Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/concrete-security/atlas/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The AttestedStream class provides direct access to the raw attested TLS stream without any HTTP protocol handling. This is the lowest-level API, useful for custom protocols or debugging. For HTTP requests, use createAtlsFetch or AtlsHttp instead.

Class methods

connect

Connect to a TEE server via WebSocket proxy and perform the aTLS protocol. 
static async connect(
  wsUrl: string,
  serverName: string,
  policy: Policy
): Promise<AttestedStream>
wsUrl
string
required
WebSocket proxy URL with optional target query parameter.Examples:
  • "ws://127.0.0.1:9000?target=vllm.example.com:443"
  • "ws://proxy.example.com:9000"
serverName
string
required
TLS server name for SNI and certificate validation.Example: "vllm.example.com"
policy
Policy
required
Attestation verification policy object.See Policy configuration for details.
return
AttestedStream
An AttestedStream instance with:
  • readable: Native ReadableStream for receiving data
  • send(data): Method to send data
  • attestation(): Attestation verification result

readable

Get the native ReadableStream for receiving data from the TEE. 
get readable(): ReadableStream<Uint8Array>
return
ReadableStream<Uint8Array>
A native Web ReadableStream that yields raw bytes from the attested TLS connection.This stream can be passed directly to new Response(readable) or used with a reader.

attestation

Get the attestation verification result from the connection handshake. 
attestation(): AttestationSummary
return
AttestationSummary
Attestation summary object containing:
trusted
boolean
Whether the attestation was successfully verified
teeType
string
The TEE type (e.g., “Tdx”)
tcbStatus
string
TCB status from Intel (e.g., “UpToDate”, “SWHardeningNeeded”)
advisoryIds
string[]
List of security advisory IDs

send

Send raw bytes to the TEE over the attested TLS connection. 
async send(data: Uint8Array): Promise<void>
data
Uint8Array
required
Raw bytes to send over the attested TLS connection
return
Promise<void>
Resolves when the data has been written and flushed

closeWrite

Close the write side of the stream. 
async closeWrite(): Promise<void>
return
Promise<void>
Resolves when the write side has been closed

Stream design

The AttestedStream provides:
  • Zero-copy reads: Response data streams directly through the native ReadableStream
  • Simple writes: Send data via the async send() method
  • Bidirectional: Read and write sides can operate independently

Examples

Raw HTTP request

import init, { AttestedStream } from "@concrete-security/atlas-wasm";

await init();

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=vllm.example.com:443",
  "vllm.example.com",
  { type: "dstack_tdx" }
);

console.log(stream.attestation()); // { trusted: true, teeType: "Tdx", ... }

// Send raw HTTP request
await stream.send(
  new TextEncoder().encode("GET / HTTP/1.1\r\nHost: vllm.example.com\r\n\r\n")
);

// Read raw response
const reader = stream.readable.getReader();
while (true) {
  const { done, value } = await reader.read();
  if (done) break;
  console.log(new TextDecoder().decode(value));
}

Custom protocol

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=custom.example.com:8080",
  "custom.example.com",
  { type: "dstack_tdx" }
);

// Verify attestation
const att = stream.attestation();
if (!att.trusted) {
  throw new Error("Attestation failed");
}

// Send custom protocol message
const message = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
await stream.send(message);

// Read response
const reader = stream.readable.getReader();
const { value } = await reader.read();
console.log("Received:", value);

Streaming with backpressure

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=api.example.com:443",
  "api.example.com",
  { type: "dstack_tdx" }
);

// Send request
await stream.send(
  new TextEncoder().encode("GET /stream HTTP/1.1\r\nHost: api.example.com\r\n\r\n")
);

// Create Response from readable stream (Web API)
const response = new Response(stream.readable);
const text = await response.text();
console.log(text);

Closing the write side

const stream = await AttestedStream.connect(
  "ws://127.0.0.1:9000?target=api.example.com:443",
  "api.example.com",
  { type: "dstack_tdx" }
);

// Send data
await stream.send(new TextEncoder().encode("Hello"));

// Signal no more writes (half-close)
await stream.closeWrite();

// Can still read response
const reader = stream.readable.getReader();
const { value } = await reader.read();
console.log(new TextDecoder().decode(value));

Use cases

  • Custom protocols: Implement non-HTTP protocols over attested TLS
  • Debugging: Inspect raw TLS traffic for debugging
  • Low-level control: Full control over when and how data is sent/received
  • Protocol development: Build higher-level protocol implementations
For standard HTTP requests, prefer createAtlsFetch or AtlsHttp.

Build docs developers (and LLMs) love

Get started for freeTalk to us