The Wraith Protocol API runs inside a Trusted Execution Environment (TEE). These endpoints let you verify that the server is healthy, inspect its runtime configuration, and obtain a cryptographic attestation proving that the TEE is running unmodified Wraith Protocol code and that your agent’s keys were derived inside the enclave. All endpoints require a Bearer token in the Authorization header except where noted.
GET /health
Check that the TEE server is running and accepting requests. Use this as a liveness probe.
Response
Always "ok" when the server is healthy.
Example
curl https://api.wraith.dev/health \
-H "Authorization: Bearer wraith_live_abc123"
const res = await fetch("https://api.wraith.dev/health", {
headers: { Authorization: "Bearer wraith_live_abc123" },
});
const { status } = await res.json();
if (status !== "ok") {
throw new Error("Wraith API is not healthy");
}
Response example
GET /tee/info
Return information about the TEE runtime environment. Use this to inspect which enclave platform is in use and confirm the server configuration before requesting an attestation.
Response
The response structure depends on the TEE platform. It typically includes the enclave platform identifier, code measurements (hashes of the running binary), and environment metadata.
Example
curl https://api.wraith.dev/tee/info \
-H "Authorization: Bearer wraith_live_abc123"
const res = await fetch("https://api.wraith.dev/tee/info", {
headers: { Authorization: "Bearer wraith_live_abc123" },
});
const info = await res.json();
console.log(info);
GET /tee/attest/:agentId
Request a remote attestation for a specific agent. The attestation is a cryptographic document that proves two things:
- The code is authentic — the TEE is running the exact Wraith Protocol binary, not a modified version.
- The key was derived inside the enclave — the agent’s private key was generated within the TEE and has never been exposed to the host operating system.
Use attestation when your integration requires trustless verification — for example, before sending large payments to an agent, or to prove to your own users that the custody model is correct.
Path parameters
The UUID of the agent you want to attest.
Response
Returns a platform-specific attestation document. On AWS Nitro Enclaves, this is a CBOR-encoded attestation document signed by the AWS Nitro attestation service. The document contains:
- PCR measurements — SHA-384 hashes of the enclave image, kernel, and application. Compare these against the published Wraith Protocol release hashes to verify authenticity.
- Agent public key — The agent’s public key, included in the attestation so you can verify it was bound to this enclave instance.
- Timestamp — When the attestation was generated.
Example
curl https://api.wraith.dev/tee/attest/550e8400-e29b-41d4-a716-446655440000 \
-H "Authorization: Bearer wraith_live_abc123"
const res = await fetch(
"https://api.wraith.dev/tee/attest/550e8400-e29b-41d4-a716-446655440000",
{ headers: { Authorization: "Bearer wraith_live_abc123" } }
);
const attestation = await res.json();
// Verify the attestation document against published PCR values
// See the TEE security docs for verification steps
console.log("Attestation received:", attestation);
Why attestation matters
Without attestation, you rely on trusting Wraith Protocol’s infrastructure. With attestation, you can independently verify:
- The server is a genuine TEE enclave, not a regular server that could log your agent’s keys.
- The running code matches the open-source Wraith Protocol release you have reviewed.
- Your agent’s keys were created and stored inside the enclave boundary.
Wraith Protocol publishes expected PCR values for each release. Compare the values in the attestation document against the published values for the release version shown in GET /tee/info.
Verification workflow
const agentId = "550e8400-e29b-41d4-a716-446655440000";
const headers = { Authorization: "Bearer wraith_live_abc123" };
// 1. Get TEE info to see which release is running
const infoRes = await fetch("https://api.wraith.dev/tee/info", { headers });
const info = await infoRes.json();
console.log("TEE version:", info.version);
// 2. Fetch the attestation document
const attestRes = await fetch(`https://api.wraith.dev/tee/attest/${agentId}`, { headers });
const attestation = await attestRes.json();
// 3. Verify against published PCR values for this release
// (See the Wraith Protocol release notes for expected PCR values)
const expectedPcr0 = "expected-hash-from-release-notes";
const valid = verifyAttestation(attestation, expectedPcr0);
if (!valid) {
throw new Error("Attestation verification failed — do not proceed");
}
console.log("TEE is running authentic Wraith Protocol code");
