The flow
Reserve
Your client reserves a serving node and receives that node’s public encryption key and its attestation info.
Verifying the enclave
Every reserved node is attestation-verified before it can serve. Inference responses are tagged with the serving node’s TEE type and signing identity, surfaced as an attestation badge (e.g. “🔒 Verified TEE · Apple Secure Enclave”) in the Playground. For programmatic use, the reservation includes the node’s attestation fields so you can check them yourself.
What this guarantees
- The operator can’t read your prompt — plaintext only exists inside the enclave.
- The platform can’t read it — the orchestrator only ever holds ciphertext, which is why no chat history is stored server-side.
- No in-transit exposure — the wire carries ciphertext only.
Good practices
- For sensitive workloads, confirm the attestation is verified before trusting a response.
- Keep any conversation history client-side (encrypted at rest if you persist it) — the network deliberately doesn’t store it for you.
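One way to apply the first practice in client code, as an added example that is not the platform's own code: fail closed unless the reservation's attestation is verified and the response's TEE type and signing identity match the reserved node. The field names, the allowlist and the sample data are assumptions, since the page does not give the reservation schema; the sketch compares the reported fields and does not itself validate an attestation document.

```python
import hmac

# Hypothetical client policy: TEE types this client is willing to trust.
ALLOWED_TEE_TYPES = {"Apple Secure Enclave"}


class AttestationError(Exception):
    """Raised when a reservation or response must not be trusted."""


def check_reservation(reservation):
    """Fail closed unless the reserved node is attested and usable.

    Field names ("attestation", "verified", "tee_type",
    "signing_identity", "public_key") are assumptions for this sketch.
    """
    att = reservation.get("attestation")
    if not isinstance(att, dict):
        raise AttestationError("reservation carries no attestation fields")
    if att.get("verified") is not True:  # rejects "true", 1, None, ...
        raise AttestationError("attestation is not verified")
    if att.get("tee_type") not in ALLOWED_TEE_TYPES:
        raise AttestationError("TEE type not allowed by client policy")
    if not att.get("signing_identity") or not reservation.get("public_key"):
        raise AttestationError("missing signing identity or public key")
    return att


def check_response(reservation, response):
    """Accept a response only if its tags match the node we reserved."""
    att = check_reservation(reservation)
    if response.get("tee_type") != att["tee_type"]:
        raise AttestationError("response TEE type differs from reservation")
    got = str(response.get("signing_identity", "")).encode()
    want = str(att["signing_identity"]).encode()
    if not hmac.compare_digest(got, want):
        raise AttestationError("response signed by a different identity")
    return True


# Constructed sample data, not real platform output.
SAMPLE_RESERVATION = {
    "public_key": "constructed-key",
    "attestation": {"verified": True, "tee_type": "Apple Secure Enclave",
                    "signing_identity": "node-A"},
}
SAMPLE_RESPONSE = {"tee_type": "Apple Secure Enclave",
                   "signing_identity": "node-A", "ciphertext": "..."}
```

Call `check_reservation` before encrypting a prompt to the node's key, and `check_response` before displaying or acting on the decrypted output.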
