Skip to main content
A confidential (phala/*) response is served by an upstream provider whose enclave the gateway verifies before forwarding your prompt. The confidential tier rides the Phala/RedPill ACI gateway, which fans out to several verified providers — so the same model can be backed by any of them. The receipt’s upstream.verified.provider is the authoritative record of who served a request (in our smokes we’ve seen both NEAR AI and Chutes).

Providers & bindings

Each provider produces exactly one enforceable channel binding (verified, then pinned on the wire before forwarding):
ProviderTEEChannel binding
PhalaIntel TDX + NVIDIA CCtls_spki_sha256
NEAR AIIntel TDX + NVIDIA CCtls_spki_sha256
ChutesIntel TDX + NVIDIA CCe2ee_public_key_sha256
TinfoilAMD SEV-SNP (or TDX) + NVIDIA CCtls_spki_sha256
  • tls_spki_sha256 pins the upstream HTTPS connection to the verified TLS key.
  • e2ee_public_key_sha256 encrypts the request body to the verified enclave key, so only that enclave can decrypt it.
A “verified” result that carries no enforceable binding is rejected — there’s no “verified but unpinned”.

What each provider attests

Claims are honest about their source — a claim is asserted only when that provider’s verifier backs it; anything not established is unknown:
ClaimPhalaNEAR AIChutesTinfoil
tee_attestedhardware-provenhardware-provenhardware-provenhardware-proven
tcb_up_to_datetri-statetri-statetri-statetri-state
gpu_attestedverifier-derivedunknownverifier-derivedunknown
serving_software_known_goodunknownunknownunknownverifier-derived (Sigstore)
model_weights_provenanceunknownunknownunknownunknown
  • tee_attested is hardware-proven for every confidential provider — a genuine TEE quote is verified and the channel bound to it.
  • tcb_up_to_date is read from the verifier’s reported TCB status: up-to-date → asserted; stale → refuted (recorded, not hidden); absent → unknown.
  • gpu_attested asserts when the NVIDIA confidential-computing GPU attestation is verified + nonce-bound. It’s verifier_derived (proves a genuine confidential GPU exists, not its binding to the serving CPU TEE) and never gates a session.

Routed (non-confidential) providers

Frontier models (openai/*, anthropic/*, …) have no confidential-inference verifier — the receipt records upstream.verified.result = failed, required = false. The request is still served through the gateway, but the upstream is not attested and sees your prompt. See the trust boundary.
t2000 consumes these providers’ attestations through Phala’s ACI gateway — it does not run its own TEE (v3.0). The gateway-in-TEE step (our own workload attested, E2EE) is planned for v3.1 — see the trust boundary.