phala/* models) runs inference behind an Attested Confidential Inference (ACI) gateway — a workload inside a Trusted Execution Environment (Intel TDX + NVIDIA confidential computing). It does two things a normal API can’t, plus one thing no other API does:
- It proves which code is running, in a genuine TEE, with an attestation report.
- It signs a per-response receipt that ties your exact request and response to that attested workload.
- t2000 automatically anchors every response on Sui — a tamper-evident, publicly-timestamped on-chain commitment — and durably stores the signed receipt, so you can verify a response trustlessly, any time, with one command (or in the browser at verify.t2000.ai).
The two proof layers
Attestation report
Proves the gateway is a specific workload in a genuine TEE, and publishes the keys it signs with.
Signed receipt
Proves what the gateway received and returned for one request, signed by a key from the attested report.
Confidential vs routed
The API serves two postures through one endpoint. The difference is whether the upstream that runs the model is itself attested:Confidential (phala/*) | Routed (frontier openai/*, anthropic/*, …) | |
|---|---|---|
| Upstream verified before forwarding | Yes (fail-closed) | No |
Receipt upstream.verified.result | verified | failed |
| Who sees your prompt | Only the attested gateway + attested upstream enclave | The gateway, then the third-party provider |
What you can verify
After one confidential request you hold enough to check, locally:- The gateway is a genuine TEE workload with a known identity (attestation).
- The receipt was signed by a key that report endorses (verify).
- The response you received is exactly the response that was signed (hash match).
- The same hashes are committed on Sui — tamper-evident, independent of t2000 (verify).
This is the honest counterpart: read the trust boundary for exactly what the Confidential tier proves versus what it still trusts (the gateway’s plaintext leg, under zero data retention).
