Skip to main content
The Confidential tier is verifiable, not just claimed. Given a receipt id, t2 verify checks the whole chain and fails closed on any forgery — and the Sui-anchor check needs zero trust in t2000.

Anchor-every + verify (Sui-native — the wedge)

Every confidential response is automatically anchored on Sui — a ReceiptAnchored event committing the response wire_hash + attested workload_id, tamper-evident and publicly timestamped. No extra call: it’s fired for you the moment the response returns (zero added latency). RedPill anchors on Ethereum/Automata; t2000 anchors on Sui — the only Sui-native verifiable-inference anchor. The signed receipt is also durably stored, so you can verify any time — not just inside the upstream gateway’s short receipt-retention window. GET /v1/aci/receipts/{id} serves the durable copy once the gateway TTL lapses (still fully trustless — the receipt is signed and its hash is anchored on-chain, so it can’t be forged wherever it’s served).
# Every confidential response is already anchored — just verify it:
t2 verify {x-receipt-id}
Prefer a browser? Paste any receipt id at verify.t2000.ai — the same trustless checks, plus a live public feed of every confidential response anchored on Sui (hashes only — no prompts, no identities).
  ✓ Receipt              well-formed (9 log entries, workload sha256:3def…)
  ✓ Confidential upstream chutes: verified
        · tee_attested: asserted (hardware_proven)
        · gpu_attested: asserted (verifier_derived)
        · tcb_up_to_date: asserted (hardware_proven)
        session: as_c5a0…
  ✓ Sui anchor (trustless) on-chain ReceiptAnchored matches (wire_hash + workload_id), tx BrVp…
  ✓ Receipt signature (trustless) signed by the attested receipt key (dstack-kms-receipt-v1)
  ✓ TDX quote (DCAP) (trustless) genuine Intel TDX (verified vs Intel collateral), TCB UpToDate
  RESULT: ✓ verified — genuine TDX quote + TEE-signed receipt + Sui anchor, all checked client-side.

What it checks

  • Sui anchor (trustless). Reads the on-chain ReceiptAnchored event straight from a Sui fullnode and confirms the committed wire_hash + workload_id match the signed receipt. t2000 can’t forge it; a wrong/missing anchor fails closed.
  • Receipt signature (trustless). Recovers the receipt’s secp256k1 signer — recomputing the dstack ACI canonical bytes (JCS → sha256 → 65-byte r‖s‖v) — and matches it to the attested receipt-signing key. An altered or forged receipt fails.
  • TDX quote / DCAP (trustless). Re-verifies the hardware TDX quote with @phala/dcap-qvl, chaining to Intel’s root CA via PCCS collateral (Intel-signed — the PCCS is a cache, not a trust point) → genuine enclave + TCB status, without trusting the gateway’s server-side verification. Also confirms the quote’s report_data commits the report’s signing address and the quote is for the receipt’s workload. Skip it with --quick.
  • Confidential upstream + typed claims. Surfaces the upstream’s typed TCB claims (each with its source) and the attested-session id.
It prints a per-check report and exits non-zero if anything doesn’t line up.

Programmatic

import { verifyReceipt } from "@t2000/sdk";
const result = await verifyReceipt("rcpt-…");
result.verified;        // false on any mismatch
result.anchorVerified;  // the trustless Sui-anchor core
result.upstream?.claims; // [{ name, status, source }]
Also: agent.verify(receiptId) on a T2000 instance, or the t2000_verify MCP tool.
What’s trustless (honest): the Sui anchor, the receipt signature, and the TDX quote are all verified client-side — the quote chains to Intel’s root, so even the gateway’s verified:true is no longer something you have to trust. The one remaining hop is keyset_endorsement (cryptographically tying the receipt-signing key to the quote’s identity key); the receipt-signature check already proves the receipt is signed by the published keyset key. The gateway still terminates TLS and sees plaintext on its forwarding leg (ZDR) — full E2EE is planned for v3.1. See the trust boundary.