What is the Confidential tier?
What is the Confidential tier?
Inference served by a gateway running in a TEE that proves its own identity with an attestation report and signs a per-response receipt binding your request + response to that attested workload — and t2000 anchors that receipt on Sui. You verify the proofs yourself rather than trusting an API’s word. Available on
phala/* models.How is it different from the Private (ZDR) tier?
How is it different from the Private (ZDR) tier?
Private (every model) is zero data retention — providers are contractually bound not to store or train on your prompts. Confidential (
phala/*) adds hardware: the model runs in a verified GPU-TEE, with a signed, Sui-anchored receipt you can check. Private is a policy promise; Confidential is cryptographic evidence.Can t2000 read my prompts?
Can t2000 read my prompts?
On a confidential call, plaintext is visible to the attested gateway after TLS terminates, because it has to process the request — but the gateway is a reviewed workload in a TEE and retains nothing (zero data retention). It does not mean no software ever sees the request. For the exact boundary, read the trust boundary. Full end-to-end encryption — where even t2000 never sees plaintext — is planned for v3.1.
How do I prove a response was genuinely confidential?
How do I prove a response was genuinely confidential?
Run
t2 verify <receipt-id> — it reads the on-chain Sui anchor (trustless) and recovers the receipt signature against the attested key, and surfaces the upstream.verified result + typed claims. Or check it manually: attestation → receipt (upstream.verified.result = verified) → anchor. See Verify a response.What's the Sui anchor — and why Sui?
What's the Sui anchor — and why Sui?
Every confidential response is automatically anchored on Sui as a
ReceiptAnchored event committing the response hash + attested workload id — a tamper-evident, publicly-timestamped, independently-checkable record (browse them all at verify.t2000.ai). RedPill anchors on Ethereum/Automata; t2000 anchors on Sui — the only Sui-native verifiable-inference anchor. It’s read straight from a fullnode, so t2000 can’t forge it.Which models are confidential?
Which models are confidential?
The
phala/* models — confirm per response from the receipt’s upstream.verified event (result = verified, required = true). Confidentiality is a property of the verified upstream provider, not the model id. The upstream may be NEAR AI, Chutes, Phala, or Tinfoil — see Providers; the receipt names which one served.What does the nonce in the attestation report do?
What does the nonce in the attestation report do?
GET /v1/aci/attestation?model=…&nonce=<hex> binds your nonce into the hardware-signed quote’s report_data. A report that commits a nonce you just generated can’t be a replay — that’s how you prove freshness. Use a new random nonce each time. See Attestation.What does the gateway store?
What does the gateway store?
Receipts hold hashes of your request and response, not the content. The gateway does not store request or response bodies.
