Attestation Report

Endpoint

GET https://inference.phala.com/v1/aci/attestation?nonce={nonce}
This endpoint returns the ACI gateway’s attestation report. The report proves which TEE workload serves the API and publishes the public keyset used for receipts and end-to-end encryption.
Always pass a fresh random nonce when verifying an attestation report. The gateway binds the nonce into the quote’s report data so old reports cannot be replayed as fresh evidence.

Parameters

nonce (string, required): Fresh random value, for example 16 or 32 bytes encoded as hex.

Example

NONCE=$(openssl rand -hex 16)

curl "https://inference.phala.com/v1/aci/attestation?nonce=$NONCE" \
  -H "Authorization: Bearer <API_KEY>"

Response

200 OK, application/json. The response is the bare attestation report.

Top-level fields

| Field | Type | Description |
| --- | --- | --- |
| api_version | string | ACI version token, for example aci/1. |
| workload_id | string | sha256:... identity of the running gateway workload. |
| workload_keyset_digest | string | sha256:... digest over the published keyset. |
| attestation | object | TEE evidence, source provenance, and keyset data. |
| all_attestations | array | Full attestation objects for each server in a multi-instance deployment. |
| service_capabilities | object | Runtime capabilities such as supported E2EE versions. |

attestation object

| Field | Type | Description |
| --- | --- | --- |
| tee_type | string | TEE technology, for example tdx. |
| vendor | string | Deployment vendor tag. |
| report_data | string | Value bound into the quote. It commits to your nonce and the keyset. |
| freshness | object | fetched_at and stale_after timestamps. |
| source_provenance | object | Source repo, commit, image digest, and image provenance when available. |
| workload_keyset | object | Workload identity, receipt signing keys, E2EE public keys, TLS public keys, and keyset epoch. |
| keyset_endorsement | object | Signature over the keyset under the workload identity key. |
| evidence | object | TDX quote, quote report data, event log, VM config, and key custody details. |

{
  "api_version": "aci/1",
  "workload_id": "sha256:3def476b...",
  "workload_keyset_digest": "sha256:3eff0836...",
  "attestation": {
    "tee_type": "tdx",
    "vendor": "phala-confidential-ai",
    "report_data": "7b7daf62...",
    "freshness": {
      "fetched_at": 1781589476,
      "stale_after": 1781593076
    },
    "source_provenance": {
      "repo_url": "https://github.com/Dstack-TEE/private-ai-gateway.git",
      "repo_commit": "9d45c7e3d48d2f74c31cd85f1fb5c6cee1435ef3",
      "image_digest": null,
      "image_provenance": null
    },
    "workload_keyset": {
      "workload_identity": { "public_key": { "algo": "ecdsa-secp256k1", "public_key": "04d3b5..." } },
      "receipt_signing_keys": [
        { "key_id": "dstack-kms-receipt-v1", "algo": "ecdsa-secp256k1", "public_key": "04211c..." }
      ],
      "e2ee_public_keys": [
        { "key_id": "dstack-kms-e2ee-v1", "algo": "secp256k1-aes-256-gcm-hkdf-sha256", "public_key": "04943c..." }
      ],
      "tls_public_keys": [],
      "keyset_epoch": { "version": 1, "not_after": 18446744073709551615 }
    },
    "keyset_endorsement": { "algo": "ecdsa-secp256k1", "value": "a91bff..." },
    "evidence": {
      "quote": "040002008100...",
      "quote_report_data": "7b7daf...",
      "event_log": "[{...}]",
      "vm_config": "{...}",
      "key_custody": { "provider": "dstack-kms", "keys": [] }
    }
  },
  "all_attestations": [],
  "service_capabilities": { "supported_e2ee_versions": ["2"] }
}

Verification Flow

  1. Verify attestation.evidence.quote against Intel DCAP collateral.
  2. Confirm the quote report data binds your nonce and the workload_keyset.
  3. Verify keyset_endorsement under workload_keyset.workload_identity.
  4. Confirm workload_id and workload_keyset_digest match the receipts you verify.
  5. Confirm freshness.stale_after is in the future.
  6. For production policy, confirm source_provenance matches the release you trust.
The end-to-end walkthrough is in Verify a Response.
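
The policy checks in steps 4 to 6 as a fail-closed gate, applied to the primary attestation and to every entry in all_attestations. This is an added example, not code from the original page or from the gateway project. It does not perform steps 1 to 3, so run it only on a report whose quote, nonce binding, and keyset endorsement have already been verified. The names policy_failures, POLICY, and RECEIPT_IDS are hypothetical, the identity values are constructed, and timestamps are assumed to be Unix seconds.

```python
import time

# Constructed sample, trimmed to the fields checked here (identity values are made up).
SAMPLE_REPORT = {
    "workload_id": "sha256:constructed-workload",
    "workload_keyset_digest": "sha256:constructed-keyset",
    "attestation": {
        "freshness": {"fetched_at": 1000, "stale_after": 4600},
        "source_provenance": {
            "repo_url": "https://github.com/Dstack-TEE/private-ai-gateway.git",
            "repo_commit": "9d45c7e3d48d2f74c31cd85f1fb5c6cee1435ef3",
            "image_digest": None,
        },
    },
    "all_attestations": [],
}
# Hypothetical local policy: the release you trust. A None value means "not pinned".
POLICY = {
    "repo_url": "https://github.com/Dstack-TEE/private-ai-gateway.git",
    "repo_commit": "9d45c7e3d48d2f74c31cd85f1fb5c6cee1435ef3",
    "image_digest": None,
}
# Hypothetical: identity values taken from the receipt being verified.
RECEIPT_IDS = {
    "workload_id": "sha256:constructed-workload",
    "workload_keyset_digest": "sha256:constructed-keyset",
}

def policy_failures(report, policy, receipt_ids, now=None):
    """Steps 4-6 only. Returns a list of failed checks; an empty list means pass."""
    now = time.time() if now is None else now  # assumption: timestamps are Unix seconds
    failures = []
    # Step 4: the report and the receipt must name the same workload and keyset.
    for field in ("workload_id", "workload_keyset_digest"):
        if not report.get(field) or report.get(field) != receipt_ids.get(field):
            failures.append(f"{field}: does not match receipt")
    # Check the primary attestation and every per-server one in all_attestations.
    attestations = [report.get("attestation") or {}, *(report.get("all_attestations") or [])]
    for i, att in enumerate(attestations):
        # Step 5: a missing or non-numeric stale_after fails closed.
        stale_after = (att.get("freshness") or {}).get("stale_after")
        if not isinstance(stale_after, (int, float)) or stale_after <= now:
            failures.append(f"attestation[{i}]: stale or no stale_after")
        # Step 6: provenance must equal the pinned release; a null image_digest
        # fails only when the policy pins an image.
        prov = att.get("source_provenance") or {}
        for field, want in policy.items():
            if want is not None and prov.get(field) != want:
                failures.append(f"attestation[{i}]: {field} is not the trusted value")
    return failures
```

Because the sample report has image_digest set to null, a policy that pins an image rejects it, which is the safe outcome when image provenance is unavailable.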

Legacy Alias

GET /v1/attestation/report remains available as a compatibility alias for earlier clients. It returns the same gateway attestation, wrapped for older response shapes with top-level signer fields.
