Skip to main content
The attestation object contains verified TEE attestation data. It is available on every response from createAtlsFetch and on sockets created by createAtlsAgent.

Structure

interface AtlsAttestation {
  trusted: boolean
  teeType: string
  measurement: string | null
  tcbStatus: string
  advisoryIds: string[]
}

Fields

trusted
boolean
Whether attestation verification succeeded. If false, the connection should not be trusted.
teeType
string
TEE type identifier:
  • "tdx" - Intel TDX (Trust Domain Extensions)
  • "sgx" - Intel SGX (Software Guard Extensions) (future support)
measurement
string | null
Workload measurement hash:
  • For TDX: MRTD (Measurement Register for Trust Domain)
  • For SGX: MRENCLAVE (future support)
  • null if measurement is not available
tcbStatus
string
Platform security status. Common values:
  • "UpToDate" - Platform is fully patched (recommended for production)
  • "SWHardeningNeeded" - Platform requires software mitigations
  • "ConfigurationNeeded" - BIOS/hardware configuration issue
  • "OutOfDate" - Platform TCB level is outdated
  • "Revoked" - Platform or keys have been compromised (never use)
See TCB Status Values for detailed descriptions and production recommendations.
advisoryIds
string[]
List of applicable Intel security advisory IDs. Empty array if no advisories apply.

Accessing attestation data

With createAtlsFetch

import { createAtlsFetch } from "@concrete-security/atlas-node"

const fetch = createAtlsFetch({ target, policy })
const response = await fetch("/api/data")

// Access attestation on response
const attestation = response.attestation

console.log(attestation.trusted)      // true
console.log(attestation.teeType)      // "tdx"
console.log(attestation.measurement)  // "b24d3b24e9e3c16012376b52362ca098..."
console.log(attestation.tcbStatus)    // "UpToDate"
console.log(attestation.advisoryIds)  // []

With createAtlsAgent

import { createAtlsAgent } from "@concrete-security/atlas-node"
import https from "https"

const agent = createAtlsAgent({ target, policy })

https.get("https://enclave.example.com/api/data", { agent }, (res) => {
  // Access attestation on socket
  const attestation = res.socket.atlsAttestation
  
  console.log(attestation.trusted)      // true
  console.log(attestation.teeType)      // "tdx"
  console.log(attestation.tcbStatus)    // "UpToDate"
})

With attestation callback

const fetch = createAtlsFetch({
  target: "enclave.example.com",
  policy: productionPolicy,
  onAttestation: (attestation) => {
    // Log attestation for audit trail
    console.log(JSON.stringify({
      timestamp: new Date().toISOString(),
      teeType: attestation.teeType,
      measurement: attestation.measurement,
      tcbStatus: attestation.tcbStatus,
      advisoryIds: attestation.advisoryIds,
      trusted: attestation.trusted
    }))
  }
})

Usage examples

Verify attestation succeeded

const response = await fetch("/api/data")

if (!response.attestation.trusted) {
  throw new Error("Attestation verification failed")
}

const data = await response.json()

Check TCB status

const response = await fetch("/api/data")
const { tcbStatus } = response.attestation

if (tcbStatus === "UpToDate") {
  console.log("Platform is fully patched")
} else if (tcbStatus === "SWHardeningNeeded") {
  console.warn("Platform requires software mitigations")
} else if (tcbStatus === "OutOfDate") {
  console.error("Platform TCB is outdated")
} else if (tcbStatus === "Revoked") {
  throw new Error("Platform has been revoked - DO NOT USE")
}

Verify measurement matches expected value

const expectedMeasurement = "b24d3b24e9e3c16012376b52362ca098..."

const response = await fetch("/api/data")
const { measurement } = response.attestation

if (measurement !== expectedMeasurement) {
  throw new Error(`Measurement mismatch: expected ${expectedMeasurement}, got ${measurement}`)
}

Check for security advisories

const response = await fetch("/api/data")
const { advisoryIds } = response.attestation

if (advisoryIds.length > 0) {
  console.warn(`Active security advisories: ${advisoryIds.join(", ")}")
  // Decide whether to proceed based on your security policy
}

Audit logging

import { createAtlsFetch } from "@concrete-security/atlas-node"
import { writeFileSync, appendFileSync } from "fs"

const fetch = createAtlsFetch({
  target: "enclave.example.com",
  policy: productionPolicy,
  onAttestation: (attestation) => {
    const logEntry = {
      timestamp: new Date().toISOString(),
      teeType: attestation.teeType,
      measurement: attestation.measurement,
      tcbStatus: attestation.tcbStatus,
      advisoryIds: attestation.advisoryIds,
      trusted: attestation.trusted
    }
    
    appendFileSync(
      "attestation-audit.log",
      JSON.stringify(logEntry) + "\n"
    )
  }
})

Conditional policy enforcement

const fetch = createAtlsFetch({
  target: "enclave.example.com",
  policy: basePolicy,
  onAttestation: (attestation) => {
    // Enforce stricter requirements for production
    if (process.env.NODE_ENV === "production") {
      if (attestation.tcbStatus !== "UpToDate") {
        throw new Error(`Production requires UpToDate TCB, got ${attestation.tcbStatus}`)
      }
      
      if (attestation.advisoryIds.length > 0) {
        throw new Error(`Production cannot have active advisories: ${attestation.advisoryIds}`)
      }
    }
  }
})

TypeScript types

Full TypeScript definitions are included: 
import type { AtlsAttestation } from "@concrete-security/atlas-node"

function logAttestation(attestation: AtlsAttestation): void {
  console.log(`TEE Type: ${attestation.teeType}`)
  console.log(`Measurement: ${attestation.measurement}`)
  console.log(`TCB Status: ${attestation.tcbStatus}`)
  console.log(`Trusted: ${attestation.trusted}`)
}

Build docs developers (and LLMs) love

Get started for freeTalk to us