π°
io.github.treza-labs/treza
Manage secure enclaves (TEEs) with attestation, payments, and signing for AI agents.
0 installs
Trust: 37 β Low
Finance
Ask AI about io.github.treza-labs/treza
Powered by Claude Β· Grounded in docs
I know everything about io.github.treza-labs/treza. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Loading tools...
Reviews
Documentation
TREZA SDK
TypeScript SDK for interacting with TREZA's privacy-preserving KYC system and secure enclave management platform.
Table of Contents
- Features
- AI Agent Integration
- x402 Payment Integration
- Quick Start
- Core Features
- Architecture
- API Reference
- Examples
- Documentation
- Development
- Support
- License
Features
Enclave Platform Features
- Secure Enclave Deployment - Deploy and manage AWS Nitro Enclaves with cryptographic attestation
- Lifecycle Management - Full control over enclave state (deploy, pause, resume, terminate)
- Attestation & Verification - Hardware-backed cryptographic proof of enclave integrity
- Comprehensive Logging - Access logs from ECS, Step Functions, Lambda, and applications
- Provider Management - Support for multiple cloud providers and regions
- Task Scheduling - Schedule and manage automated tasks within enclaves
- GitHub Integration - Connect enclaves directly to GitHub repositories
- Docker Support - Search and deploy Docker Hub images
- API Key Management - Fine-grained access control with permissions
Secure Key Management
- Enclave Signing - Transaction signing inside hardware-isolated Nitro Enclaves (recommended)
- Pluggable Signers - Swap between enclave, local, or browser wallet signing with one line
- No Key Exposure - Private keys never leave the TEE in production
- Attestation Verification - Cryptographic proof of enclave integrity before signing
x402 Payments
- Enclave as Payment Wallet - Use TEE-held keys to sign x402 payment headers
- Automatic Payments - Wrap
fetchoraxiosto handle 402 responses transparently - Bazaar Discovery - Find x402-payable services programmatically
- AI Agent Commerce - Agents can autonomously pay for APIs using enclave-managed funds
KYC Features
- Zero-Knowledge KYC - Verify identity without exposing personal data
- Blockchain Integration - Direct integration with KYCVerifier smart contracts
- Convenience Methods - Simple APIs for common KYC checks (age, country, document validity)
- Dual Verification - API-based (fast) OR blockchain-based (trustless)
- Multi-Chain Support - Ethereum, Sepolia, and compatible networks
AI Agent Support
- MCP Server -
@treza/mcpfor Claude, Cursor, and any MCP-compatible agent - OpenAPI 3.1 Spec - Machine-readable API schema for agent frameworks (LangChain, CrewAI, etc.)
- Agent Manifest - Auto-discoverable capabilities at
/.well-known/ai-plugin.json
Developer Experience
- TypeScript Support - Full type safety and IntelliSense
- Easy Integration - Works with any TypeScript/JavaScript project
- Code Generation - Auto-generate integration snippets in multiple languages
- No Authentication Required - Open API protected by rate limiting (KYC endpoints)
- Secure by Design - No personal data storage, cryptographic proofs only
AI Agent Integration
Treza enclaves are designed to work with AI agents out of the box. Three integration paths are available:
MCP Server (Recommended for AI Agents)
The @treza/mcp package exposes all Treza operations as MCP tools. Add it to any MCP-compatible client:
{
"mcpServers": {
"treza": {
"command": "npx",
"args": ["@treza/mcp"],
"env": {
"TREZA_BASE_URL": "https://app.trezalabs.com"
}
}
}
}
This gives agents access to 16 tools (enclave management, attestation verification, task scheduling, API key management) and 4 browsable resources.
