> ## Documentation Index
> Fetch the complete documentation index at: https://docs.darkbloom.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Provider attestation — GET /v1/providers/attestation

> GET /v1/providers/attestation — public attestation data. No auth required. Returns trust level, SE public key, and MDA chain for independent verification.

The attestation endpoint returns cryptographic attestation data for every provider currently connected to the network. No authentication is required — this data is intentionally public so that any third party can independently verify the hardware and security posture of the providers that are serving inference requests.

For hardware-attested providers, the response includes the full Apple Managed Device Attestation (MDA) certificate chain. You can verify this chain against Apple's Enterprise Attestation Root CA to confirm that Apple has certified the device properties independently of Darkbloom.

## Authentication

Not required. This endpoint is public.

## Response

<ResponseField name="providers" type="object[]">
  Array of attestation records, one per connected provider.

  <Expandable title="provider attestation fields">
    <ResponseField name="provider_id" type="string">
      Internal provider identifier.
    </ResponseField>

    <ResponseField name="trust_level" type="string">
      The verified trust level for this provider.

      * `"self_signed"` — Secure Enclave signature and periodic challenge-response verified. The coordinator confirms the device is running an unmodified binary with SIP and Secure Boot active.
      * `"hardware"` — All of the above, plus Apple MDM cross-verification and an Apple MDA certificate chain signed by Apple's Enterprise Attestation Root CA.
    </ResponseField>

    <ResponseField name="status" type="string">
      Current provider status. `"online"` when the provider is accepting requests.
    </ResponseField>

    <ResponseField name="chip_name" type="string">
      Apple Silicon chip name as reported during attestation, e.g. `"Apple M3 Max"`.
    </ResponseField>

    <ResponseField name="hardware_model" type="string">
      Mac hardware model identifier, e.g. `"Mac14,6"`.
    </ResponseField>

    <ResponseField name="serial_number" type="string">
      Device serial number from the Secure Enclave attestation.
    </ResponseField>

    <ResponseField name="memory_gb" type="integer">
      Unified memory size in GB.
    </ResponseField>

    <ResponseField name="gpu_cores" type="integer">
      GPU core count.
    </ResponseField>

    <ResponseField name="models" type="string[]">
      Model IDs this provider is currently serving.
    </ResponseField>

    <ResponseField name="secure_enclave" type="boolean">
      Whether the Secure Enclave is present and was used during attestation.
    </ResponseField>

    <ResponseField name="sip_enabled" type="boolean">
      Whether System Integrity Protection was verified as enabled at attestation time.
    </ResponseField>

    <ResponseField name="secure_boot_enabled" type="boolean">
      Whether Secure Boot was verified as enabled.
    </ResponseField>

    <ResponseField name="authenticated_root_enabled" type="boolean">
      Whether Authenticated Root (sealed system volume) was verified as enabled.
    </ResponseField>

    <ResponseField name="se_public_key" type="string">
      The provider's Secure Enclave P-256 public key in base64. Use this to verify the `x-se-signature` and `x-response-hash` values from inference responses, confirming that the response was produced by this specific device.
    </ResponseField>

    <ResponseField name="mdm_verified" type="boolean">
      Whether Apple MDM SecurityInfo cross-checked this device's hardware integrity (SIP, Secure Boot, FileVault).
    </ResponseField>

    <ResponseField name="acme_verified" type="boolean">
      Whether the ACME device-attest-01 challenge proved the Secure Enclave key belongs to a genuine Apple device.
    </ResponseField>

    <ResponseField name="mda_verified" type="boolean">
      Whether Apple Managed Device Attestation was verified with a certificate chain from Apple's Enterprise Attestation Root CA.
    </ResponseField>

    <ResponseField name="mda_cert_chain_b64" type="string[]">
      DER-encoded certificates in the MDA chain, each base64-encoded. Present only for `mda_verified: true` providers. Decode each entry from base64 to DER, then verify the chain against Apple's Enterprise Attestation Root CA (see below).
    </ResponseField>

