We just shipped the NEAR Shade Agent template on Phala Cloud—a fast path to run verifiable NEAR agents and oracles inside a TEE, starting on testnet. It includes an ETH price-oracle example, REST endpoints, and a clean migration path to mainnet. (phala.com)
Why this matters
Shade Agents aim to make agents verifiable and decentralized across chains—useful for oracles, automation, and account control. Pairing that model with Trusted Execution Environments (TEEs) lets you keep keys protected while producing hardware-backed proofs (attestation) that your code is the one actually running. (docs.near.org, docs.phala.network)
Phala Cloud, powered by Dstack, gives you a managed way to deploy containerized apps into TEEs with remote attestation—no bespoke infrastructure required. (GitHub)
What you can build with it
- Price/data oracles (ships with an ETH price-oracle scaffold).
- dApp automations where TEE-held keys and verifiable execution matter.
- Custom agents that extend the REST API and frontend included in the template. (https://phala.com)
Guided quickstart (testnet-first, high level)
We’ll target NEAR testnet for the walkthrough. You can later flip a few fields (RPC/provider, contract IDs, funding) for mainnet.
Prerequisites
- NEAR testnet account (via
near-cli), Phala Cloud account & API key. - Optional: Docker for local dev. (cloud.phala.network)
Path A — Deploy on Phala Cloud (recommended)
- Open the NEAR Shade Agent template and click Deploy.
- In the dashboard, set env vars like
NEAR_ACCOUNT_ID,NEAR_SEED_PHRASE,NEXT_PUBLIC_contractId, andPHALA_API_KEY. - Deploy; when green, open your app URL to reach the agent. (cloud.phala.network)
Path B — Local development
- Clone the repo branch referenced on the template page.
- Copy
.env.development.local.example→.env.development.localand edit values. npm install→npm run dev→ visithttps://localhost:3000. (cloud.phala.network)
Tip: If you point the included frontend to a Phala deployment, change the public API base URL in your config (see NEAR quickstart notes on switching the API_URL). (docs.near.org)
Configure for testnet now, mainnet later
- Contract ID convention (set via
NEXT_PUBLIC_contractId):- Local dev:
ac-proxy.[NEAR_ACCOUNT_ID] - Phala Cloud (TEE):
ac-sandbox.[NEAR_ACCOUNT_ID](cloud.phala.network)
- Local dev:
- When moving to mainnet: flip NEAR RPC/provider + any chain addresses; ensure funding, monitoring, and your security checks are in place first. (docs.near.org)
How it’s wired (high-level architecture)
The template runs a Shade Agent API and minimal frontend inside a Phala Cloud TEE. A local TEE socket (from Dstack) exposes enclave services (e.g., attestation, key ops) to the app. The agent talks to NEAR testnet, and an optional ETH price-oracle loop can be enabled. (cloud.phala.network)
Try it: ping the agent (no deep code)
Once deployed (locally or o Phala), basic endpoints are available:
Agent account (public):
curl -s https://<your-app>.phala.run/api/agent/account
ETH account (auth):
curl -H "Authorization: Bearer <TOKEN>" https://<your-app>.phala.run/api/eth/account
Send a transaction (auth):
curl -X POST \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '{"to":"0x...","value":"0.1","gasLimit":21000,"data":"0x"}' \
https://<your-app>.phala.run/api/eth/send
Endpoint paths and example responses are listed on the template page. (cloud.phala.network)
[Screenshot placeholder — JSON from /api/agent/account]
Security & privacy — TEE vs. “just a server” (quick compare)
| Concern | TEE-hosted agent (Phala Cloud) | Traditional server |
| Key handling | Keys generated/kept inside the enclave; never exposed in plaintext on the host | Keys typically on disk or in process memory |
| Verifiability | Remote attestation proves code + environment (TDX), so partners can verify what runs | No built-in runtime integrity proof |
| Data-in-use privacy | Requests/responses processed in a protected memory region | Host OS/cloud admins can observe processes |
| Blast radius | Attacker must bypass enclave/attestation | Full process compromise leaks keys & secrets |
| Ops trade-offs | Enclave limits, provider choices, attestation plumbing | Familiar ops, weaker security model |
Phala Cloud documents Intel TDX attestation and the key fields verifiers should check—measurement (code hash), TCB, configuration. Dstack exposes enclave features to apps via a local socket. (docs.phala.network, GitHub)
Note: Keep the template’s REST endpoints behind auth where appropriate; rotate tokens; prefer provider keys per environment. (cloud.phala.network)
Important cautions (read before mainnet)
- ⚠️ Audit status: The template explicitly notes no formal security audit yet—do your own due diligence before production. (cloud.phala.network)
- Secrets hygiene: Do not commit seed phrases or private keys; use env vars; rotate credentials. (cloud.phala.network)
- Observability: Turn on logs/alerts; monitor for failed attestations or unusual behavior. (cloud.phala.network)
Security checklist (starter):
- Validate attestation at startup or CI and expose a simple
/healthz/attestationfor integrators. (docs.phala.network) - Use dedicated RPC providers and restrict rates for write endpoints.
- Scope tokens to least privilege; plan key rotation and incident response.
Extending the template
- Swap the sample oracle for your own data source or strategy.
- Add API endpoints and wire NEAR methods or off-chain tasks.
- Point the frontend at your Phala URL by updating its
API_URL. (docs.near.org)
For broader context, NEAR’s docs cover agent concepts, local dev, and TEE deployment paths that map closely to this template. (docs.near.org)
[Screenshot placeholder — tiny diff in frontend config.js showing API URL change]
FAQ
Which networks are supported?
Start on NEAR testnet in this guide. For mainnet, flip NEAR RPC/provider and any contract/account IDs; ensure funding and monitoring are in place. (docs.near.org)
How do I prove it’s running in a TEE?
Use Phala Cloud / Intel TDX attestation—produce a report and let integrators verify your measurement and TCB. (docs.phala.network)
What role does Dstack play?
Dstack is the SDK under Phala Cloud that simplifies deploying containerized apps into TEEs and exposing enclave features via a local socket. (GitHub)
Call to action
- Build a more meaningful Shade Agent—extend the template and share what you ship.
- Star Dstack (the open SDK under Phala Cloud):
Dstack-TEE/dstack. (GitHub) - Explore the NEAR Shade Agent template and docs to go deeper. (cloud.phala.network, docs.near.org)
References
- Template page: NEAR Shade Agent Template (features, env vars, endpoints, cautions). (cloud.phala.network)
- NEAR docs: Shade Agents introduction & quickstart (frontend
API_URL, local vs TEE). (docs.near.org) - Phala docs: Attestation overview (Intel TDX). (docs.phala.network)
- Dstack repo: Overview & features. (GitHub)