OpenAPI Spec (For Agent Frameworks)
The full API is documented as an OpenAPI 3.1 spec, compatible with any agent framework that can ingest tool schemas:
https://app.trezalabs.com/.well-known/openapi.json
Agent Manifest (For Discovery)
A machine-readable manifest describing Treza's capabilities:
https://app.trezalabs.com/.well-known/ai-plugin.json
x402 Payment Integration
Use a Treza Enclave as an x402 payment wallet. Private keys sign payment headers inside the TEE β they never leave the hardware boundary. This enables AI agents and programmatic clients to automatically pay for x402-gated APIs using enclave-managed funds.
Install Dependencies
npm install @treza/sdk ethers @x402/fetch @x402/core @x402/evm
Automatic Payments with Fetch
import { TrezaClient, createEnclaveFetch } from '@treza/sdk';
const client = new TrezaClient({
baseUrl: 'https://app.trezalabs.com',
});
// Wrap fetch β 402 responses are paid automatically
const paidFetch = await createEnclaveFetch(client, {
enclaveId: 'enc_abc123',
verifyAttestation: true, // verify enclave integrity before each payment
});
const response = await paidFetch('https://api.example.com/paid-endpoint');
const data = await response.json();
Using the x402 Client Directly
import { TrezaClient, createEnclaveX402Client } from '@treza/sdk';
import { wrapFetchWithPayment } from '@x402/fetch';
const client = new TrezaClient({ baseUrl: 'https://app.trezalabs.com' });
const { x402, account } = await createEnclaveX402Client(client, {
enclaveId: 'enc_abc123',
});
console.log('Payment wallet:', account.address);
// Use x402 client with any wrapper
const paidFetch = wrapFetchWithPayment(fetch, x402);
Custom viem Account
For advanced use cases, create a viem-compatible account directly:
import { TrezaClient, createEnclaveAccount } from '@treza/sdk';
import { x402Client } from '@x402/core/client';
import { registerExactEvmScheme } from '@x402/evm/exact/client';
const client = new TrezaClient({ baseUrl: 'https://app.trezalabs.com' });
const account = await createEnclaveAccount(client, { enclaveId: 'enc_abc123' });
// Register with x402 manually
const x402 = new x402Client();
registerExactEvmScheme(x402, { signer: account });
Discover Payable Services
import { discoverPayableServices } from '@treza/sdk';
const services = await discoverPayableServices({
maxPrice: '0.01',
network: 'eip155:8453', // Base mainnet
});
console.log('Available services:', services.length);
Quick Start
Installation
npm install @treza/sdk ethers
Environment Setup
Create a .env file:
# API Configuration
TREZA_API_URL=https://api.trezalabs.com/api
# For local development: http://localhost:3000/api
# Enclave Platform
TREZA_PLATFORM_URL=https://app.trezalabs.com
WALLET_ADDRESS=0x...your-wallet-address
# Blockchain Configuration (for KYC)
SEPOLIA_RPC_URL=https://rpc.sepolia.org
SEPOLIA_KYC_VERIFIER_ADDRESS=0xB1D98F688Fac29471D91234d9f8EbB37238Df6FA
# Enclave ID for signing (production)
TREZA_ENCLAVE_ID=enc_...your-enclave-id
See .env.example for all available configuration options.
Basic Usage - KYC with Enclave Signing (Recommended)
In production, private keys are managed inside Treza Nitro Enclaves and never leave the hardware-isolated TEE. The SDK provides pluggable signers so you can swap between enclave signing, local keys, or browser wallets with one line of code.
import { TrezaClient, TrezaKYCClient, EnclaveSigner } from '@treza/sdk';
// 1. Connect to the Treza platform
const platform = new TrezaClient({
baseUrl: process.env.TREZA_PLATFORM_URL,
});
// 2. Create an EnclaveSigner (keys never leave the TEE)
const signer = new EnclaveSigner(platform, {
enclaveId: process.env.TREZA_ENCLAVE_ID!,
verifyAttestation: true, // verify enclave integrity before signing
});
// 3. Initialize the KYC client with secure signing
const client = new TrezaKYCClient({
apiUrl: process.env.TREZA_API_URL!,
blockchain: {
rpcUrl: process.env.SEPOLIA_RPC_URL!,
contractAddress: process.env.SEPOLIA_KYC_VERIFIER_ADDRESS!,
signerProvider: signer,
},
});
// Submit proof on-chain (signed inside the enclave)
const txHash = await client.submitProofOnChain({
commitment: proof.commitment,
proof: proof.proof,
publicInputs: proof.publicInputs,
});
Local Development (Demo Only)
For local development and testing, you can use LocalSigner with a raw private key. Do not use this in production.
