Check a model’s attestation
tlsSpkiSha256) and the receipt-signing key (signingKey). It’s public — no key required.
The full report (verify it yourself)
Add anonce to get the full ACI report bound to your nonce — the raw artifacts a client needs to verify the quote trustlessly (DCAP via dcap-qvl) and prove freshness:
report_data. A report that commits a nonce you just generated can’t be a replay — that’s how you prove freshness. Generate a new one each time.
Fail-closed enforcement
For aphala/* request, the gateway verifies the upstream attestation before forwarding your prompt and fails closed if it can’t — a genuine, freshly-attested enclave, or the prompt never leaves us. Enforcement is on by default. The verified result is cached briefly (a workload’s attestation is stable) so we re-attest periodically, not per request.
What the report contains
| Field | What it proves |
|---|---|
workload_id | A SHA-256 identity for the running workload — the stable “which gateway is this”. |
attestation.evidence.quote | The hardware-signed TDX quote — the root of trust for everything else. |
attestation.report_data | Commits your nonce + the keyset → freshness + key binding. |
attestation.workload_keyset | The public keys: receipt_signing_keys, tls_public_keys, keyset epoch. |
attestation.keyset_endorsement | A signature under the workload identity tying the keys to the identity. |
attestation.source_provenance | The repo_url + repo_commit the workload was built from. |
