Private AI-agents

AI-agents hebben privacy het hardst nodig.

Agents beheren je sleutels, je tokens, je inbox en je wallet — en handelen namens jou. Draai ze in een geattesteerde CVM waar de compose-hash de scope is en elke actie wordt ondertekend.

Lees agent-docs Praat met experts

Confidential agents, in production.

Personal, coding, security, financial, social, memory, MCP — pick a category, then drill into a specific framework to see how Phala slots into the runtime.

9:41▮▮ 5G ▰

‹

OpenClaw

bot

⌕

＋

Write a message...

◉

Visit Clawdi

Personal computer-use agent. Sessions, calendars, and inbox sealed in a CVM whose compose-hash IS the permission scope.

Agents · live on Phala Cloud.

Verified counts from Phala Cloud + ClickHouse. Compose-hashes are observed in the Cloud DB; trust-by-construction primitives sit in an attested CVM.

Agent CVMs deployed

12,783

cumulative · all frameworks

Compute hours

16.9M

fleet-wide · since Feb 2025

TDX quotes verified

1.10M

KMS attestation

Compose-hashes observed

2,591

distinct agent builds

Total CVMs deployed by framework

cumulative · since first deploy

1,585

1,545

604

279

168

Eliza

character agents

7 live · since 2024-12

Clawdi

OpenClaw

193 live · since 2026-01

BlueNexus

MCP servers

5 live · since 2025-10

Vijil

verifiable CI

since 2025-04

Agent Wallet

x402 · ERC-8004

1 live · since 2025-05

Hermes

Nous Research

7 live · since 2025-01

TDX nodes

GPU TEE teepods

8 · 64 GPUs

Regions

KMS instances

Failed quotes / 24h

1 / 35

Draai elk agentframework. Afdicht door ontwerp.

Coding agents

Claude Code, Codex, and verifiable CI agents like Vijil run in a CVM where the repo, secrets, and tool tokens stay sealed against the registered compose-hash. Every diff signed before merge.

CODING

marvin@Mac ~/ai-agent % claude code

Claude Code

sealed CVM

· [marvin@Mac] % claude

✓ scope: github.write

› refactor agents/...

⏺ sealed-token: github.pat ✓

✓ Sign-RPC 0x9c1a…

COMPUTER-USE

OpenClawbot

Triage today's inbox — Stanford threads.

tool · gmail.search

3 threads · 11 messages

sealed-token gmail.compose ✓

Computer-use agents

OpenClaw, Hermes, and Pi take over the browser, GUI, and OS — bounded by an attested compose-hash and KMS-gated credentials. Sessions, calendars, inbox stay sealed in the CVM.

Tool- en geheugenagents

MCP servers (BlueNexus) attest to clients before they accept a connection — mutual RA-TLS. Long-term memory backends (Xtrace) seal shards per app-id; revoking the build evicts memory cleanly.

MCP · MEMORY

BlueNexus MCP

$ mcp connect mcp.bluenexus.ai▸ verifying TDX quote✓ mutual RA-TLS bound• search.web (sealed)• vault.unlock (multi-sig)

WALLET · SECURITY

Agent Walletx402

payment request

$24.00 USDC

api.confidential-llm.ai

scope≤ $50/daymulti-sig2/2 ✓

Wallet & on-chain agents

Agent Wallet (ERC-8004 + Coinbase x402) and Ironclaw (NEAR security) bind spending scope to the compose-hash. Multi-sig DstackApp gates every signing key; revoke compose-hash → kill access.

permission as identity · scope as compose-hash

Permission is identity. Identity is the compose-hash.

On dstack, an agent’s tool list and credential scope can’t drift from what its build authorizes — there’s no runtime path that widens privilege.

Attested launch

dstack-vmm boots the agent CVM. The TDX quote covers the full compose-hash — including system prompt, model digest, and tool list (all in the docker-compose).

Sealed credentials

User previously sealed OAuth tokens against this exact compose-hash. dstack-kms releases the wrap key only after the quote matches. No host process ever sees plaintext.

Mutual RA-TLS

When Agent A delegates to Agent B, each cert embeds a fresh TDX quote. Both sides run dcap-qvl on the peer and check DstackApp.sol for the allowed-delegates whitelist.

Bounded outbound

External tool (Gmail, Stripe, etc.) is outside the trust boundary. The OAuth token leaves only inside the outbound TLS handshake, scope upper-bounded by compose-hash.

Signed action log

Every tool call is appended inside the CVM and signed via Sign RPC. Tamper breaks the chain. Auditors verify without trusting Phala or the operator.

Hoe het werkt

Loop stap voor stap door een multi-agent pipeline.

Schakel dstack uit om te zien dat credentials en tool-scope afdrijven.

