When you call https://api.tresor.co, the TLS chain proves only that you reached a server controlled by Tresor. It does not prove that the binary serving your request is the audited Tresor router running inside a Confidential VM. This guide shows three ways to add that extra check.
For the threat model, full algorithm, and trust diagram, see Concepts → Attestation.
tresor-attest SDK (recommended)Drop in a verifying HTTP transport so your existing client refuses to send any payload to an unattested endpoint.
import httpx
from openai import OpenAI
from attest import AttestedTransport
client = OpenAI(
api_key="YOUR_API_KEY",
base_url="https://api.tresor.co/v1",
http_client=httpx.Client(transport=AttestedTransport()),
)
import { createAttestedFetch } from "@tresorhq/attest";
const attestedFetch = createAttestedFetch();
const resp = await attestedFetch("https://api.tresor.co/v1/models", {
headers: { Authorization: "Bearer YOUR_API_KEY" },
});
import "github.com/tresorhq/attest/go/attest"
// See the package README for the full Inputs / VerifiedTuple shapes.
result, err := attest.Verify(ctx, attest.Inputs{
AttestationJSON: envelope,
TrustBundleJWS: bundle,
ReleaseRoot: releaseRoot,
TLSSPKISHA256: spkiHash,
})
If pinning fails, the call raises a typed AttestationError (MeasurementNotAllowedError, IdentityTagNotAllowedError, TCBBelowFloorError, ReportDataMismatchError, SPKIMismatchError, BundleSignatureInvalid, …) before any application data crosses the wire. There is no soft-fail mode.
The pinned release-root public key ships with each SDK release. Override it via AttestedTransport(release_root_pubkey=...) (or the equivalent option in TS/Go) to pin a different key — for example a private deployment.
→ Full SDK reference: tresor-attest
tresor-verify CLI (CI / one-shot audits)Pin without taking on a runtime dependency:
go install github.com/tresorhq/zero/receipts/cmd/tresor-verify@latest
tresor-verify attest \
--url https://api.tresor.co \
--release-root ./release-root.pub
PASS
TLS SPKI SHA-256: 9b8c…
SNP MEASUREMENT: 0e3b…
Workload identity tag: a1b2…
Trust bundle version: 17 (valid until 2026-05-01T00:00:00Z)
Pass --json for machine-readable output. Compare against a previously recorded pin to detect rotation.
For audits or non-supported stacks:
curl -s https://api.tresor.co/attestation | jq
curl -s https://trust.tresor.co/api/router.json # JWS compact form
Then run the verifier algorithm with the crypto library of your choice.
valid_until (typically 90 days). Refetch at least daily.max_age_seconds and re-fetch only on certificate change or cache expiry.