`tinfoil-go` currently relies on a specific feature in `go-sev-guest` that hasn't been upstreamed yet. This requires adding the following line to your `go.mod`:

```
replace github.com/google/go-sev-guest v0.0.0-00010101000000-000000000000 => github.com/jraman567/go-sev-guest v0.0.0-20250117204014-6339110611c9
```

Then run:

```bash
go get github.com/tinfoilsh/tinfoil-go
```

The Tinfoil Go client is a wrapper around the OpenAI Go client and provides secure communication with Tinfoil enclaves. It has the same API as the OpenAI client, with additional security features:
- Automatic verification that the endpoint is running in a secure Tinfoil enclave
- TLS certificate pinning to prevent man-in-the-middle attacks
- Attestation validation to ensure enclave integrity
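
How pinning a TLS key fingerprint rejects an endpoint that presents a different key, as an added example that is not tinfoil-go's own code. The helper names and the local `httptest` server are constructed for illustration; the pin is read from that test server here, and it is an assumption that a real client would take it from a verified attestation.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the hex SHA-256 of the certificate's public key (SPKI).
func spkiPin(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// pinnedClient accepts a TLS peer only if its leaf key matches pin (hypothetical helper).
func pinnedClient(pin string) *http.Client {
	cfg := &tls.Config{
		InsecureSkipVerify: true, // CA checks are replaced by the pin check below
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 || spkiPin(cs.PeerCertificates[0]) != pin {
				return fmt.Errorf("peer key does not match pinned fingerprint")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// get performs one request with the given pin and returns any error.
func get(url, pin string) error {
	resp, err := pinnedClient(pin).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo connects to a constructed local TLS server with the right pin, then an all-zero pin.
func demo() (okErr, badErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	return get(srv.URL, spkiPin(srv.Certificate())), get(srv.URL, fmt.Sprintf("%064x", 0))
}

func main() {
	okErr, badErr := demo()
	fmt.Println("correct pin:", okErr, "| wrong pin:", badErr)
}
```

Because `VerifyConnection` runs on every handshake, including resumed sessions, the pin check cannot be skipped by session resumption.
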

```go
package main

import (
	"context"
	"fmt"

	"github.com/openai/openai-go"
	"github.com/openai/openai-go/option"
	"github.com/tinfoilsh/tinfoil-go" // imported as tinfoil
)

func main() {
	// Create a client for a specific enclave and model repository
	client, err := tinfoil.NewClientWithParams(
		"llama3-3-70b.model.tinfoil.sh",
		"tinfoilsh/confidential-llama3-3-70b",
		option.WithAPIKey("xxx"),
	)
	if err != nil {
		panic(err.Error())
	}

	chatCompletion, err := client.Chat.Completions.New(context.TODO(), openai.ChatCompletionNewParams{
		Messages: []openai.ChatCompletionMessageParamUnion{
			openai.UserMessage("Say this is a test"),
		},
		Model: "llama3-3-70b", // see https://docs.tinfoil.sh for supported models
	})
	if err != nil {
		panic(err.Error())
	}

	fmt.Println(chatCompletion.Choices[0].Message.Content)
}
```

```go
// 1. Create a client
client, err := tinfoil.NewClientWithParams(
	"enclave.example.com", // Enclave hostname
	"org/repo",            // GitHub repository
	option.WithAPIKey("your-api-key"),
)
if err != nil {
	panic(err.Error())
}

// 2. Use client as you would openai.Client
// see https://pkg.go.dev/github.com/openai/openai-go for API documentation
```

```go
// Manual verification
state, err := client.Verify()
if err != nil {
	return fmt.Errorf("verification failed: %w", err)
}

// Get the raw HTTP client
httpClient, err := client.HTTPClient()
if err != nil {
	return fmt.Errorf("failed to get HTTP client: %w", err)
}

// Make HTTP requests directly
resp, err := client.Get("/api/status", map[string]string{
	"Authorization": "Bearer token",
})
```

For use from other languages through FFI, additional functions are available that avoid FFI-incompatible data structures (e.g., Go maps):

```go
// Initialize a request and get an ID
requestID, err := client.InitPostRequest("/api/submit", []byte(`{"key":"value"}`))

// Add headers individually
client.AddHeader(requestID, "Content-Type", "application/json")
client.AddHeader(requestID, "Authorization", "Bearer token")

// Execute the request
resp, err := client.ExecuteRequest(requestID)
```

This library is a drop-in replacement for the official OpenAI Go client that can be used with Tinfoil. All methods and types are identical. See the OpenAI Go client documentation for complete API usage and documentation.

Please report security vulnerabilities by either:

- Emailing [email protected]
- Opening an issue on GitHub on this repository

We aim to respond to security reports within 24 hours and will keep you updated on our progress.