> ## Documentation Index
> Fetch the complete documentation index at: https://developers.t2000.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify a response

> Check — don't trust — a confidential response by its receipt id. t2 verify reads the on-chain Sui anchor and recovers the receipt signature, both trustlessly, and fails closed on any mismatch.

The Confidential tier is **verifiable**, not just claimed. Given a receipt id, `t2 verify` checks the whole chain and **fails closed** on any forgery — and the Sui-anchor check needs zero trust in t2000.

***

## Anchor-every + verify (Sui-native — the wedge)

**Every confidential response is automatically anchored on Sui** — a `ReceiptAnchored` event committing the response `wire_hash` + attested `workload_id`, tamper-evident and publicly timestamped. No extra call: it's fired for you the moment the response returns (zero added latency). RedPill anchors on Ethereum/Automata; t2000 anchors on **Sui** — the only Sui-native verifiable-inference anchor.

The signed receipt is also **durably stored**, so you can verify **any time** — not just inside the upstream gateway's short receipt-retention window. `GET /v1/aci/receipts/{id}` serves the durable copy once the gateway TTL lapses (still fully trustless — the receipt is signed and its hash is anchored on-chain, so it can't be forged wherever it's served).

```bash theme={null}
# Every confidential response is already anchored — just verify it:
t2 verify {x-receipt-id}
```

Prefer a browser? Paste any receipt id at **[verify.t2000.ai](https://verify.t2000.ai)** — the same trustless checks, plus a live public feed of every confidential response anchored on Sui (hashes only — no prompts, no identities).

```text theme={null}
  ✓ Receipt              well-formed (9 log entries, workload sha256:3def…)
  ✓ Confidential upstream chutes: verified
        · tee_attested: asserted (hardware_proven)
        · gpu_attested: asserted (verifier_derived)
        · tcb_up_to_date: asserted (hardware_proven)
        session: as_c5a0…
  ✓ Sui anchor (trustless) on-chain ReceiptAnchored matches (wire_hash + workload_id), tx BrVp…
  ✓ Receipt signature (trustless) signed by the attested receipt key (dstack-kms-receipt-v1)
  ✓ TDX quote (DCAP) (trustless) genuine Intel TDX (verified vs Intel collateral), TCB UpToDate
  RESULT: ✓ verified — genuine TDX quote + TEE-signed receipt + Sui anchor, all checked client-side.
```

***

## What it checks

* **Sui anchor (trustless).** Reads the on-chain `ReceiptAnchored` event **straight from a Sui fullnode** and confirms the committed `wire_hash` + `workload_id` match the signed receipt. t2000 can't forge it; a wrong/missing anchor fails closed.
* **Receipt signature (trustless).** Recovers the receipt's secp256k1 signer — recomputing the dstack ACI canonical bytes (JCS → `sha256` → 65-byte `r‖s‖v`) — and matches it to the **attested** receipt-signing key. An altered or forged receipt fails.
* **TDX quote / DCAP (trustless).** Re-verifies the hardware TDX quote with [`@phala/dcap-qvl`](https://github.com/Phala-Network/dcap-qvl), chaining to **Intel's** root CA via PCCS collateral (Intel-signed — the PCCS is a cache, not a trust point) → genuine enclave + TCB status, **without trusting the gateway's server-side verification**. Also confirms the quote's `report_data` commits the report's signing address and the quote is for the receipt's workload. Skip it with `--quick`.
* **Confidential upstream + typed claims.** Surfaces the upstream's [typed TCB claims](/confidential-ai/attested-sessions#typed-claims) (each with its source) and the attested-session id.

It prints a per-check report and exits non-zero if anything doesn't line up.

***

## Programmatic

```typescript theme={null}
import { verifyReceipt } from "@t2000/sdk";
const result = await verifyReceipt("rcpt-…");
result.verified;        // false on any mismatch
result.anchorVerified;  // the trustless Sui-anchor core
result.upstream?.claims; // [{ name, status, source }]
```

Also: `agent.verify(receiptId)` on a `T2000` instance, or the `t2000_verify` MCP tool.

<Note>
  **What's trustless (honest):** the Sui anchor, the receipt signature, and the TDX quote are all verified **client-side** — the quote chains to Intel's root, so even the gateway's `verified:true` is no longer something you have to trust. The one remaining hop is `keyset_endorsement` (cryptographically tying the receipt-signing key to the quote's identity key); the receipt-signature check already proves the receipt is signed by the published keyset key. The gateway still terminates TLS and sees plaintext on its forwarding leg (ZDR) — full E2EE is planned for v3.1. See the [trust boundary](/confidential-ai/trust-boundary).
</Note>
