Private Inference

Inference without exposing the prompt.

OpenAI-compatible. Signed receipts. By construction, no logs.

your thoughts stay yours

Private LLM catalog

Frontier models with private runtime.

OpenAI-compatible models with hardware-backed privacy and verification. Keep your SDK flow, change the endpoint, and copy the real call when you need it.

  • Qwen: Qwen3.5-122B-A10B · 262K context · $0.46/M input · encrypted
  • Qwen: Qwen3 32B · 41K context · $0.12/M input · encrypted
  • Google: Gemma 4 31B · 262K context · $0.15/M input · encrypted
  • Qwen: Qwen3.6 35B A3B · 262K context · $0.20/M input · encrypted
  • DeepSeek: DeepSeek V4 Pro · 800K context · $1.50/M input · encrypted
  • Phala: Gemma-4 26B-A4B Uncensored (Heretic) · 66K context · $0.15/M input · encrypted
  • Phala: Qwen3.6 35B-A3B Uncensored (Aggressive) · 131K context · $0.30/M input · encrypted
  • MoonshotAI: Kimi K2.6 · 262K context · $1.09/M input · encrypted
  • Z.ai: GLM 5.1 · 203K context · $1.21/M input · encrypted
  • Qwen: Qwen3.5-27B · 262K context · $0.30/M input · encrypted
  • Qwen: Qwen3.5 397B A17B · 262K context · $0.55/M input · encrypted
  • MiniMax: MiniMax M2.5 · 197K context · $0.20/M input · encrypted

Model requests are routed through confidential AI providers with TEE support.

Private inference, by construction.

What you say to the model stays between your client and an attested CVM. Three primitives — encryption, TEE, no-logs — make that a property of the build, not a promise.

End-to-End Encryption

  • AES-GCM ciphertext on the wire, both hops
  • RA-TLS terminates inside the CVM, not at a load balancer
  • No plaintext intermediary on the host

How it works

Step through a single request, end to end.


Private Inference on dstack

Two-hop RA-TLS into a fleet of attested model CVMs — verifiable, no-log by construction

Step 1 / 5

Verify the Build Before Sending One Byte

Client SDK fetches each candidate CVM’s TDX quote and runs dcap-qvl locally — confirms the build matches a no-log entry in DstackApp.sol. The trust decision is client-side; Phala is not asked to vouch for itself.

With dstack: User holds the trust root, anchored in Intel’s TDX hardware signature.

Same SDK. Same endpoints. Confidential by default.

cURL · drop-in

Hit api.redpill.ai/v1/chat/completions with the OpenAI request shape. Receipt headers come back on every response — even from curl.

cURL

    $ curl https://api.redpill.ai/v1/chat/completions \
        -H "Authorization: …" \
        -d '{"model":…}'
    x-phala-receipt-sig: 0x9c..
    x-phala-compose-hash: 0xa1..

PYTHON

    from openai import OpenAI
    c = OpenAI(base_url="…redpill.ai/v1", api_key=RP_KEY)
    r = c.chat.completions.create(…)

OpenAI Python SDK

`base_url="https://api.redpill.ai/v1"` and you’re done. Existing code keeps working; receipts attach to the response object.

One unified verifier

Whether the model runs on Intel TDX + H100 or AMD SEV + B300, the receipt format is identical. One verification path covers your whole TEE-LLM fleet — even when you mix providers.

UNIFIED PROOF
unified verifier · all match
phala · Llama 3.1
near ai · DeepSeek V3
tinfoil · Qwen2.5
chutes · Mistral
one format · any provider

OPENROUTER
openrouter · phala · 2026-05-30
3.5B tokens / day
Llama · open · $0.40 / M
Llama · phala · $0.40 / M
DeepSeek · open · $0.27 / M
DeepSeek · phala · $0.27 / M

No premium for privacy

Confidential routes through Phala on OpenRouter price the same as the open route. Privacy is no longer a procurement line item — just a header you opted into.

two-hop RA-TLS · X.509 with TDX-quote extension

tunneled · no plaintext intermediary

hop 01 · client → gateway

CN=phala-gateway · TDX-quote ext (1.3.6.1.4.1…)

hop 02 · gateway → model CVM

CN=vllm-llama-3.1-70b · TDX+H100 quote ext

RA-TLS · mTLS · X.509 · tunneled

Two-hop RA-TLS, all the way to the model

The first TLS hop terminates inside the dstack-gateway CVM (whose certificate carries its TDX quote). The second terminates inside the model CVM. There is no plaintext intermediary — just two confidential VMs whose X.509 certificates ARE their attestations.

response · /v1/chat/completions

200
x-phala-receipt-sig: 0x9c1a…f7e2
x-phala-compose-hash: 0xa1b2…d1f3
x-phala-app-id: vllm-llama-3.1-70b
x-phala-no-log: true · by build
verify offline · chains to DstackApp.sol

Signed receipt + on-chain compose-hash, every response

Every response carries x-phala-receipt-sig + x-phala-compose-hash. The signature chains to the TDX root and the on-chain DstackApp.sol entry — verify offline that the build that ran is the build that was registered.

in production today · 3 live partners

Confidential inference, in production.

OpenRouter routes its enterprise tier through Phala. NEAR AI ships verifiable agent inference. OODA AI runs decentralized GPU TEE.

01 · enterprise · live

OpenRouter

enterprise tier · drop-in

Drop-in OpenAI-compatible endpoint with verifiable, no-log routing. The receipt is the audit trail.

18B+ tokens

no-log · verified routing

02 · web3 · live

NEAR AI

verifiable agent inference

Verifiable agent inference for autonomous, on-chain workflows. Every model call lands on-chain with proof.

100% receipts

on-chain verified · zk inference

03 · public-co · live

OODA AI

NASDAQ-listed · decentralized GPUs

Decentralized GPUs with hardware attestation guarantees. No host root, no off-band access, no policy promises.

12M tokens / day

TDX + H100 · hardware-attested

OpenAI-compatible

drop-in /v1 surface

TDX + H100/H200/B300

CPU + GPU TEE

5–15% overhead

vs bare-metal

No host root

compose-hash IS the policy

AI solution paths

Use private models where AI touches secrets.

The private model endpoint is the first entry point. The same privacy primitive extends to agents, data workflows, and training.

Agents

Private AI agents

Run agents with keys, tools, memory, and actions inside a verified runtime instead of a visible automation cloud.

Training

Private model training

Adapt models on proprietary data while keeping datasets, gradients, checkpoints, and evaluation traces inside the boundary.


private training run

Observe without exposing weights.

H100 CC

01 · dataset · sealed
02 · fine-tune · running
03 · eval · private
04 · checkpoint · verified

loss curve · proof attached · attestation.json

Data

Private AI data

Move models to sensitive records and return approved outputs without exposing raw data to the model operator.


sources: EHR data · Customer records · Internal docs

TEE clean room: query without raw access

approved output: aggregate only · no row export · proof linked

Deploy private inference

Two-hop RA-TLS. Signed receipts. On-chain no-log.

Drop-in with the OpenAI SDK you already use. Point at api.redpill.ai. Get a signed receipt with every response.

  • 01 OpenAI-compatible base URL
  • 02 TDX + H100 / H200 / Blackwell
  • 03 Signed receipt per response
  • 04 On-chain compose-hash registry
  • 05 5–15% TEE overhead vs bare-metal