Skip to main content
Inference served by a gateway running in a TEE that proves its own identity with an attestation report and signs a per-response receipt binding your request + response to that attested workload — and t2000 anchors that receipt on Sui. You verify the proofs yourself rather than trusting an API’s word. Available on phala/* models.
Private (every model) is zero data retention — providers are contractually bound not to store or train on your prompts. Confidential (phala/*) adds hardware: the model runs in a verified GPU-TEE, with a signed, Sui-anchored receipt you can check. Private is a policy promise; Confidential is cryptographic evidence.
On a confidential call, plaintext is visible to the attested gateway after TLS terminates, because it has to process the request — but the gateway is a reviewed workload in a TEE and retains nothing (zero data retention). It does not mean no software ever sees the request. For the exact boundary, read the trust boundary. Full end-to-end encryption — where even t2000 never sees plaintext — is planned for v3.1.
Run t2 verify <receipt-id> — it reads the on-chain Sui anchor (trustless) and recovers the receipt signature against the attested key, and surfaces the upstream.verified result + typed claims. Or check it manually: attestationreceipt (upstream.verified.result = verified) → anchor. See Verify a response.
Every confidential response is automatically anchored on Sui as a ReceiptAnchored event committing the response hash + attested workload id — a tamper-evident, publicly-timestamped, independently-checkable record (browse them all at verify.t2000.ai). RedPill anchors on Ethereum/Automata; t2000 anchors on Sui — the only Sui-native verifiable-inference anchor. It’s read straight from a fullnode, so t2000 can’t forge it.
The phala/* models — confirm per response from the receipt’s upstream.verified event (result = verified, required = true). Confidentiality is a property of the verified upstream provider, not the model id. The upstream may be NEAR AI, Chutes, Phala, or Tinfoil — see Providers; the receipt names which one served.
GET /v1/aci/attestation?model=…&nonce=<hex> binds your nonce into the hardware-signed quote’s report_data. A report that commits a nonce you just generated can’t be a replay — that’s how you prove freshness. Use a new random nonce each time. See Attestation.
Receipts hold hashes of your request and response, not the content. The gateway does not store request or response bodies.