Confidential Providers

A confidential model is served by an upstream provider whose enclave the gateway verifies before forwarding your prompt. Each provider produces one enforceable channel binding and a set of typed claims. This page summarizes what each provider proves. The receipt’s upstream.verified.provider field names the provider that served a given request, so a single model can be backed by any of these providers. The platform adds confidential providers over time, so treat the provider field on the receipt as the authoritative record of who served a request rather than this list.

Providers and bindings

Provider	TEE	Channel binding
Tinfoil	AMD SEV-SNP (or TDX) + NVIDIA CC	`tls_spki_sha256`
NEAR AI	Intel TDX + NVIDIA CC	`tls_spki_sha256`
Chutes	Intel TDX + NVIDIA CC	`e2ee_public_key_sha256`
Phala	Intel TDX + NVIDIA CC	`tls_spki_sha256`

A tls_spki_sha256 binding pins the upstream HTTPS connection to the verified TLS key.
An e2ee_public_key_sha256 binding encrypts the request body to the verified enclave key, so only that enclave can decrypt it.

What each provider attests

Claims are honest about their source. A claim is asserted only when that provider’s verifier backs it; anything not established is Unknown. See Reading TCB and claims for the vocabulary.

Claim	Tinfoil	NEAR AI	Chutes	Phala
`tee_attested`	Hardware-proven	Hardware-proven	Hardware-proven	Hardware-proven
`tcb_up_to_date`	Tri-state	Tri-state	Tri-state	Tri-state
`serving_software_known_good`	Verifier-derived (Sigstore)	Unknown	Unknown	Unknown
`gpu_attested`	Unknown	Unknown	Verifier-derived	Verifier-derived
`model_weights_provenance`	Unknown	Unknown	Unknown	Unknown

Notes:

tee_attested is hardware-proven for every confidential provider: a genuine TEE quote is verified and the request channel is bound to it.
tcb_up_to_date is a tri-state, read from the verifier’s reported TCB status. An up-to-date platform asserts the claim; a stale platform refutes it (the gateway records the stale status rather than silently passing); an absent status is Unknown.
serving_software_known_good is asserted for Tinfoil by comparing its launch measurement against published Sigstore golden values for the build. Other providers leave it Unknown today.
gpu_attested asserts when the provider’s NVIDIA confidential-computing GPU attestation is verified and nonce-bound. It attests a genuine confidential GPU, not its binding to the serving CPU TEE, so it is verifier-derived and never gates a session.

Router-backed providers

Some providers (NEAR AI, Tinfoil) front many models behind one TEE gateway. The gateway verifies that gateway channel, so it produces one attested session per router, and the served model is recorded on the receipt. Per-model coverage is delegated to the verified router, which attests its own backend model enclaves.

Generic routed providers

A routed response goes to a third-party provider with no confidential-inference verifier (for example OpenAI or Anthropic). The receipt records upstream.verified.result = failed and required = false. The request is served through the TEE gateway, but the upstream is not attested. See Trust boundary.

Confidential models

How to confirm a confidential response from its receipt.

Reading TCB and claims

How to interpret a claim and its source.

​Providers and bindings

​What each provider attests

​Router-backed providers

​Generic routed providers

​Next