Quickstart

Make your first Tresor API call in under a minute, with or without attestation pinning.

Prerequisites

  1. Create an account at tresor.co.
  2. Open the API Dashboard, create an API key, and copy it. Keys start with tr- and are only shown once.
  3. Export it for the rest of this page:
    export TRESOR_API_KEY="tr-live-..."
    

Direct API

Use the OpenAI-compatible HTTP endpoint directly. Works in any environment that can speak HTTP.

curl https://api.tresor.co/v1/chat/completions \
  -H "Authorization: Bearer $TRESOR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "global/redpill/gpt-oss-120b",
    "messages": [{"role": "user", "content": "Hello!"}],
    "stream": true
  }'

You should see the response stream back as Server-Sent Events. The final chunk includes a tresor.receipt_id you can use to fetch a signed receipt of the call.

Need to plug Tresor into a tool that only accepts an OpenAI-style base URL — like OpenCode, Cursor, OpenWork, or Continue? The direct API is what you want.

With tresor-attest

Wrap your client with the tresor-attest SDK. Every request is gated on a fresh hardware-attestation check; if the endpoint is not the audited binary inside an AMD SEV-SNP Confidential VM, the call refuses to send any payload.

# pip install tresorhq-attest openai
import httpx
from openai import OpenAI
from attest import AttestedTransport

client = OpenAI(
    base_url="https://api.tresor.co/v1",
    api_key="<your-api-key>",
    http_client=httpx.Client(transport=AttestedTransport()),
)

resp = client.chat.completions.create(
    model="global/redpill/gpt-oss-120b",
    messages=[{"role": "user", "content": "Hello!"}],
)
print(resp.choices[0].message.content)

If verification fails, the call raises a typed AttestationError (Python / TypeScript) or returns a sentinel error (Go) before any application data crosses the wire. There is no soft-fail mode.

For the full threat model and verifier algorithm, see Hardware attestation.

What just happened

  1. Your request authenticated against your API key.
  2. The router selected an upstream provider and forwarded the request to a Confidential VM.
  3. The CPU-encrypted enclave processed the prompt and streamed the response back over TLS.
  4. A signed receipt was issued so you can later prove which binary handled the request.

Next steps