Tutorial — Security & verification

Run confidential compute in a TEE

TEE providers on Tenzro produce hardware-signed attestations that bind the running code, inputs, and outputs to the enclave that produced them. Verifiers reject any quote that fails its vendor's certificate chain.

Level: Advanced
Time: ~25 min
Prerequisites: TNZO balance
Stack: TypeScript · TEE

Find a TEE provider

Filter providers by vendor — TDX, SEV-SNP, Nitro, or NVIDIA GPU CC.

const providers = await tz.call("list_tee_providers", {
  vendor: "intel_tdx"
});

Submit the workload

Inputs are sealed to the enclave's public key — only the running binary can decrypt.

const job = await tz.call("tee_submit_job", {
  provider: providers[0].did,
  image: "ghcr.io/acme/private-scorer:latest",
  inputs_sealed: encrypted
});

Verify the attestation

The job receipt carries a vendor-signed quote bound to the code measurement and output hash.

await tz.call("verify_tee_attestation", {
  quote: job.attestation, expected_measurement: codeHash
});

Settle on result

Only attested outputs unlock payment. The settlement engine refuses unsigned results.

await tz.call("tee_claim_result", { job_id: job.id });

Open the docs →Browse all tutorials

← All tutorials