> ## Documentation Index > Fetch the complete documentation index at: https://docs.phala.com/llms.txt > Use this file to discover all available pages before exploring further. > Learn how to verify the integrity of your Confidential AI API requests. # Integrity Proof ## Why integrity proof matters Every Confidential AI response comes with a cryptographic signature. This signature proves the AI output came from verified TEE hardware and nobody tampered with it along the way. The signature cryptographically binds the request and response to the TEE's signing key. Any modification to the AI's response or injected fake data will break the signature verification. Without this check, you're trusting the transport layer. With it, you have end-to-end cryptographic proof from the TEE itself. ## Get the signature After you make an AI request, you'll get a `chat_id` in the response. Use it to fetch the cryptographic signature: ```python theme={"system"} import requests # After getting AI response with chat_id chat_id = ai_response["id"] model = "phala/deepseek-chat-v3-0324" # or your model # Fetch the signature sig_response = requests.get( f"https://api.redpill.ai/v1/signature/{chat_id}?model={model}", headers={"Authorization": f"Bearer {api_key}"} ) signature_data = sig_response.json() # signature_data contains: # - text: "request_hash:response_hash" # - signature: The ECDSA or Ed25519 signature # - signing_address: The address that signed this response ``` The response gives you everything needed for verification. The `text` field contains hashes of your request and the AI's response, separated by a colon. The `signature` is the cryptographic proof from the TEE. The `signing_address` identifies which TEE instance signed this response. ## Verify request and response hashes Confirm the hashes in the `text` field match your actual request and response. The `text` field format is `request_hash:response_hash`. ```python theme={"system"} from hashlib import sha256 def sha256_text(text: str): """Calculate SHA256 hash of text""" return sha256(text.encode()).hexdigest() # Calculate hashes of your original request and response request_body_json = '{"model": "...", "messages": [...]}' # Your request JSON response_body = '{"id": "...", "choices": [...], ...}' # Full response JSON request_hash = sha256_text(request_body_json) response_hash = sha256_text(response_body) # Parse the signed hashes hashed_text = signature_data["text"] request_hash_server, response_hash_server = hashed_text.split(":") # Verify they match assert request_hash == request_hash_server assert response_hash == response_hash_server print("Request and response hashes verified") ``` This ensures the data wasn't modified or swapped after signing. The signature covers these exact hashes. ## Verify signature Now verify that the signature actually came from a TEE. You'll recover the signing address from the signature, then fetch and verify the attestation for that specific address. ### Recover signing address from signature For ECDSA signatures (most common), recover the Ethereum address: ```python theme={"system"} from eth_account.messages import encode_defunct from eth_account import Account # Recover the address that created this signature message = encode_defunct(text=signature_data["text"]) recovered_address = Account.recover_message( message, signature=signature_data["signature"] ) # Verify it matches the claimed signing address signing_address = signature_data["signing_address"] assert recovered_address.lower() == signing_address.lower() print(f"Signature valid from: {signing_address}") ``` For Ed25519 signatures, the verification process differs - check the signing algorithm in your attestation response. ### Fetch attestation for signing address Now fetch a fresh attestation for this specific signing address. This proves the signing key belongs to verified TEE hardware: ```python theme={"system"} import secrets # Generate fresh nonce for attestation nonce = secrets.token_hex(32) # Fetch attestation for this signing address attestation_response = requests.get( f"https://api.redpill.ai/v1/attestation/report?model={model}&nonce={nonce}&signing_address={signing_address}", headers={"Authorization": f"Bearer {api_key}"} ) attestation_report = attestation_response.json() # If using multi-server deployment, filter for matching signing address if "all_attestations" in attestation_report: attestation = next( item for item in attestation_report["all_attestations"] if item["signing_address"].lower() == signing_address.lower() ) else: attestation = attestation_report print(f"Found attestation for: {attestation['signing_address']}") ``` In multi-server deployments, the response may include `all_attestations` array containing attestations from multiple backend servers. You filter by `signing_address` to find the one matching your signature. ### Verify the attestation Finally, verify this attestation using all the checks from [Verify Attestation](./verify-attestation): * Verify Intel TDX quote * Verify report data binds the signing address and nonce * Verify NVIDIA GPU attestation * Verify Docker compose manifest and mr\_config * Verify Sigstore build provenance When all checks pass, you've proven end-to-end that your AI response came from verified TEE hardware running verified software. ## Verify using Etherscan (optional) Want to double-check visually? Use [Etherscan's signature tool](https://etherscan.io/verifiedSignatures). Enter the `signing_address` from your attestation report, paste the `text` field from the signature response, and add the `signature` value. Click verify and Etherscan will confirm everything matches. This gives you an independent third-party verification that the signature is valid. ## Complete example For a full implementation that verifies both attestation and signatures, see the [signature verifier example](https://github.com/Phala-Network/private-ml-sdk/blob/main/vllm-proxy/verifiers/signature_verifier.py). This script demonstrates the complete flow: 1. Send chat completion request (streaming or non-streaming) 2. Fetch signature for the response 3. Verify request and response hashes match 4. Recover signing address from ECDSA signature 5. Fetch fresh attestation for that signing address 6. Verify full attestation (TDX quote, GPU, report data, compose manifest, Sigstore) You've now verified both the TEE environment (attestation) and individual AI responses (signatures). Your Confidential AI setup is fully verified and trustworthy.