Get attestation reports from your CVM to prove it’s running in genuine TEE hardware. You can check the dashboard for quick verification, or use the dstack SDK to generate quotes programmatically with custom data.

View Attestation Report on Dashboard

Open the Attestation tab in your CVM dashboard. Click Check Attestation to verify the default report generated during bootstrap.

Generate Attestation Programmatically

Prerequisites: Configure Docker Compose

Your application needs access to the dstack service to generate attestation quotes. Mount the dstack socket into your container:
version: '3'
services:
  app:
    image: your-app-image
    ports:
      - 8080:8080
    volumes:
      # Mount dstack socket for TEE operations
      - /var/run/dstack.sock:/var/run/dstack.sock

Using dstack SDK

The dstack SDK connects to /var/run/dstack.sock automatically. Install for your language:

Attaching Custom Data (reportData)

The attestation quote includes a 64-byte reportData field for your custom data. Important: The SDK throws an error if you exceed 64 bytes—it does not auto-hash. Two patterns:
  1. Short data (≤64 bytes): Nonces, small challenges, or hashes—pass directly
  2. Long data (>64 bytes): Any arbitrary data—hash it first with SHA256 (produces 32 bytes)
import { DstackClient } from '@phala/dstack-sdk';
import crypto from 'crypto';

const client = new DstackClient();

// Pattern 1: Short data (≤64 bytes) - pass directly
// Example: 32-byte nonce for challenge-response
const nonce = crypto.randomBytes(32);
const quote1 = await client.getQuote(nonce);

// Pattern 2: Long data (>64 bytes) - hash it first
// Example: JSON with arbitrary data
const userData = JSON.stringify({
  version: '1.0.0',
  timestamp: Date.now(),
  user_id: 'alice',
  public_key: '0x1234...'
});

// Hash to fit in 64 bytes (SHA256 produces 32 bytes)
const hash = crypto.createHash('sha256').update(userData).digest();
const quote2 = await client.getQuote(hash);

console.log('Quote:', quote2.quote);
console.log('Event Log:', quote2.event_log);
reportData Parameter Required: The getQuote() method requires a reportData parameter. If you don’t need custom data, pass an empty value: '' in TypeScript or b'' in Python. Calling getQuote() without any parameter will fail.
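
The verifier side of the two patterns above, as an added example (not code from the dstack SDK or this documentation): it recomputes the value the CVM should have passed to getQuote() and compares it with the reportData field taken from an already verified quote. The function names, the nonce-then-payload hash layout, and the zero right-padding of values shorter than 64 bytes are assumptions of this example.

```javascript
// Added example: verifier-side reportData check. Not dstack SDK code.
const crypto = require('node:crypto');

const REPORT_DATA_LEN = 64; // size of the reportData field in the quote
const NONCE_LEN = 32;       // fixed length keeps nonce || payload unambiguous

// Value the CVM passes to getQuote(): SHA-256(nonce || payload), 32 bytes.
// Hashing the nonce together with the payload binds the data to one challenge.
function bindingDigest(nonce, payload) {
  if (!Buffer.isBuffer(nonce) || nonce.length !== NONCE_LEN) {
    throw new Error(`nonce must be a ${NONCE_LEN}-byte Buffer`);
  }
  return crypto.createHash('sha256')
    .update(nonce)
    .update(Buffer.from(payload, 'utf8'))
    .digest();
}

// Assumption: values shorter than 64 bytes appear in the quote right-padded
// with zero bytes. Longer values are rejected, as the SDK does.
function expectedReportData(value) {
  if (value.length > REPORT_DATA_LEN) {
    throw new Error('reportData exceeds 64 bytes; hash it first');
  }
  const field = Buffer.alloc(REPORT_DATA_LEN); // zero-filled
  value.copy(field);
  return field;
}

// reportDataHex: the field read from a quote whose signature and certificate
// chain were already verified by a quote-verification tool (not shown here).
function verifyBinding(reportDataHex, nonce, payload) {
  if (!/^[0-9a-f]{128}$/i.test(reportDataHex)) return false;
  const actual = Buffer.from(reportDataHex, 'hex');
  const expected = expectedReportData(bindingDigest(nonce, payload));
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample values, not real attestation output.
const nonce = Buffer.alloc(NONCE_LEN, 0x11); // a verifier uses crypto.randomBytes(32)
const payload = JSON.stringify({ version: '1.0.0', user_id: 'alice' });
const reportDataHex = expectedReportData(bindingDigest(nonce, payload)).toString('hex');

const otherNonce = Buffer.alloc(NONCE_LEN, 0x22);
console.log('matching nonce:', verifyBinding(reportDataHex, nonce, payload));
console.log('replayed under another nonce:', verifyBinding(reportDataHex, otherNonce, payload));
```

A quote requested with an empty reportData carries no nonce, so this check can only be applied when the verifier's challenge is passed through to getQuote().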

Exposing Attestation via API

Expose attestation endpoints so external verifiers can validate your CVM. The /attestation endpoint provides the quote for hardware verification, while /info provides the application configuration for code verification:
import express from 'express';
import { DstackClient } from '@phala/dstack-sdk';

const app = express();
const client = new DstackClient();

app.get('/attestation', async (req, res) => {
  const result = await client.getQuote('');
  res.json({
    quote: result.quote,
    event_log: result.event_log,
    vm_config: result.vm_config  // Required by dstack-verifier
  });
});

app.get('/info', async (req, res) => {
  const info = await client.info();
  res.json(info);
});

app.listen(8080);
These endpoints allow external verifiers to fetch attestation data and verify your CVM. See Verify Your Application for how verifiers use these endpoints.
