Skip to main content
Deploy a Jupyter notebook to Phala Cloud and run code inside a TEE in under 10 minutes. You’ll use the CLI to deploy, then test key derivation and remote attestation from inside the secure environment.

Prerequisites

Install the CLI

Install the Phala Cloud CLI globally: 
npm install -g phala
Or use npx phala / bunx phala to run commands without installing.

Authenticate

The CLI supports device flow authentication—run the login command and follow the browser prompt: 
phala login

⟳ Starting device flow authentication... ✓
ℹ Opening browser to complete authentication...
✓ Authentication successful!
  Logged in as: yourname
  Workspace: yourname's projects
Alternatively, generate an API key manually from the dashboard by clicking your username → API TokensCreate Token, then authenticate with: 
phala login --manual
Verify your authentication: 
phala status

Deploy a Jupyter Notebook

Create a docker-compose.yml file: 
services:
  jupyter:
    image: quay.io/jupyter/base-notebook
    ports:
      - 8080:8888
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock
    environment:
      - GRANT_SUDO=yes
    user: root
    command: "start-notebook.sh --NotebookApp.token=${TOKEN}"
The dstack.sock volume mount enables your code to communicate with the TEE environment. Deploy with a name and access token: 
phala deploy -c docker-compose.yml -n jupyter-notebook -e TOKEN=my-secret-token

{
  "success": true,
  "vm_uuid": "425f4f38-5c48-40c3-8a9c-1be22caba517",
  "name": "jupyter-notebook",
  "app_id": "d8d6db935df75104a825fb96b6bbbcfc8d1753ca",
  "dashboard_url": "https://cloud.phala.network/dashboard/cvms/..."
}

Access Your Notebook

Check deployment status: 
phala cvms get jupyter-notebook
Once the status shows running, get the public URL: 
phala cvms get jupyter-notebook --json | jq -r '.public_urls[0].app'

https://d8d6db935df75104a825fb96b6bbbcfc8d1753ca-8080.dstack-pha-prod3.phala.network
Open this URL in your browser. You’ll see a login page with a “Password or token” field—enter the token you set during deployment (my-secret-token in this example) and click Log in. View container logs if needed: 
phala cvms logs jupyter-notebook

Test TEE Functions

Once logged in, click Python 3 (ipykernel) under “Notebook” to create a new notebook. In the first cell, install the dstack SDK: 
!pip install dstack-sdk
Run the cell with Shift+Enter. In a new cell, test TEE-native capabilities: 
from dstack_sdk import DstackClient
import hashlib

client = DstackClient()

# Get TEE environment info
info = client.info()
print(f"App ID: {info.app_id}")
print(f"MRTD: {info.tcb_info.mrtd}")

# Derive a deterministic key
key_result = client.get_key("my-app/encryption/v1")
key_bytes = key_result.decode_key()  # 32 bytes
print(f"Derived key (hex): {key_result.key[:32]}...")

# Generate a TDX attestation quote
data = b"data-to-attest"
hash_value = hashlib.sha256(data).digest()
quote_result = client.get_quote(hash_value[:32])
print(f"Quote: {quote_result.quote[:64]}...")
Generate blockchain wallet addresses using TEE-derived keys. In a new cell, install the additional dependencies: 
!pip install "dstack-sdk[all]"
Then in another cell: 
from dstack_sdk import DstackClient, ethereum, solana

client = DstackClient()

# Derive Ethereum account
eth_key = client.get_key("ethereum/main")
eth_account = ethereum.to_account(eth_key)
print(f"ETH Address: {eth_account.address}")

# Derive Solana keypair
sol_key = client.get_key("solana/main")
sol_keypair = solana.to_keypair(sol_key)
print(f"SOL Address: {sol_keypair.pubkey()}")

Clean Up

When you’re done experimenting, delete the CVM to stop billing: 
phala cvms delete jupyter-notebook
Other useful commands: phala cvms stop to pause without deleting, phala cvms start to resume, and phala cvms attestation to view the TEE attestation report.

Next Steps