Where does encryption end?
Find the first component that holds a decryption key and can see the prompt.
Architecture guide
A plain-language guide to confidential AI inference. The most important question is: where does your prompt first become plaintext?
Based on primary protocol and attestation standards
Direct answer
Both designs can keep the prompt plaintext inside an attested TEE. With TEE-terminated TLS, the TEE holds the HTTPS private key and the gateway only forwards encrypted traffic. With application E2EE, the gateway may decrypt outer HTTPS, but the app has already encrypted the AI payload to a separate key bound to the TEE.
A TEE-only gateway is different: it decrypts the prompt before forwarding it to the TEE, so the gateway can read it. Think of the TEE as a protected room, attestation as its signed inspection report, and encryption as the locked delivery path into that room.
Find the first component that holds a decryption key and can see the prompt.
Verify that the decryption key belongs to the intended TEE, not merely to the provider.
Look for fresh, request-bound route evidence rather than an unrelated backend quote.
Three architectures
All three designs may advertise HTTPS and a TEE. Their privacy guarantees differ because the decryption key lives in a different place.
Direct attested channel
Your app opens a normal HTTPS connection, but the TLS private key is held inside the attested TEE. Load balancers may forward encrypted traffic; they do not decrypt it.
The client or an independent verifier must check a cryptographic binding between the attestation report and the key used by the TLS endpoint. A normal browser padlock proves the domain name, not that the key is inside a TEE.
Payload protected through the gateway
Your app first verifies a public encryption key from the attested TEE. It then encrypts the prompt to that key before sending the request through the ordinary HTTPS API.
The gateway may terminate the outer TLS connection, authenticate the account, bill the request, and route it. It sees ciphertext instead of the protected prompt. The response must receive equivalent protection. If the app accepts an unverified key supplied by the gateway, the gateway can substitute its own key and the E2EE claim fails.
Backend protection only
Your HTTPS connection ends at a conventional API gateway. The gateway decrypts the request and then sends it to a TEE backend, often over another protected connection.
The gateway can read the prompt. This design can still protect model execution from the backend host or cloud administrator, but it does not protect prompts from the API operator, gateway logs, or a compromised gateway.
Side-by-side
E2EE is not automatically better. The right design depends on the threat and the quality of its implementation.
| Question | TEE-Terminated TLS | Attested Application E2EE | TEE-only Gateway |
|---|---|---|---|
| First plaintext | Inside the attested TEE | Inside the attested TEE | At the API gateway |
| Gateway sees content | No, when it only passes TLS through | No, for fields inside the E2EE envelope | Yes |
| Client integration | Standard HTTPS plus attestation checks | Encryption SDK or protocol integration | Standard HTTPS |
| Attested key | TLS endpoint key | Application encryption key | Usually only a backend identity |
| Operational strength | Streaming and API compatibility | Works through TLS-terminating gateways and CDNs | Simple routing and compatibility |
| Main tradeoff | TEE must manage TLS identity and direct connections | More client, key, retry, and streaming complexity | Gateway remains trusted with plaintext |
| Route proof | Strong when the live TLS peer key is attested | Strong when requests and responses bind to the attested key | A separate backend quote is not enough |
Threat model
A threat model names the people and systems you do not want to trust. No single badge covers every threat, so this directory treats hardware, channel, workload, model, and route evidence separately.
Protected by all three designs. TLS hides content while it crosses the public network. IP addresses, endpoints, and traffic patterns can remain observable.
TEE protection is intended for this threat. A valid, policy-approved quote can show that execution is isolated from the host, subject to hardware, firmware, and side-channel limitations.
Protected only when the content key stays beyond the gateway. TEE-TLS requires passthrough. Application E2EE keeps the payload encrypted even when outer TLS ends there.
Not solved by encryption or isolation. Code that legitimately receives plaintext can log or export it. Measurements and source provenance tell you what ran; review and policy determine whether that code is acceptable.
A backend quote alone is insufficient. The evidence must connect the request to the claimed model and backend. Otherwise a valid enclave can exist while traffic takes another route.
Traffic size and timing normally remain visible. Account identity, billing, IP address, model route, and unencrypted headers may also be exposed even when the prompt is protected.