import { TrezaKYCClient, LocalSigner } from '@treza/sdk';
const client = new TrezaKYCClient({
apiUrl: 'http://localhost:3000/api',
blockchain: {
rpcUrl: 'http://localhost:8545',
contractAddress: '0x...',
signerProvider: new LocalSigner(process.env.PRIVATE_KEY!),
},
});
Read-Only Usage (No Signing)
Many KYC operations don't require signing at all:
import { TrezaKYCClient } from '@treza/sdk';
const client = new TrezaKYCClient({
apiUrl: process.env.TREZA_API_URL!,
blockchain: {
rpcUrl: process.env.SEPOLIA_RPC_URL!,
contractAddress: process.env.SEPOLIA_KYC_VERIFIER_ADDRESS!,
},
});
// Check if user is an adult (read-only, no signer needed)
const isAdult = await client.isAdult(proofId);
console.log('User is 18+:', isAdult);
// Get all claims
const claims = await client.getClaims(proofId);
console.log(claims);
// {
// country: 'US',
// isAdult: true,
// documentValid: true,
// documentType: 'passport'
// }
// Verify requirements
const result = await client.meetsRequirements(proofId, {
mustBeAdult: true,
allowedCountries: ['US', 'CA', 'GB'],
mustHaveValidDocument: true,
});
if (result.meets) {
console.log('User meets all requirements!');
} else {
console.log('Requirements not met:', result.reason);
}
Basic Usage - Enclave Platform
import { TrezaClient } from '@treza/sdk';
// Initialize client
const client = new TrezaClient({
baseUrl: process.env.TREZA_PLATFORM_URL
});
// Create a secure enclave from a Docker image
const enclave = await client.createEnclave({
name: 'My Secure Enclave',
description: 'Privacy-preserving computation',
region: 'us-west-2',
walletAddress: process.env.WALLET_ADDRESS,
providerId: 'aws-nitro',
sourceType: 'registry',
providerConfig: {
sourceType: 'registry',
dockerImage: 'nginx:alpine',
instanceType: 'm6i.xlarge',
cpuCount: '2',
memoryMiB: '1024',
workloadType: 'service',
},
});
// Or deploy directly from a GitHub repository (Treza auto-builds the image)
const enclaveFromGitHub = await client.createEnclave({
name: 'My GitHub Enclave',
description: 'Built from source',
region: 'us-west-2',
walletAddress: process.env.WALLET_ADDRESS,
providerId: 'aws-nitro',
sourceType: 'github',
providerConfig: {
sourceType: 'github',
instanceType: 'm6i.xlarge',
cpuCount: '2',
memoryMiB: '1024',
workloadType: 'service',
},
githubConnection: {
isConnected: true,
username: 'my-org',
selectedRepo: 'my-org/my-repo',
selectedBranch: 'main',
accessToken: process.env.GITHUB_TOKEN, // required for private repos
},
});
console.log('Enclave created:', enclave.id);
// Status progresses: PENDING_BUILD β BUILDING β PENDING_DEPLOY β DEPLOYING β DEPLOYED
console.log('Status:', enclave.status);
console.log('Build ID:', enclaveFromGitHub.buildId);
// Get attestation and verify
const attestation = await client.getAttestation(enclave.id);
console.log('Trust Level:', attestation.verification.trustLevel);
console.log('PCR Measurements:', attestation.attestationDocument.pcrs);
// Verify enclave integrity
const verification = await client.verifyAttestation(enclave.id);
console.log('Is Valid:', verification.isValid);
console.log('Compliance:', verification.complianceChecks);
See Quick Reference for more examples and complete API documentation.
