How to verify confidential chat on TeeChat

TeeChat leads with data sovereignty — your chat history stays in folders you control, and we do not host a server-side archive. When you use chat.teechat.ai or our hosted API, encryption is always on — and this guide covers L3 verification (the verification step on our data sovereignty ladder): verify the engine in Settings before you send (desktop, web, or mobile).

This post explains what that verification means and how the pieces fit together.

The verifiable smart vault (analogy)

Hosted inference is hard to explain in one sentence. Start with an analogy (it is not a line-by-line map of every component):

Verifiable smart vault: open blueprints, physical vault, compare and verify

The one-minute mental model

Think of three zones:

Three-zone confidential chat mental model: your device, routing server, and AI engine

Verification is about proving the engine (and, when enabled, the platform server) matches published fingerprints before you hand it keys.

Step 1 — Open Settings on any client

Path: Settings → Inference → Hosted chat.

You need:

If encryption is unavailable, the panel tells you to rebuild — verification is the same experience everywhere once crypto loads.

Step 2 — Pick an engine and verify

  1. Choose an engine from the Engine dropdown (for example engine-prod-1 with the model it serves).
  2. Tap Verify attestation.

Settings: gateway platform attestation verified — Build 0.7.6, CPU TEE sev-snp, gateway hash, platform manifest link

The app contacts the gateway, checks published release fingerprints, and shows what passed. On production today you will typically see two layers. Do not confuse the gateway Build with Engine version — they are separate release trains (screenshot above shows Build 0.7.6 on the routing server; the engine panel below shows Engine version 0.6.23).

Gateway platform attestation (routing server)

The blue Gateway platform attestation verified block is about the routing server (Gateway + Skill Hub), not the GPU inference box. Key fields:

FieldWhat it means
GatewayRegistered gateway id (e.g. teechat-gateway).
BuildGateway / client release train pinned in our platform manifest (e.g. 0.7.6). This is the version of the routing server binary — not the inference engine.
PolicyCPU attestation policy id the gateway must satisfy.
CPU TEECPU confidential technology for the gateway VM — production uses sev-snp (AMD SEV-SNP). This is hardware-backed proof that the gateway binary runs inside a measured confidential VM, not plain cloud VPS.
GPU confidentialNot applicable on the gateway — it is a CPU-only role; GPU confidential compute applies on the inference engine (screenshot below).
Gateway binary (SHA-256)Cryptographic fingerprint of the gateway executable you are routing through. The client compares this hash to the active row in our published platform-binaries manifest (public JSON — paste in a browser or curl). A mismatch fails verification — you are not talking to the release we ship.
Platform manifestLink to the published hash allowlist (GET /v1/platform/binaries/manifest). The gateway is closed source — there is no public release tarball; trust comes from TEE attestation plus manifest hash match.

This layer protects platform integrity (sessions, engine registry, metering, engine-plane TLS) even though the gateway never unscrambles chat text.

Engine trust (inference server)

After platform checks, the client downloads the selected engine’s trust bundle and validates inference-side evidence. On success you get the green Engine trust verified panel:

Engine trust verified: epoch, Engine version 0.6.23, engine and vLLM hashes, AMD/NVIDIA signature verification, and public trust references

Production attestation surfaces three version numbers — keep them straight:

