When you call https://api.tresor.co, the certificate-authority chain proves only that you reached a server controlled by Tresor — it does not prove that the binary serving your request is the audited router running inside a Confidential VM. An attacker (or an insider) with TLS-termination access could intercept traffic without breaking any conventional check.
Tresor publishes a hardware attestation envelope on every router pod. Combined with a trust bundle signed by an offline release-root key, this lets your client refuse to send traffic to anything that isn't a release you've explicitly trusted.
This page explains the trust model and verifier algorithm. To put it into practice, see Verify the attestation.
Release ceremony (offline)
│
▼
Release Root Key (Ed25519) ←── pinned by your client
│ signs
▼
Trust bundle JWS (https://trust.tresor.co/api/router.json)
│ lists
▼
{ allowed_hw_measurements, allowed_workload_identity_tags, min_tcb }
│ matches
▼
GET https://api.tresor.co/attestation
│ contains
▼
AMD SEV-SNP report → MEASUREMENT, REPORTED_TCB, REPORT_DATA
│ binds
▼
tls_spki_sha256 ⇄ live TLS handshake SPKI
Three things have to line up: the SNP MEASUREMENT must be in the allowlist, the workload identity tag must be in the allowlist, and the live TLS public key must match the one bound inside the SNP report.
For each new connection (or once per max_age_seconds):

1. GET /attestation from the API endpoint.
2. Fetch trust_bundle_url and verify its EdDSA JWS signature with your pinned release root public key. Reject if valid_until is in the past.
3. Decode snp_report_b64 and extract MEASUREMENT, REPORTED_TCB, and REPORT_DATA. Verify the VCEK chain against the AMD root CA in the bundle.
4. Check MEASUREMENT ∈ allowed_hw_measurements and workload_identity_tag ∈ allowed_workload_identity_tags.
5. Check REPORTED_TCB ≥ min_tcb.
6. Check REPORT_DATA[0:32] == SHA-256( hex_decode(tls_spki_sha256) || hex_decode(workload_identity_tag) ).
7. Check that the SHA-256 of the SPKI presented in the live TLS handshake equals tls_spki_sha256.
8. If all checks pass, cache the verified (tls_spki_sha256, MEASUREMENT, workload_identity_tag) tuple and use it as a TLS pin until the cache expires.
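The following is an added reference implementation of steps 2 to 8, written for this page; it is not the tresor-attest SDK and not Tresor's code. It parses MEASUREMENT, REPORT_DATA and REPORTED_TCB at the offsets of the AMD SEV-SNP ATTESTATION_REPORT layout, applies the allowlist, TCB-floor, REPORT_DATA binding and live-SPKI checks, and stores the pin tuple with its expiry. Assumptions: valid_until is epoch seconds, min_tcb is a per-component dictionary compared componentwise, the bundle's AMD root CA lives under a key named amd_root_ca, and the EdDSA JWS and VCEK chain verifications are supplied as callables (bundle_sig_ok, vcek_chain_ok) because they need a real Ed25519/X.509 library; the sample envelope and bundle are constructed, not real Tresor values.

```python
import base64
import hashlib
import hmac

# Field offsets from the AMD SEV-SNP ATTESTATION_REPORT structure (SEV-SNP ABI spec).
REPORT_DATA_OFF, REPORT_DATA_LEN = 0x50, 64
MEASUREMENT_OFF, MEASUREMENT_LEN = 0x90, 48
REPORTED_TCB_OFF = 0x180
REPORT_LEN = 0x4A0


class AttestationError(Exception):
    """Raised when any verifier step rejects the endpoint."""


def parse_tcb(raw8: bytes) -> dict:
    """TCB_VERSION is a little-endian u64: byte 0 bootloader, byte 1 tee, byte 6 snp, byte 7 microcode."""
    return {"bootloader": raw8[0], "tee": raw8[1], "snp": raw8[6], "microcode": raw8[7]}


def tcb_at_least(reported: dict, minimum: dict) -> bool:
    # Assumption: "REPORTED_TCB >= min_tcb" means every component is at or above the floor.
    return all(reported[k] >= minimum[k] for k in minimum)


def parse_snp_report(report: bytes) -> dict:
    if len(report) != REPORT_LEN:
        raise AttestationError("unexpected SNP report length")
    return {
        "measurement": report[MEASUREMENT_OFF:MEASUREMENT_OFF + MEASUREMENT_LEN].hex(),
        "report_data": report[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_LEN],
        "reported_tcb": parse_tcb(report[REPORTED_TCB_OFF:REPORTED_TCB_OFF + 8]),
    }


def expected_report_data(tls_spki_sha256: str, workload_identity_tag: str) -> bytes:
    """SHA-256( hex_decode(tls_spki_sha256) || hex_decode(workload_identity_tag) )."""
    return hashlib.sha256(bytes.fromhex(tls_spki_sha256) + bytes.fromhex(workload_identity_tag)).digest()


def verify_endpoint(envelope, bundle, live_spki_der, *, now, bundle_sig_ok, vcek_chain_ok, cache):
    """Steps 2-8 on an already-fetched envelope; returns the pin tuple and stores it in cache.
    bundle_sig_ok(bundle) and vcek_chain_ok(report_bytes, amd_root_ca) stand in for the EdDSA JWS
    check against the pinned release root key and the VCEK chain check (placeholders, not implemented)."""
    if not bundle_sig_ok(bundle):
        raise AttestationError("trust bundle signature invalid")
    if bundle["valid_until"] <= now:
        raise AttestationError("trust bundle expired")
    report_bytes = base64.b64decode(envelope["snp_report_b64"])
    if not vcek_chain_ok(report_bytes, bundle["amd_root_ca"]):
        raise AttestationError("VCEK chain / report signature invalid")
    report = parse_snp_report(report_bytes)
    tag = envelope["workload_identity_tag"]
    if report["measurement"] not in bundle["allowed_hw_measurements"]:
        raise AttestationError("MEASUREMENT not in allowlist")
    if tag not in bundle["allowed_workload_identity_tags"]:
        raise AttestationError("workload identity tag not in allowlist")
    if not tcb_at_least(report["reported_tcb"], bundle["min_tcb"]):
        raise AttestationError("REPORTED_TCB below min_tcb")
    spki_hex = envelope["tls_spki_sha256"]
    if not hmac.compare_digest(report["report_data"][:32], expected_report_data(spki_hex, tag)):
        raise AttestationError("REPORT_DATA does not bind the advertised SPKI and identity tag")
    if hashlib.sha256(live_spki_der).hexdigest() != spki_hex:
        raise AttestationError("live TLS SPKI does not match the attested SPKI")
    pin = (spki_hex, report["measurement"], tag)
    cache["pin"] = pin
    cache["expires_at"] = now + envelope["max_age_seconds"]
    return pin


def build_sample():
    """Constructed envelope, bundle and live SPKI (sample values, not real Tresor data)."""
    spki_der = b"constructed-spki-der"
    spki_hex = hashlib.sha256(spki_der).hexdigest()
    tag, measurement = "11" * 32, "aa" * 48
    report = bytearray(REPORT_LEN)
    report[REPORT_DATA_OFF:REPORT_DATA_OFF + 32] = expected_report_data(spki_hex, tag)
    report[MEASUREMENT_OFF:MEASUREMENT_OFF + MEASUREMENT_LEN] = bytes.fromhex(measurement)
    report[REPORTED_TCB_OFF:REPORTED_TCB_OFF + 8] = bytes([3, 0, 0, 0, 0, 0, 8, 209])
    envelope = {"snp_report_b64": base64.b64encode(bytes(report)).decode(),
                "tls_spki_sha256": spki_hex, "workload_identity_tag": tag, "max_age_seconds": 3600}
    bundle = {"allowed_hw_measurements": [measurement], "allowed_workload_identity_tags": [tag],
              "min_tcb": {"bootloader": 3, "tee": 0, "snp": 8, "microcode": 200},
              "valid_until": 2_000_000_000, "amd_root_ca": "<placeholder AMD root CA>"}
    return envelope, bundle, spki_der


if __name__ == "__main__":
    env, bundle, spki = build_sample()
    cache = {}
    print(verify_endpoint(env, bundle, spki, now=1_700_000_000, bundle_sig_ok=lambda b: True,
                          vcek_chain_ok=lambda r, ca: True, cache=cache))
```

The order of the checks matters in practice: the bundle signature and expiry are confirmed before any allowlist it contains is consulted, and the REPORT_DATA binding is checked before the live SPKI comparison, so a forged envelope that merely advertises the handshake key is rejected by the hardware report rather than by the pin.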
The trust bundle carries a valid_until (typically 90 days). Tresor re-signs it whenever a new measurement, identity tag, or TCB floor enters the allowlist. Between runs of the checks, a verified pin is reused for max_age_seconds.

See also:
GET /attestation reference — envelope shape
tresor-attest SDK — Python / Node / Go verifier libraries
attested-api-pinning.md