Core Features
KYC Features
Convenience Methods
The SDK provides simple methods for common KYC checks:
// Check specific claims
const isAdult = await client.isAdult(proofId);
const country = await client.getCountry(proofId);
const hasValidDoc = await client.hasValidDocument(proofId);
const docType = await client.getDocumentType(proofId);
// Get all claims at once
const claims = await client.getClaims(proofId);
// Verify multiple requirements
const result = await client.meetsRequirements(proofId, {
mustBeAdult: true,
allowedCountries: ['US', 'CA', 'GB'],
mustHaveValidDocument: true,
allowedDocumentTypes: ['passport', 'drivers_license']
});
Dual Verification
Choose between API-based (fast) or blockchain-based (trustless) verification:
// Via API (fast)
const isAdult = await client.isAdult(proofId);
// Via blockchain (trustless)
const isAdultOnChain = await client.isAdult(proofId, true);
Blockchain Operations
Direct interaction with KYCVerifier smart contracts:
// Check if user has valid KYC on-chain
const hasKYC = await client.hasValidKYC(userAddress);
// Get proof details from blockchain
const proof = await client.getProofFromChain(proofId);
// Get user's latest proof ID
const proofId = await client.getUserProofId(userAddress);
Architecture
KYC Platform
βββββββββββββββββββββββββββββββββββββββ
β Your Application β
β (Node.js / Browser / React) β
βββββββββββββββ¬ββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββ
β TREZA SDK β
β β’ TrezaKYCClient β
β β’ Convenience methods β
β β’ Type-safe API β
βββββββββββββββ¬ββββββββββββββββββββββββ
β
βββββββ΄ββββββ
β β
βΌ βΌ
βββββββββββββ ββββββββββββββββββ
β API β β Blockchain β
β (Fast) β β (Trustless) β
β β β β
β β’ Verify β β β’ KYCVerifier β
β Claims β β Contract β
β β’ Get β β β’ On-chain β
β Proofs β β Proofs β
βββββββββββββ ββββββββββββββββββ
Enclave Platform
βββββββββββββββββββββββββββββββββββββββ
β Your Application β
β (Node.js / Browser / React) β
βββββββββββββββ¬ββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββ
β TREZA SDK β
β β’ TrezaClient β
β β’ Enclave Management β
β β’ Attestation & Verification β
β β’ Task Scheduling β
β β’ GitHub & Docker Integration β
βββββββββββββββ¬ββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββ
β TREZA Platform API β
β β’ Enclave Orchestration β
β β’ Lifecycle Management β
β β’ Log Aggregation β
β β’ Attestation Services β
βββββββββββββββ¬ββββββββββββββββββββββββ
β
βββββββ΄ββββββββββ
β β
βΌ βΌ
βββββββββββββββ βββββββββββββββββββ
β AWS Nitro β β Verification β
β Enclaves β β Infrastructure β
β β β β
β β’ Hardware β β β’ PCR Checks β
β Isolation β β β’ Certificate β
β β’ Crypto β β Validation β
β Attest. β β β’ Compliance β
βββββββββββββββ βββββββββββββββββββ
Key Management & Signing
The Treza SDK provides a pluggable signing architecture. Instead of storing private keys in .env files, you choose a SignerProvider that matches your environment:
| Signer | Environment | How It Works |
|---|---|---|
EnclaveSigner | Production (recommended) | Keys are generated and stored inside a Treza Nitro Enclave. Signing requests go through the Platform API to the TEE. Keys never leave the enclave. |
LocalSigner | Development/Testing | Wraps a raw private key string. Emits a warning if used in production. |
BrowserWalletSigner | Client-side dApps | Delegates to MetaMask or any injected Web3 wallet. Prompts the user to sign. |
