Verify the attestation

Cryptographically prove that the API endpoint is the audited binary running inside an AMD SEV-SNP enclave.

When you call https://api.tresor.co, the TLS chain proves only that you reached a server controlled by Tresor. It does not prove that the binary serving your request is the audited Tresor router running inside a Confidential VM. This guide shows three ways to add that extra check.

For the threat model, full algorithm, and trust diagram, see Concepts → Attestation.

Drop in a verifying HTTP transport so your existing client refuses to send any payload to an unattested endpoint.

import httpx
from openai import OpenAI
from attest import AttestedTransport

client = OpenAI(
    api_key="YOUR_API_KEY",
    base_url="https://api.tresor.co/v1",
    http_client=httpx.Client(transport=AttestedTransport()),
)

If pinning fails, the call raises a typed AttestationError (MeasurementNotAllowedError, IdentityTagNotAllowedError, TCBBelowFloorError, ReportDataMismatchError, SPKIMismatchError, BundleSignatureInvalid, …) before any application data crosses the wire. There is no soft-fail mode.

The pinned release-root public key ships with each SDK release. Override it via AttestedTransport(release_root_pubkey=...) (or the equivalent option in TS/Go) to pin a different key, for example for a private deployment.

→ Full SDK reference: tresor-attest

Option 2 — tresor-verify CLI (CI / one-shot audits)

Pin without taking on a runtime dependency:

go install github.com/tresorhq/zero/receipts/cmd/tresor-verify@latest

tresor-verify attest \
    --url https://api.tresor.co \
    --release-root ./release-root.pub
PASS
TLS SPKI SHA-256:      9b8c…
SNP MEASUREMENT:       0e3b…
Workload identity tag: a1b2…
Trust bundle version:  17 (valid until 2026-05-01T00:00:00Z)

Pass --json for machine-readable output. Compare against a previously recorded pin to detect rotation.

Option 3 — Manual recipe (curl + your crypto library)

For audits or unsupported stacks:

curl -s https://api.tresor.co/attestation | jq
curl -s https://trust.tresor.co/api/router.json   # JWS compact form

Then run the verifier algorithm with the crypto library of your choice.

Operational notes

  • Bundle freshness. The trust bundle has a valid_until (typically 90 days). Refetch at least daily.
  • Caching. The attestation envelope is small (≈ 2 KB). Honour max_age_seconds and re-fetch only on certificate change or cache expiry.
  • Release-root rotation. Rotation requires re-pinning by every client. Tresor announces rotations at least 30 days in advance.
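
The freshness and caching rules above, written as a refresh decision that fails closed. This is an added example, not code from the Tresor SDK: the cache record shapes and the names plan, Plan, CachedEnvelope and CachedBundle are assumptions, and only valid_until and max_age_seconds come from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

BUNDLE_REFETCH = timedelta(days=1)  # "Refetch at least daily"

def parse_utc(ts: str) -> datetime:
    """Parse a UTC timestamp such as 2026-05-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

@dataclass
class CachedEnvelope:          # hypothetical cache record
    fetched_at: datetime       # when the envelope was fetched and verified
    max_age_seconds: int       # taken from the envelope
    spki_sha256: str           # TLS SPKI hash the envelope was verified against

@dataclass
class CachedBundle:            # hypothetical cache record
    fetched_at: datetime
    valid_until: datetime      # taken from the trust bundle

class Plan(NamedTuple):
    refetch_envelope: bool
    refetch_bundle: bool
    may_send: bool             # False means verify again before sending anything

def plan(now: datetime, env: Optional[CachedEnvelope],
         bundle: Optional[CachedBundle], live_spki_sha256: str) -> Plan:
    bundle_expired = bundle is None or now >= bundle.valid_until
    # A fetch time in the future means the clock moved; treat the cache as stale.
    refetch_bundle = (bundle_expired or now < bundle.fetched_at
                      or now - bundle.fetched_at >= BUNDLE_REFETCH)
    env_stale = (
        env is None
        or now < env.fetched_at
        or now >= env.fetched_at + timedelta(seconds=env.max_age_seconds)
        or env.spki_sha256.lower() != live_spki_sha256.lower()  # certificate change
    )
    # Fail closed: an expired bundle or a stale envelope blocks traffic until
    # a fresh fetch has been verified. A bundle that is only due for its
    # daily refetch stays usable while the refetch runs.
    return Plan(env_stale, refetch_bundle, not bundle_expired and not env_stale)
```

Call plan() before each request with the SPKI hash of the live connection, and send only when may_send is true.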
