The two binding types
Every confidential provider produces exactly one binding, and that value lives inside the verified attestation.| Binding | What it is | How the gateway enforces it |
|---|---|---|
tls_spki_sha256 | SHA-256 of the upstream’s TLS public key (SPKI). | Pins the upstream HTTPS connection to that key before forwarding. |
e2ee_public_key_sha256 | SHA-256 of the upstream’s end-to-end public key. | Encrypts the request body to that key, so only the attested enclave can decrypt it. |
The invariant: verified implies an enforceable binding
The gateway treats verification and binding as one fact. A “verified” result that carries no enforceable binding is rejected. A provider can never be “verified but unpinned”. This is enforced in the gateway, not left to configuration.Fail-closed forwarding
For a confidential model,upstream.verified.required is true. If the gateway cannot verify the
upstream, or cannot enforce the verified binding on the actual connection, it does not send your
prompt. Retries and reconnects cannot bypass this: if the channel binding no longer matches, the
gateway re-verifies before forwarding.
For a routed model, required is false. The gateway forwards to the third-party provider over
ordinary TLS without an attested binding, and the receipt records result: failed. Your prompt still
leaves the gateway, so use confidential models when the
upstream must be attested. See Trust boundary for the full picture.
How you confirm it
You do not enforce the binding yourself; the gateway does, before forwarding. What you verify after the fact is that it happened:- Verify the attestation report and the receipt.
- Read
upstream.verified. For a confidential response,resultisverifiedandrequiredistrue, and the event references the attested session whose binding the gateway enforced.
Next
Providers
Binding type and attested claims per provider.
Trust boundary
What the gateway does and does not protect.