Signing Flow (EnclaveSigner)
Your App --> TrezaKYCClient --> EnclaveSigner --> Platform API --> Nitro Enclave
|
Signs transaction
(key never leaves TEE)
|
Your App <-- TrezaKYCClient <-- EnclaveSigner <-- Platform API <-- Signed TX
Using EnclaveSigner
import { TrezaClient, EnclaveSigner, TrezaKYCClient } from '@treza/sdk';
const platform = new TrezaClient();
const signer = new EnclaveSigner(platform, {
enclaveId: 'enc_abc123',
verifyAttestation: true, // verify TEE integrity before each sign
});
const client = new TrezaKYCClient({
apiUrl: 'https://api.trezalabs.com/api',
blockchain: {
rpcUrl: 'https://rpc.sepolia.org',
contractAddress: '0x...',
signerProvider: signer,
},
});
Custom Signers
You can implement the SignerProvider interface to integrate any key management system (AWS KMS, HashiCorp Vault, hardware wallets, etc.):
import { SignerProvider } from '@treza/sdk';
import { ethers } from 'ethers';
class MyCustomSigner implements SignerProvider {
readonly type = 'custom';
async getSigner(provider?: ethers.Provider): Promise<ethers.Signer> {
// Your custom signing logic here
}
async getAddress(): Promise<string> {
// Return the signing address
}
}
API Reference
TrezaClient
Main client for enclave platform management.
Constructor
new TrezaClient(config?: TrezaConfig)
Config Options:
baseUrl: Base API URL (default:https://app.trezalabs.com)timeout: Request timeout in milliseconds (default:30000)
Enclave Methods
Core Operations:
getEnclaves(walletAddress)- Get all enclavesgetEnclave(enclaveId)- Get specific enclavecreateEnclave(request)- Create new enclaveupdateEnclave(request)- Update enclavedeleteEnclave(enclaveId, walletAddress)- Delete enclave
Lifecycle Management:
pauseEnclave(enclaveId, walletAddress)- Pause enclaveresumeEnclave(enclaveId, walletAddress)- Resume enclaveterminateEnclave(enclaveId, walletAddress)- Terminate enclaveperformEnclaveAction(request)- Generic lifecycle action
Logging:
getEnclaveLogs(enclaveId, logType?, limit?)- Get logs- Log types:
'all','ecs','stepfunctions','lambda','application','errors'
- Log types:
Attestation & Verification:
getAttestation(enclaveId)- Get attestation document with PCR measurementsgetVerificationStatus(enclaveId)- Quick verification statusverifyAttestation(enclaveId, request?)- Comprehensive verification with compliance checksgenerateIntegrationSnippet(enclaveId, language?)- Generate code snippets- Languages:
'javascript','python','curl','java'
- Languages:
Provider Methods
getProviders()- Get all available providersgetProvider(providerId)- Get specific provider
Task Methods
getTasks(walletAddress)- Get all taskscreateTask(request)- Create scheduled taskupdateTask(request)- Update taskdeleteTask(taskId, walletAddress)- Delete task
API Key Methods
getApiKeys(walletAddress)- Get all API keyscreateApiKey(request)- Create API key with permissionsupdateApiKey(request)- Update API keydeleteApiKey(apiKeyId, walletAddress)- Delete API key
GitHub Methods
getGitHubAuthUrl(state?)- Get OAuth authorization URLexchangeGitHubCode(request)- Exchange OAuth code for tokengetGitHubRepositories(accessToken)- Get user repositoriesgetRepositoryBranches(request)- Get repository branches
Docker Methods
searchDockerImages(query)- Search Docker HubgetDockerTags(repository)- Get available tags for image
TrezaKYCClient
Client for KYC verification operations.