Vertrouwelijke AI-agents op dstack

Agentcomputer in een CVM · sandboxes per subagent · verzegelde vault · scoped outbound channel

actieve edgeinactiefnieuw in stap

stap 1 of 5 · scroll-aware

Stap 1 / 5

Geattesteerde opstart — TDX-quote verifieert de hele computer

dstack-vmm boot de agent-runtime als één TDX CVM. dstack-guest-agent geeft een gecombineerde TDX-quote uit die MRTD + RTMR0–3 + GPU Confidential mode dekt. De gebruiker haalt de quote op via RA-TLS en draait dcap-qvl lokaal — de vertrouwensbeslissing ligt aan clientzijde, verankerd in Intel's TDX-hardware-root en DstackKms.sol on-chain. Phala Network hoeft zichzelf niet te attesteren.

With dstack: De trust root is de TDX-hardwarehandtekening van Intel, verankerd on-chain — elke client kan verifiëren zonder Phala of de cloudoperator te vertrouwen.

live · Sign-RPC action log

Every tool call leaves a tamper-evident receipt.

Each row is a real-shaped Sign-RPC entry: agent identity, tool, args hash, and a per-app key signature that chains to the TDX root. Auditors verify the log offline — Phala isn't in the trust chain.

action.log · streaming

tamper detected · 0

tsagenttoolargssignatureverify

14:00:01support-bot-v3.2crm.readlookup(account=acme)0x9c1a…f7e2✓

14:00:03inbox-triagegmail.readlist(after=09:00)0x4f2c…a91e✓

14:00:04support-bot-v3.2stripe.readcharge(id=ch_3O…)0xc3d4…f7e2✓

14:00:08cal-botcalendar.readfree(2026-05-05, 30m)0xa1b2…d4f6✓

14:00:11pnl-monitorwallet.readbalance(addr=0xab…)0xe5f6…b8c0✓

14:00:14inbox-triagegmail.composedraft(thread=18b4…)0x7d8e…2f1a✓

14:00:18research-botweb.search"phala dstack v0.6"0x6e9f…c3d4✓

14:00:21devops-botgithub.writepr.merge(123)0xb1a2…f0e7✓

14:00:24support-bot-v3.2zendesk.writeticket.reply(8421)0x3d4e…7a8b✓

14:00:27cal-botcalendar.writecreate(slot=15:00)0x8c9d…e1f2✓

14:00:31pnl-monitorwebhook.sendalert(threshold=2.5%)0xf2e3…d4c5✓

14:00:35devops-botsentry.readerrors(env=prod)0x5b6c…7d8e✓

14:00:39inbox-triagegmail.readlist(label=INBOX)0xa9b8…c7d6✓

14:00:43research-botdoc.writeappend(notes.md)0x4e5f…6a7b✓

14:00:47awaiting next call————

chain · per-app key → KMS root → TDX root + DstackApp.sol14 rows · all verified offline

AI-oplossingspaden

Gebruik privé-modellen waar AI met geheimen werkt.

Het endpoint voor het privé-model is het eerste toegangspunt. Hetzelfde privacy-gebouwblok breidt zich uit naar agents, datastromen en training.

LLM API

Private AI-inference

Bied OpenAI-compatibele modelaanroepen aan waarbij prompts, outputs en klantcontext versleutelde-bij-gebruik bescherming nodig hebben.

Open oplossing

encrypted

DeepSeek V3.1

128K

$0.27/M input

encrypted

Qwen3 Coder

256K

$0.40/M input

encrypted

Llama 3.3 70B

128K

$0.15/M input

encrypted

GPT OSS 120B

128K

$0.10/M input

encrypted

Claude Sonnet 4.5

200K

$3.00/M input

encrypted

Gemini 2.5 Pro

$1.25/M input

Training

Privémodeltraining

Pas modellen aan op propriëtaire data terwijl datasets, gradients, checkpoints en evaluatietraces binnen de grens blijven.

Open oplossing

private training run

Observe without exposing weights.

H100 CC

dataset

sealed

fine-tune

running

eval

private

checkpoint

verified

loss curve

proof attached

attestation.json

Data

Privé AI-data

Verplaats modellen naar gevoelige records en geef goedgekeurde outputs terug zonder ruwe data bloot te stellen aan de modeloperator.

Open oplossing

source

EHR data

source

Customer records

source

Internal docs

TEE clean room

query without raw access

approved output

aggregate only

no row exportproof linked

Deploy a confidential agent

Toestemming als identiteit. Scope als compose-hash.

Ship de agent als een docker-compose. Registreer de compose-hash. Seal de OAuth-tokens. Elke cross-agent call verifieert de peer opnieuw via RA-TLS.

View docs Neem contact op met sales

01Mutual RA-TLS between agent CVMs
02Sealed OAuth tokens, KMS-gated
03Compose-hash IS the scope
04Outbound tools bounded by attested code
05Sign-RPC action log

Private uitvoering. Verifieerbare resultaten.

Nieuwsbrief