Two layers of trust.
Private inference needs two guarantees a centralized API can't give you: that nobody saw your prompt, and that the operator who ran it has something to lose if they cheat. We build them in that order — confidentiality first (hardware), then accountability (economics). Everything below is labelled by where it actually is. We don't describe a phase in the present tense until it ships.
Confidentiality
Inference runs inside an attested Trusted Execution Environment. The operator — and anyone with access to the box — is cryptographically blind to your prompt. Clients verify the enclave's attestation before sending anything.
Accountability
Operators restake to join the network and are slashed for failed attestation, downtime, or breaking the privacy contract. Confidentiality says they can't read you; accountability says it costs them to misbehave.
No one in this category has both. TEE networks prove confidentiality but carry no economic stake; restaking networks prove accountability but run inference in the clear. The combination is the point.
The gateway
A drop-in, OpenAI-compatible API. Swap one line and your traffic is encrypted in transit, routed, metered, and never persisted.
- Encrypted-in-transit gateway
Prompts sealed on ingress (AES-256-GCM); plaintext lives only in the egress shim, never on disk or in logs.
- OpenAI-compatible surface
Chat (streaming + non-streaming), embeddings, models, a stable Sable model catalog, region pinning, privacy tiers.
- Publicly-verifiable signed receipts
Every response carries a secp256k1 / EIP-191 receipt over content-free metadata + a fingerprint. Verify it without trusting us.
- Agent-grade key controls
Argon2id-hashed keys, per-key spend caps, model allowlists, expiry, rate limits, SIWE-gated dashboard, webhooks.
What's honest about the standard tier: it's encrypt-in-transit only — the upstream model host still sees plaintext. The confidential tier closes that, and it's live today for sable-confidential-24b (see below).
Confidential execution (TEE)
Run inference inside an attested enclave the host can't read. The attested-backend path is LIVE for sable-confidential-24b; owning the enclave ourselves is the remaining work.
- Attested enclave — live (via backend)
Today confidential traffic routes to an attested Intel TDX + NVIDIA H100 CC backend whose hardware quote the gateway verifies against a pinned measurement. Next: run the shim in an enclave Sable measures itself.
- Pre-flight client attestation — live
GET /v1/attestation exposes the verified enclave status, and the SDK's verifyAttestation() checks it before you send — trust the chip, not the company.
- Tiers bound to hardware — live (one model)
The confidential tier is fail-closed: a request is refused unless the enclave attests. Live for sable-confidential-24b; extending to more models is in progress.
- Receipt → attestation — live
The signed receipt now carries a verified TEE attestation block (verification "tee-attested", response_bound true) alongside the gateway signature. Same envelope, stronger claim.
The make-or-break bet — and the fast path shipped: confidential traffic for one model routes to an attested TDX backend whose quote and per-response signature we verify in-gateway. The durable moat — owning the measured enclave — is what 'building' still refers to.
Proof of inference
A per-request proof that the right model ran on the right input — not just that a Sable key signed some metadata.
- Attested transcripts
TEE attestation + signed transcripts bind model identity, input hash, and output together.
- Verifiable inference (ZK)
The long-term substrate: a cryptographic proof that a specific model produced a specific output. Heavy research; ZK-ML is moving fast.
Decentralization & accountability
A permissionless operator set with real skin in the game. We compose with an established restaking layer for crypto-economic security rather than reinventing it.
- Restake-secured operator set
Operators restake to join; slashing enforces the privacy contract — forged attestation, downtime, or a contract violation burns stake.
- On-chain audit trail
Receipt commitments (content-free) anchored to a data-availability layer for a tamper-evident public record of what ran, when.
- Decentralized routing
Sealed-envelope hops between nodes; each node sees only the encrypted form except its own egress step.
- Network token — last, if ever
Payments / premium routing / rewards layered on top of the restaking security. Never the thing securing the network, never a pump.
Why rent it: hand-rolling stake + slashing + a token from scratch is the slow, risky path. Established restaking infrastructure already secures billions in staked ETH; we compose with it rather than rebuild it.
Dates are deliberately absent. We'd rather ship a phase and move its label to Live than promise a quarter. If a claim isn't marked Live, we don't make it on the rest of the site either.