Constructor
new TrezaKYCClient(config: TrezaKYCConfig)
Config Options:
apiUrl: API endpoint URL (required)apiKey: API key for authenticated requests (optional)blockchain: Blockchain configuration (optional)rpcUrl: Ethereum RPC URLcontractAddress: KYCVerifier contract addresssignerProvider: ASignerProviderfor secure key management (recommended)privateKey: (deprecated) Raw private key for write operations β usesignerProviderinstead
Methods
Convenience Methods:
isAdult(proofId, useBlockchain?)- Check if user is 18+getCountry(proofId, useBlockchain?)- Get user's nationalityhasValidDocument(proofId, useBlockchain?)- Check document validitygetDocumentType(proofId, useBlockchain?)- Get document typegetClaims(proofId, useBlockchain?)- Get all public claimsmeetsRequirements(proofId, requirements, useBlockchain?)- Verify requirements
Core Methods:
submitProof(params)- Submit proof to APIverifyProof(proofId)- Verify proof via APIgetProof(proofId)- Get proof details
Blockchain Methods:
hasValidKYC(userAddress)- Check if user has valid KYC on-chaingetProofFromChain(proofId)- Get proof from blockchaingetUserProofId(userAddress)- Get user's latest proof IDsubmitProofOnChain(params)- Submit proof to blockchainverifyProofOnChain(params)- Verify proof on blockchain
Examples
Age-Gated Content
async function checkAccess(proofId: string) {
const client = new TrezaKYCClient({ apiUrl: process.env.TREZA_API_URL });
const isAdult = await client.isAdult(proofId);
if (isAdult) {
return { access: 'granted' };
} else {
return { access: 'denied', reason: 'Must be 18+' };
}
}
Country Restrictions
async function checkEligibility(proofId: string) {
const client = new TrezaKYCClient({ apiUrl: process.env.TREZA_API_URL });
const country = await client.getCountry(proofId);
const allowedCountries = ['US', 'CA', 'GB'];
if (allowedCountries.includes(country)) {
return { eligible: true };
} else {
return { eligible: false, reason: `Not available in ${country}` };
}
}
KYC-Gated Platform
async function verifyKYC(proofId: string) {
const client = new TrezaKYCClient({ apiUrl: process.env.TREZA_API_URL });
const result = await client.meetsRequirements(proofId, {
mustBeAdult: true,
mustHaveValidDocument: true,
allowedCountries: ['US', 'CA', 'MX', 'GB'],
});
return result.meets;
}
Enclave Platform
The TREZA SDK provides comprehensive management of secure AWS Nitro Enclaves with cryptographic attestation for privacy-preserving computation.
Getting Started with Enclaves
import { TrezaClient } from '@treza/sdk';
// Initialize client
const client = new TrezaClient({
baseUrl: 'https://app.trezalabs.com', // optional, this is the default
timeout: 30000 // optional, request timeout in ms
});
const WALLET_ADDRESS = '0x...'; // Your wallet address
Enclave Management
Create and Deploy an Enclave
// Get available providers
const providers = await client.getProviders();
const awsProvider = providers.find(p => p.id === 'aws-nitro');
// Create enclave from a Docker image (registry)
const enclave = await client.createEnclave({
name: 'Trading Bot Enclave',
description: 'Secure enclave for automated trading',
region: 'us-west-2',
walletAddress: WALLET_ADDRESS,
providerId: 'aws-nitro',
sourceType: 'registry',
providerConfig: {
sourceType: 'registry',
dockerImage: 'myorg/trading-bot:latest',
instanceType: 'm6i.xlarge',
cpuCount: '2',
memoryMiB: '1024',
workloadType: 'service',
}
});
// Create enclave from a GitHub repo (Treza auto-builds the Docker image)
const enclaveFromGit = await client.createEnclave({
name: 'API Service Enclave',
description: 'Built directly from GitHub',
region: 'us-west-2',
walletAddress: WALLET_ADDRESS,
providerId: 'aws-nitro',
sourceType: 'github',
providerConfig: {
sourceType: 'github',
instanceType: 'm6i.xlarge',
cpuCount: '2',
memoryMiB: '1024',
workloadType: 'service',
},
githubConnection: {