The reseller problem
The API provider owns the endpoint and customer relationship. The infrastructure provider operates the TEE, GPU, or managed confidential platform. An aggregator may use several infrastructure providers, even for models sold under one brand.
A strong request-bound route connects a fresh client challenge, requested model, backend identity, and response to the same attested key. Without that connection, attestation proves that a suitable backend exists, not that it served this request.
Choosing a design
Prefer TEE-terminated TLS when the service can prove the live TLS key is inside the TEE. It usually preserves normal clients, streaming, retries, and tool calls.
Prefer attested application E2EE when that intermediary must route requests but must not read prompts. Confirm both request and response protection.
TEE-only may be sufficient if you explicitly trust the API operator and gateway with plaintext. It should not be described as protection from that operator.
Common questions
Direct answers to the terms and limits shown throughout the directory. Each heading has a stable URL that can be cited or shared.
Confidential AI inference means running an AI model while limiting which surrounding systems and operators can read the prompt, response, or model data. It usually combines a TEE, remote attestation, and an encrypted channel. The actual guarantee depends on where that channel ends and what the attested software does.
A TEE is an isolated area of a processor or accelerator. It is designed to keep the data and code inside it hidden from the host operating system, hypervisor, and cloud administrator. It reduces who must be trusted, but it is not a guarantee that the application itself is safe.
Remote attestation is a signed hardware report. It can identify the TEE platform, security state, and a measurement of the software that started inside it. A verifier checks that report against the hardware vendor's root of trust and an explicit policy.
A valid quote does not prove that the measured code is well designed, that it has no logging or export feature, that it loaded the advertised model, or that your request reached it. Those claims need additional evidence such as reviewed source, reproducible builds, model measurements, key binding, and request-bound route evidence.
TLS termination is the point where an HTTPS connection is decrypted. Before that point, intermediaries can forward encrypted bytes but cannot read the prompt. After that point, the component holding the TLS private key can read it. The security question is therefore not whether HTTPS is present, but where its private key lives.
On this site, E2EE means that the client encrypts the AI payload to a key proven to belong to an attested TEE. An outer HTTPS connection can still end at an API gateway, but the gateway receives an encrypted prompt and cannot decrypt the protected payload.
No. Both can create a cryptographic channel from the client to an attested workload. TEE-terminated TLS is easier for standard HTTPS clients and streaming. Application E2EE can work through a gateway or CDN that terminates TLS, but it needs client-side encryption, key verification, replay protection, and careful response handling.
TLS protects the outer API connection, credentials, headers, and protocol behavior from network attackers. Application E2EE adds a second protection boundary for the prompt and response. The two layers solve different parts of the problem.
The public gateway terminates HTTPS and sees the plaintext prompt, then forwards the request to a TEE backend. The TEE can still protect model execution from the backend host or cloud operator, but the gateway and anyone able to control it remain in the prompt trust boundary.
Not by itself. A provider or reseller can show a valid quote from one backend while routing a request somewhere else. Strong route evidence binds a fresh client challenge, requested model, backend identity, and response to the same attested key or signed receipt.
It can contribute evidence, but the roles must be recorded separately. The API operator is the company you call and pay. The infrastructure operator runs the TEE or managed platform. A reseller may route different models to different infrastructure providers, so attribution should be per model route rather than assumed from the brand name.
Encryption normally does not hide IP addresses, account identity, billing events, request timing, traffic size, or every header. Model names and tool metadata may also remain visible when they are needed for routing. Hiding those signals requires additional protocol and network measures.
Yes. A TEE protects code and data from the surrounding host; it does not make that code trustworthy. Malicious or flawed code inside the TEE can log, return, or transmit plaintext. Software measurements, source provenance, reproducible builds, egress controls, and an understandable policy are therefore important.
Hardware verification answers only part of the question. We mark a check partial when the hardware or channel evidence passes but another link, such as image provenance, source mapping, model identity, freshness, or request routing, is missing. Partial means useful evidence exists, not that the complete end-to-end claim is proven.
Apply the guide
Use these definitions while comparing a provider, a model route, or a current attestation result.
Primary references
These sources define the underlying protocols and attestation architecture. Product claims still require provider-specific evidence.