Skip to main content

Overview

The AttestedStream class provides direct access to the raw attested TLS stream without any HTTP protocol handling. This is the lowest-level API, useful for custom protocols or debugging. For HTTP requests, use createAtlsFetch or AtlsHttp instead.

Class methods

connect

Connect to a TEE server via WebSocket proxy and perform the aTLS protocol. 
static async connect(
  wsUrl: string,
  serverName: string,
  policy: Policy
): Promise<AttestedStream>
wsUrl
string
required
WebSocket proxy URL with optional target query parameter.Examples:
  • "ws://127.0.0.1:9000?target=vllm.example.com:443"
  • "ws://proxy.example.com:9000"
serverName
string
required
TLS server name for SNI and certificate validation.Example: "vllm.example.com"
policy
Policy
required
Attestation verification policy object.See Policy configuration for details.
return
AttestedStream
An AttestedStream instance with:
  • readable: Native ReadableStream for receiving data
  • send(data): Method to send data
  • attestation(): Attestation verification result

readable

Get the native ReadableStream for receiving data from the TEE. 
get readable(): ReadableStream<Uint8Array>
return
ReadableStream<Uint8Array>
A native Web ReadableStream that yields raw bytes from the attested TLS connection.This stream can be passed directly to new Response(readable) or used with a reader.

attestation

Get the attestation verification result from the connection handshake. 
attestation(): AttestationSummary
return
AttestationSummary
Attestation summary object containing:
trusted
boolean
Whether the attestation was successfully verified
teeType
string
The TEE type (e.g., “Tdx”)
tcbStatus
string
TCB status from Intel (e.g., “UpToDate”, “SWHardeningNeeded”)
advisoryIds
string[]
List of security advisory IDs

send

Send raw bytes to the TEE over the attested TLS connection. 
async send(data: Uint8Array): Promise<void>
data
Uint8Array
required
Raw bytes to send over the attested TLS connection
return
Promise<void>
Resolves when the data has been written and flushed

closeWrite

Close the write side of the stream. 
async closeWrite(): Promise<void>
return
Promise<void>
Resolves when the write side has been closed

Stream design

The AttestedStream provides:
  • Zero-copy reads: Response data streams directly through the native ReadableStream
  • Simple writes: Send data via the async send() method
  • Bidirectional: Read and write sides can operate independently

Examples

Raw HTTP request

import init, { AttestedStream } from "@concrete-security/atlas-wasm";

await init();

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=vllm.example.com:443",
  "vllm.example.com",
  { type: "dstack_tdx" }
);

console.log(stream.attestation()); // { trusted: true, teeType: "Tdx", ... }

// Send raw HTTP request
await stream.send(
  new TextEncoder().encode("GET / HTTP/1.1\r\nHost: vllm.example.com\r\n\r\n")
);

// Read raw response
const reader = stream.readable.getReader();
while (true) {
  const { done, value } = await reader.read();
  if (done) break;
  console.log(new TextDecoder().decode(value));
}

Custom protocol

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=custom.example.com:8080",
  "custom.example.com",
  { type: "dstack_tdx" }
);

// Verify attestation
const att = stream.attestation();
if (!att.trusted) {
  throw new Error("Attestation failed");
}

// Send custom protocol message
const message = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
await stream.send(message);

// Read response
const reader = stream.readable.getReader();
const { value } = await reader.read();
console.log("Received:", value);

Streaming with backpressure

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=api.example.com:443",
  "api.example.com",
  { type: "dstack_tdx" }
);

// Send request
await stream.send(
  new TextEncoder().encode("GET /stream HTTP/1.1\r\nHost: api.example.com\r\n\r\n")
);

// Create Response from readable stream (Web API)
const response = new Response(stream.readable);
const text = await response.text();
console.log(text);

Closing the write side

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=api.example.com:443",
  "api.example.com",
  { type: "dstack_tdx" }
);

// Send data
await stream.send(new TextEncoder().encode("Hello"));

// Signal no more writes (half-close)
await stream.closeWrite();

// Can still read response
const reader = stream.readable.getReader();
const { value } = await reader.read();
console.log(new TextDecoder().decode(value));

Use cases

  • Custom protocols: Implement non-HTTP protocols over attested TLS
  • Debugging: Inspect raw TLS traffic for debugging
  • Low-level control: Full control over when and how data is sent/received
  • Protocol development: Build higher-level protocol implementations
For standard HTTP requests, prefer createAtlsFetch or AtlsHttp.

Build docs developers (and LLMs) love

Get started for freeTalk to us