isConnected: true,
username: 'my-org',
selectedRepo: 'my-org/my-api',
selectedBranch: 'main',
accessToken: process.env.GITHUB_TOKEN,
}
});
console.log('Enclave created:', enclave.id);
// For registry source: PENDING_DEPLOY β DEPLOYING β DEPLOYED
// For GitHub source: PENDING_BUILD β BUILDING β PENDING_DEPLOY β DEPLOYING β DEPLOYED
console.log('Status:', enclave.status);
console.log('Build ID:', enclaveFromGit.buildId); // CodeBuild job ID (GitHub source only)
List and Get Enclaves
// Get all enclaves for your wallet
const enclaves = await client.getEnclaves(WALLET_ADDRESS);
// Get specific enclave details
const enclave = await client.getEnclave(enclaveId);
console.log(`${enclave.name} - Status: ${enclave.status}`);
Update an Enclave
const updated = await client.updateEnclave({
id: enclaveId,
walletAddress: WALLET_ADDRESS,
description: 'Updated description',
providerConfig: {
instanceType: 't3.medium'
}
});
Enclave Lifecycle Management
Control enclave state with pause, resume, and terminate operations:
// Pause an enclave (stops compute, reduces costs)
const paused = await client.pauseEnclave(enclaveId, WALLET_ADDRESS);
console.log('Status:', paused.enclave.status); // PAUSED
// Resume a paused enclave
const resumed = await client.resumeEnclave(enclaveId, WALLET_ADDRESS);
console.log('Status:', resumed.enclave.status); // DEPLOYED
// Terminate an enclave (permanent deletion)
const terminated = await client.terminateEnclave(enclaveId, WALLET_ADDRESS);
console.log('Status:', terminated.enclave.status); // DESTROYED
Attestation & Cryptographic Verification
TREZA enclaves provide hardware-backed cryptographic proof of integrity:
// Get full attestation document with PCR measurements
const attestation = await client.getAttestation(enclaveId);
console.log('PCR0 (Enclave Image):', attestation.attestationDocument.pcrs[0]);
console.log('PCR1 (Kernel):', attestation.attestationDocument.pcrs[1]);
console.log('PCR2 (Application):', attestation.attestationDocument.pcrs[2]);
console.log('Trust Level:', attestation.verification.trustLevel); // HIGH, MEDIUM, LOW
// Quick verification status check
const status = await client.getVerificationStatus(enclaveId);
console.log('Is Verified:', status.isVerified);
console.log('Trust Level:', status.trustLevel);
// Comprehensive verification with compliance checks
const verification = await client.verifyAttestation(enclaveId, {
nonce: 'your-unique-nonce-here' // For replay attack protection
});
console.log('Valid:', verification.isValid);
console.log('PCR Verification:', verification.verificationDetails.pcrVerification);
console.log('Certificate Chain:', verification.verificationDetails.certificateChain);
console.log('Compliance:', verification.complianceChecks);
// {
// soc2: true,
// hipaa: true,
// fips: true,
// commonCriteria: true
// }
console.log('Risk Score:', verification.riskScore); // Lower is better
console.log('Recommendations:', verification.recommendations);
Integration Code Generation
Generate ready-to-use code snippets for third-party integration:
// Generate JavaScript/TypeScript snippet
const jsCode = await client.generateIntegrationSnippet(enclaveId, 'javascript');
// Generate Python snippet
const pyCode = await client.generateIntegrationSnippet(enclaveId, 'python');
// Generate cURL commands
const curlCode = await client.generateIntegrationSnippet(enclaveId, 'curl');
// Generate Java snippet
const javaCode = await client.generateIntegrationSnippet(enclaveId, 'java');
Comprehensive Logging
Access logs from all enclave components:
// Get all logs
const allLogs = await client.getEnclaveLogs(enclaveId);
// Get specific log types
const ecsLogs = await client.getEnclaveLogs(enclaveId, 'ecs', 100);
const appLogs = await client.getEnclaveLogs(enclaveId, 'application', 100);
