Change two lines of code. Get hardware-enforced confidentiality and a receipt for every request.
Your OpenAI SDK works as-is. Ours verifies the enclave before a single byte leaves your machine.
import osfrom openai import OpenAIclient = OpenAI( base_url="https://api.tresor.co/v1", api_key=os.environ["TRESOR_API_KEY"],)resp = client.chat.completions.create( model="eu/auto/gpt-oss-120b", messages=[{"role": "user", "content": "Hello!"}],)print(resp.choices[0].message.content)import OpenAI from "openai";const client = new OpenAI({ baseURL: "https://api.tresor.co/v1", apiKey: process.env.TRESOR_API_KEY,});const resp = await client.chat.completions.create({ model: "eu/auto/gpt-oss-120b", messages: [{ role: "user", content: "Hello!" }],});console.log(resp.choices[0]?.message?.content);package mainimport ( "context" "fmt" "os" openai "github.com/sashabaranov/go-openai")func main() { cfg := openai.DefaultConfig(os.Getenv("TRESOR_API_KEY")) cfg.BaseURL = "https://api.tresor.co/v1" client := openai.NewClientWithConfig(cfg) resp, err := client.CreateChatCompletion( context.Background(), openai.ChatCompletionRequest{ Model: "eu/auto/gpt-oss-120b", Messages: []openai.ChatCompletionMessage{ {Role: "user", Content: "Hello!"}, }, }, ) if err != nil { panic(err) } fmt.Println(resp.Choices[0].Message.Content)}import osimport httpxfrom openai import OpenAIfrom attest import AttestedTransportclient = OpenAI( base_url="https://api.tresor.co/v1", api_key=os.environ["TRESOR_API_KEY"], http_client=httpx.Client(transport=AttestedTransport()),)resp = client.chat.completions.create( model="eu/auto/gpt-oss-120b", messages=[{"role": "user", "content": "Hello!"}],)print(resp.choices[0].message.content)import { createAttestedFetch } from "@tresorhq/attest";import OpenAI from "openai";const client = new OpenAI({ baseURL: "https://api.tresor.co/v1", apiKey: process.env.TRESOR_API_KEY, fetch: createAttestedFetch(),});const resp = await client.chat.completions.create({ model: "eu/auto/gpt-oss-120b", messages: [{ role: "user", content: "Hello!" }],});console.log(resp.choices[0]?.message?.content);package mainimport ( "fmt" "time" "github.com/tresorhq/attest/go/attest")func main() { releaseRoot, err := attest.LoadBundledReleaseRoot() if err != nil { panic(err) } tuple, err := attest.Verify(attest.Inputs{ Envelope: envelope, // GET /attestation BundleJWS: bundleJWS, // GET <trust_bundle_url> ReleaseRootPubKey: releaseRoot, LiveTLSSPKI: spki, // SHA-256 from live TLS Now: time.Now(), }) if err != nil { panic(err) } fmt.Println(tuple.WorkloadIdentityTag)}Every call goes through the same path: into an attested enclave, back with a receipt you can check.
Change two lines. Keep the rest.
Set base_url to api.trytresor.com/v1 and use a Tresor API key; chat completions, streaming, and transcription work exactly as your existing SDK expects. Compatible with Python, Node, Go, and any OpenAI client lib.
See the enclave. Pin the runtime. Then send.
Fetch live attestation evidence, match it against the signed trust bundle, and pin TLS to the expected enclave so no request goes out until the destination checks out. GET /attestation. Trust bundle at /.well-known/trust.json.
Proof attached to the request, not promised after.
Every successful call returns a receipt_id for a JWS that binds the request and response to live attestation evidence. JWS/ES256. Verify with any JWT library or the tresorhq-attest SDK.
Route on purpose. Or let auto handle it.
Address compound IDs like lux/tresor/kimi-k2.5 to pin every detail, or pass auto to let the router pick from a set you've approved. Region/provider/model selection per request or per key.
