi-factor authentication flows for wallet recovery or high-value transaction confirmation. Hardware attestation and TOTP serve different threat models: attestation proves device legitimacy, TOTP proves user presence with a second factor. CDP's current release focuses on device-level attestation rather than explicit TOTP flows for wallet actions. Teams that require both signals (device integrity plus user-presented second factor for high-value transactions) should evaluate whether CDP's current MFA architecture satisfies their requirements, and confirm their fallback and recovery flows with Coinbase's developer support before committing to the integration. This is not a dealbreaker for most consumer apps, but regulated financial applications should verify this explicitly.
What AgentScore Customers Should Know
For teams building AI agent commerce on top of AgentScore's infrastructure, this CDP release is directly relevant to how you architect the buyer-side authentication layer for agents operating within mobile applications. AgentScore's Passport establishes verified buyer identity for agents transacting on behalf of users. When those agents operate within a mobile shell, the question of whether the signing environment is legitimate matters. An agent that routes a transaction through a tampered app binary is a compliance exposure, not just a security risk. Coinbase's per-action attestation signals are exactly the kind of runtime verification that strengthens the chain of custody from user intent through agent execution to on-chain confirmation. Teams integrating AgentScore's payment and compliance infrastructure alongside CDP Embedded Wallets should consider the following:
- Treat attestation failures as first-class events in your fraud monitoring pipeline, not silent errors.
- Encode your baseline policy configs (value caps, network locks, contract allowlists) before you go to production. Retrofitting these after a fraud event is harder than setting them at launch.
- Coordinate with your legal and compliance teams on what happens when the Policy Engine blocks a transaction. Users need clear error messaging. Support teams need runbooks.
- If you are building for regulated markets, document attestation as a control in your compliance evidence. Regulators increasingly expect mobile apps handling financial transactions to demonstrate device integrity checks.
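As an added example of what "first-class events" means in practice, the monitor below consumes attestation verdicts and raises two alerts: a session whose login attestation passed but whose later signing attestation failed (the replayed-token pattern described earlier), and a user piling up failures in a short window. The event shape, field names and thresholds are assumptions for illustration, not CDP's own telemetry format or alerting.

```typescript
// Added example: attestation verdicts as fraud-monitoring events. The event shape, field
// names and thresholds are assumptions for illustration, not CDP's own telemetry format.
type AttestationEvent = {
  ts: number;                // unix seconds
  sessionId: string;
  userId: string;
  action: 'auth' | 'sign';   // attestation runs at authentication and at every wallet action
  verdict: 'pass' | 'fail';
  reason?: string;           // platform verdict detail, passed through verbatim
};
type Alert = { kind: 'session_replay_suspected' | 'repeated_failures'; userId: string; detail: string };

// Walk events in time order and raise two kinds of alert:
//  1. a session whose auth attestation passed but a later signing attestation failed, the
//     "legitimate token replayed from a tampered environment" pattern described above;
//  2. a user reaching `failureThreshold` failures inside a sliding `windowSeconds` window.
function monitorAttestation(events: AttestationEvent[], failureThreshold = 3, windowSeconds = 600): Alert[] {
  const alerts: Alert[] = [];
  const authPassed = new Set<string>();         // sessions whose login attestation succeeded
  const replayFlagged = new Set<string>();      // sessions already alerted (one alert per session)
  const failures = new Map<string, number[]>(); // userId -> timestamps of recent failures
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    if (ev.verdict === 'pass') {
      if (ev.action === 'auth') authPassed.add(ev.sessionId);
      continue;
    }
    if (ev.action === 'sign' && authPassed.has(ev.sessionId) && !replayFlagged.has(ev.sessionId)) {
      replayFlagged.add(ev.sessionId);
      alerts.push({ kind: 'session_replay_suspected', userId: ev.userId,
        detail: `session ${ev.sessionId}: auth attested, then signing attestation failed (${ev.reason ?? 'no reason'})` });
    }
    const recent = (failures.get(ev.userId) ?? []).filter(t => ev.ts - t < windowSeconds);
    recent.push(ev.ts);
    failures.set(ev.userId, recent);
    if (recent.length === failureThreshold) {  // fire once, at the moment the threshold is crossed
      alerts.push({ kind: 'repeated_failures', userId: ev.userId, detail: `${recent.length} failures in ${windowSeconds}s` });
    }
  }
  return alerts;
}

// Constructed sample: session s1 authenticates cleanly, then three signing attestations fail.
const sampleEvents: AttestationEvent[] = [
  { ts: 1000, sessionId: 's1', userId: 'u1', action: 'auth', verdict: 'pass' },
  { ts: 1020, sessionId: 's1', userId: 'u1', action: 'sign', verdict: 'fail', reason: 'assertion invalid' },
  { ts: 1030, sessionId: 's1', userId: 'u1', action: 'sign', verdict: 'fail', reason: 'assertion invalid' },
  { ts: 1040, sessionId: 's1', userId: 'u1', action: 'sign', verdict: 'fail', reason: 'assertion invalid' },
];
```

Running `monitorAttestation(sampleEvents)` on the constructed sample yields one replay alert at the first failed signing and one repeated-failures alert at the third.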
Concrete Recommendations for Engineering Leaders
This is not a "wait and see" situation. The attestation and policy features are available now, and the threat vectors they address (app cloning, reverse engineering, replay attacks, client-side validation bypass) are active risks in any consumer crypto application. Here is a prioritized action list:
1. Enable App Attest and Play Integrity at the CDP project level today. The incremental implementation cost is low. The risk reduction is immediate.
2. Audit your existing client-side transaction validation logic. Any check you are currently doing in the app binary (value limits, contract allowlists, chain restrictions) should be migrated to CDP Policy Engine configs. Client-side checks are bypassed; server-side policies are not.
3. Define a minimum viable policy baseline before your next production deploy. At minimum: a per-transaction value cap appropriate to your use case, a network lock if you only support specific chains, and an address allowlist if your app interacts with a known set of contracts.
4. Build attestation failure handling into your incident runbooks. What happens when a user on a jailbroken device tries to sign a transaction? What is the user-facing message? Who on your team gets alerted? These questions need answers before they become incidents.
5. Evaluate MFA requirements for your specific regulatory context. If TOTP or equivalent second-factor confirmation is required by your compliance framework for high-value transactions, verify CDP's current support and roadmap with Coinbase directly.
Where This Is Heading
Coinbase is not building a wallet SDK. It is building a policy orchestration platform for crypto actions inside mainstream applications. The combination of device attestation, declarative policy configs, and project-scoped governance is the architecture that enterprise and regulated-consumer applications require to ship on-chain features with the same confidence they ship traditional financial features.
The competitors in this space have strong developer experience and faster initial integration paths. That advantage is real, and it will matter for projects where speed to launch outweighs security depth. But as the embedded wallet market matures and as AI agents begin executing transactions autonomously on users' behalf, the platforms that will win are the ones that can prove provenance, enforce policy, and maintain audit trails across every action. Coinbase CDP is building that infrastructure. The question for engineering leaders is whether they are building on top of it.
Get started with AgentScore
If you want to start accepting agent payments, AgentScore gets you live in one call:
```typescript
import { Hono } from 'hono';
import { agentscoreGate } from '@agent-score/commerce/identity/hono';

const app = new Hono();          // the Hono app the gate is mounted on
const VERSION = '1.0.0';         // placeholder: your service's version, reported in the User-Agent

// Every request to /purchase must pass the AgentScore buyer checks before reaching the handler.
app.use('/purchase', agentscoreGate({
  apiKey: process.env.AGENTSCORE_API_KEY!,
  userAgent: `my-api/${VERSION}`,
  requireKyc: true,
  requireSanctionsClear: true,
  minAge: 21,
  allowedJurisdictions: ['US'],
  createSessionOnMissing: { apiKey: process.env.AGENTSCORE_API_KEY! },
}));
```