    <ResponseField name="mda_serial" type="string">
      Device serial number from the MDA certificate. Should match `serial_number`.
    </ResponseField>

    <ResponseField name="mda_udid" type="string">
      Device UDID from the MDA certificate.
    </ResponseField>

    <ResponseField name="mda_os_version" type="string">
      macOS version reported in the MDA certificate.
    </ResponseField>

    <ResponseField name="mda_sepos_version" type="string">
      Secure Enclave OS version reported in the MDA certificate.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="apple_root_ca_url" type="string">
  URL to Apple's Certificate Authority page where you can download the Enterprise Attestation Root CA.
</ResponseField>

<ResponseField name="apple_enterprise_root_ca" type="string">
  Name of the CA to verify against: `"Apple Enterprise Attestation Root CA"`.
</ResponseField>

<ResponseField name="verification_instructions" type="string">
  Human-readable instructions for verifying the MDA certificate chain.
</ResponseField>

## Independent verification

To verify a hardware-attested provider using the MDA certificate chain:

1. Fetch the attestation data from `GET /v1/providers/attestation`.
2. For each provider with `mda_verified: true`, take the `mda_cert_chain_b64` array.
3. Decode each element from base64 to its raw DER bytes.
4. Download the Apple Enterprise Attestation Root CA from [apple.com/certificateauthority](https://www.apple.com/certificateauthority/).
5. Verify the DER chain against the root CA using any standard X.509 library.

If verification passes, Apple has independently confirmed that the device is a genuine Apple device with the attested hardware properties.

## Example

```bash cURL theme={null}
curl https://api.darkbloom.dev/v1/providers/attestation
```

### Example response

```json theme={null}
{
  "providers": [
    {
      "provider_id": "prov_a1b2c3d4",
      "trust_level": "hardware",
      "status": "online",
      "chip_name": "Apple M3 Max",
      "hardware_model": "Mac14,6",
      "serial_number": "FVFXYZ123456",
      "memory_gb": 128,
      "gpu_cores": 40,
      "models": ["qwen3.5-27b-claude-opus-8bit"],
      "secure_enclave": true,
      "sip_enabled": true,
      "secure_boot_enabled": true,
      "authenticated_root_enabled": true,
      "se_public_key": "BHv9k2...base64...",
      "mdm_verified": true,
      "acme_verified": true,
      "mda_verified": true,
      "mda_cert_chain_b64": [
        "MIIBxTCCAW...base64...",
        "MIICSzCCAd...base64..."
      ],
      "mda_serial": "FVFXYZ123456",
      "mda_udid": "00001234-000A1234B1234567",
      "mda_os_version": "14.5",
      "mda_sepos_version": "20.100.5"
    },
    {
      "provider_id": "prov_e5f6g7h8",
      "trust_level": "self_signed",
      "status": "online",
      "chip_name": "Apple M2",
      "hardware_model": "Mac13,2",
      "serial_number": "C02XY1234567",
      "memory_gb": 32,
      "gpu_cores": 19,
      "models": ["mlx-community/gemma-4-26b-a4b-it-8bit"],
      "secure_enclave": true,
      "sip_enabled": true,
      "secure_boot_enabled": true,
      "authenticated_root_enabled": true,
      "se_public_key": "BKm3p7...base64...",
      "mdm_verified": false,
      "acme_verified": false,
      "mda_verified": false
    }
  ],
  "apple_root_ca_url": "https://www.apple.com/certificateauthority/",
  "apple_enterprise_root_ca": "Apple Enterprise Attestation Root CA",
  "verification_instructions": "Download each provider's mda_cert_chain_b64, decode from base64 to DER, then verify the certificate chain against Apple's Enterprise Attestation Root CA. If verification passes, Apple has confirmed this is a real Apple device with the attested properties."
}
```