Version labelWhere you see itWhat it tracks
BuildGateway panel (above)Gateway + Skill Hub release train (e.g. 0.7.6).
Engine versionGreen engine panel (below)Inference engine release train — the OPE engine tarball we ship to TEE hosts (e.g. 0.6.23). Matched against the platform manifest allowlist in addition to the engine hash.
vLLM versionGreen engine panelvLLM runtime inside the TEE (e.g. 0.23.0+cpu), separate from both Build and Engine version.
FieldWhat it means
Epoch / ValidShort-lived encryption key window — send only while this window is active; re-verify when it expires.
PolicyEngine CPU attestation policy (e.g. teechat-cpu-tee-prod-v1).
CPU TEEEngine VM confidential CPU — sev-snp on our production metal.
GPU confidentialNVIDIA confidential compute on the inference GPU — nv-cc when CC mode and nvattest evidence are live.
Engine versionReported inference engine release train (e.g. 0.6.23 in the screenshot). Independent of gateway Build (0.7.6) and vLLM version (0.23.0+cpu). The client rejects attestation if this string does not match the active manifest row for the measured engine hash.
Engine hashSHA-256 of the OPE inference engine binary running inside the TEE. Matched against the platform manifest allowlist.
vLLM versionReported vLLM runtime version (e.g. 0.23.0+cpu), pinned in the platform manifest and bound in the engine TEE quote.
vLLM hashSHA-256 of the vLLM launcher measured inside the TEE (bin/vllm). Matched against the platform manifest allowlist.

Signature verification results

Below the hashes, Signature verification summarizes three independent checks:

  1. Signed by AMD (CPU TEE — SEV-SNP) — The engine’s CPU quote passed gateway policy and matches published manifest measurements (manifest-bound browser verify on production builds).
  2. Signed by NVIDIA (GPU confidential) — GPU evidence from nvattest + RIM verification on the gateway; you should see CC mode ON and architecture (e.g. Blackwell) when production GPU attestation is enabled.
  3. Engine ephemeral identity — Ed25519 signature over the current epoch keys used for OPE encryption. Proves the live key window is owned by the engine identity registered at boot.

Public trust references at the bottom link to AMD KDS and the NVIDIA RIM catalog for auditing hardware attestation collateral.

The client:

  1. Downloads the engine trust bundle (signed proof package from our API).
  2. Checks CPU secure-hardware evidence (production uses Intel TDX or AMD SEV-SNP class quotes; dev may use test policy).
  3. Validates engine and vLLM fingerprints (version + launcher hash) against the published platform-binaries manifest (gateway-hosted allowlist).
  4. Verifies short-lived encryption keys (signed identity over the current key window).

On success, the UI shows policy id, key window, engine version, engine hash, vLLM version, vLLM hash, and signature evidence. The app blocks send if you skip verification or the key window expires.

Platform verification (routing server + Skill Hub)

When platform verification is enabled for your build, Verify attestation also runs the gateway platform check described above (challenge to our API + manifest hash binding). That ties the gateway binary to the published manifest — separate from engine trust, but important for platform integrity.

Why the routing server runs in secure hardware even though it does not read chat

A common question: if the routing server never sees plain text, why put it in secure hardware?

Because the routing server still holds high-value platform state:

AssetRisk if tampered
Sign-in / session checksImpersonation, quota bypass
Engine registry & trust cacheRouting you to a malicious engine
MeteringBilling fraud
Engine connection secretsMan-in-the-middle on engine links

Production TeeChat places Gateway and Skill Hub in a CPU confidential VM so measurements are bound to known binaries — complementary to OPE, not a substitute for engine-side unscrambling.

Important nuance: Clients today cryptographically verify the inference engine before encrypting. Gateway secure hardware is a platform integrity control; users still rely on HTTPS + optional platform verify for the routing path. We document both layers honestly in our design notes.

What happens when you send a message

  1. App builds an OPE envelope to the engine’s current keys.
  2. POST to our chat API with a body that should look opaque under network capture.
  3. Routing server validates signature, replay rules, quota; forwards to the selected engine over a secure engine link.
  4. Engine unscrambles inside secure hardware, runs the model (GPU confidential mode in production target), locks response chunks.
  5. App unscrambles the stream with the session established at send time.

Multi-turn conversations stick to the same engine when possible for speed — affinity is a routing concern, still without plain-text access.

What verification does not claim

Checklist before you trust a session

Further reading

Verification is not a marketing checkbox — it is how we want confidential AI to work in public: encrypt by default, verify before trust, fail closed when evidence does not match.

Revision log

  1. Add verifiable smart-vault analogy; tie open blueprints to Settings verification steps.
  2. Refresh Settings screenshots; clarify gateway Build vs Engine version.

← All posts