Resilience without silent rerouting.
Declare ordered fallback routes per key or per request, and the router only switches within the alternatives you explicitly named. Every failover event is recorded in the receipt and usage log.
Separate environments without sharing secrets.
Create, name, and revoke keys per service or environment, and every call carries a key_prefix so usage stays attributable. Per-key attribution in the dashboard and usage API.
The best of open source, isolated and verifiable in Zero-Access TEEs.
Self-serve API access that scales with your usage.
Pay as you go
prepaid credits, no subscription
Custom contracts with negotiated rates, SLA, and compliance.
Custom
monthly commitment + overage
Live route catalogue as used by current API calls.
1 route available
| Route ID | Input | Output |
|---|---|---|
global/tinfoil/deepseek-v4-pro | $1.50/M | $5.25/M |
2 routes available
| Route ID | Input | Output |
|---|---|---|
eu/privatemode/gemma-4-31b | €0.77/M | €1.27/M |
global/tinfoil/gemma-4-31b | $0.45/M | $1.00/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/redpill/glm-5.2 | $1.40/M | $4.40/M |
2 routes available
| Route ID | Input | Output |
|---|---|---|
eu/privatemode/gpt-oss-120b | €0.43/M | €1.70/M |
global/tinfoil/gpt-oss-120b | $0.15/M | $0.60/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/redpill/gpt-oss-20b | $0.04/M | $0.15/M |
3 routes available
| Route ID | Input | Output |
|---|---|---|
eu/privatemode/kimi-k2.6 | €1.55/M | €7.74/M |
global/chutes/kimi-k2.6 | $0.95/M | $4.00/M |
global/tinfoil/kimi-k2.6 | $1.50/M | $5.25/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/tinfoil/llama3-3-70b | $1.75/M | $2.75/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/redpill/mistral-24b-uncensored | $0.20/M | $0.90/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/redpill/qwen-2.5-7b-instruct | $0.04/M | $0.10/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/redpill/qwen3.5-27b | $0.30/M | $2.40/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
eu/privatemode/voxtral-mini-3b | — | €0.0040/min |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/tinfoil/voxtral-small-24b | $0.20/M | $0.60/M |
1 route available
| Route ID | Input | Output |
|---|---|---|
eu/privatemode/whisper-large-v3 | — | €0.014/min |
1 route available
| Route ID | Input | Output |
|---|---|---|
global/tinfoil/whisper-large-v3-turbo | — | $0.010/req |
Public AI tools read everything you send. On-prem is private but impractical. Tresor gives you both: cloud convenience, infrastructure-grade privacy.
I can only use AI in coaching when it fully protects the sacred trust between practitioner and client; confidentiality is non-negotiable.
Tove Thyes
Transformational Coach and Energy Medicine Practitioner
As a software strategist, I treat privacy as the blueprint that lets my team turn client visions into AI people can trust.
Igor Miazek
CEO & Founder, Techs
At Dance, we build experiences people trust. Tresor’s approach to privacy-first AI is a simply a great match.
Christian Springub
CEO & Co-Founder, Dance
As a therapist, I can only use AI that protects client privacy. Tresor delivers exactly that.
Magali Cahen
Psychologist and Therapist, Independent
The only way to earn trust in AI is to make privacy a design principle, not a feature. Tresor’s system does exactly that.
Ingmar Schuster
CEO & Co-Founder, Provolut
In the AI era, rigorous risk-based security and GDPR-aligned privacy are non-negotiable foundations for any trustworthy system.
Davy Cox
Founder, Brainframe
Executive Summary
Tresor is built on a simple promise: your conversations belong to you, not us. Every message you type is protected by end-to-end encryption and processed only inside secure computing environments that even Tresor cannot inspect. Teams can now collaborate inside shared workspaces without ever handing Tresor access to their plaintext. This whitepaper explains the principles and safeguards behind Tresor’s zero-access design, showing how we deliver practical confidentiality without trade-offs in usability.