const errorLogs = await client.getEnclaveLogs(enclaveId, 'errors', 50);
const lambdaLogs = await client.getEnclaveLogs(enclaveId, 'lambda', 100);
const stepFunctionLogs = await client.getEnclaveLogs(enclaveId, 'stepfunctions', 100);
// Log structure
console.log(allLogs.logs.application?.[0]);
// {
// timestamp: 1700000000000,
// message: 'Application started',
// source: 'application',
// stream: 'app-stream-1',
// type: 'stdout'
// }
Task Scheduling
Schedule automated tasks within enclaves:
// Create a scheduled task
const task = await client.createTask({
name: 'Daily Data Sync',
description: 'Sync data every day at midnight',
enclaveId: enclaveId,
schedule: '0 0 * * *', // Cron expression
walletAddress: WALLET_ADDRESS
});
// List all tasks
const tasks = await client.getTasks(WALLET_ADDRESS);
// Update task schedule
const updated = await client.updateTask({
id: task.id,
walletAddress: WALLET_ADDRESS,
schedule: '0 */6 * * *', // Every 6 hours
status: 'running'
});
// Delete a task
await client.deleteTask(task.id, WALLET_ADDRESS);
GitHub Integration
Connect enclaves to GitHub repositories for automated deployments:
// Get GitHub OAuth URL
const auth = await client.getGitHubAuthUrl();
console.log('Authorize at:', auth.authUrl);
// After user authorization, exchange code for token
const tokenResponse = await client.exchangeGitHubCode({
code: 'oauth-code-from-callback'
});
// Get user's repositories
const repos = await client.getGitHubRepositories(tokenResponse.access_token);
// Get branches for a specific repository
const branches = await client.getRepositoryBranches({
accessToken: tokenResponse.access_token,
repository: 'username/repo-name'
});
// Create enclave with GitHub connection
const enclave = await client.createEnclave({
name: 'GitHub-connected Enclave',
description: 'Auto-deploys from GitHub',
region: 'us-east-1',
walletAddress: WALLET_ADDRESS,
providerId: awsProvider.id,
githubConnection: {
isConnected: true,
username: tokenResponse.user.login,
selectedRepo: 'username/repo-name',
selectedBranch: 'main',
accessToken: tokenResponse.access_token
}
});
Docker Integration
Search and use Docker Hub images:
// Search for Docker images
const searchResults = await client.searchDockerImages('nodejs');
console.log('Found images:', searchResults.count);
searchResults.results.forEach(img => {
console.log(`${img.name}: ${img.description} (β ${img.stars})`);
});
// Get available tags for an image
const tags = await client.getDockerTags('library/node');
tags.tags.forEach(tag => {
console.log(`${tag.name} - ${tag.size} bytes - Updated: ${tag.lastUpdated}`);
});
API Key Management
Create and manage API keys with fine-grained permissions:
// Create an API key with specific permissions
const apiKey = await client.createApiKey({
name: 'Production API Key',
walletAddress: WALLET_ADDRESS,
permissions: ['enclaves:read', 'enclaves:write', 'tasks:read', 'logs:read']
});
console.log('API Key:', apiKey.key); // Only shown once!
console.log('Permissions:', apiKey.permissions);
// List all API keys
const keys = await client.getApiKeys(WALLET_ADDRESS);
// Update API key permissions
const updated = await client.updateApiKey({
id: apiKey.id,
walletAddress: WALLET_ADDRESS,
permissions: ['enclaves:read', 'logs:read'], // Reduced permissions
status: 'active'
});
// Revoke an API key
await client.deleteApiKey(apiKey.id, WALLET_ADDRESS);
Documentation
KYC Documentation
- Quick Reference - Common use cases and examples
- Environment Configuration - Complete configuration guide
- Setup Guide - Interactive setup script
- KYC Examples - Working code examples
Enclave Platform Documentation
- Basic Usage Example - Complete SDK walkthrough
- Compliance Integration - Enterprise compliance examples
- Production Readiness - Production deployment guide
Development
Setup
git clone https://github.com/treza-labs/treza-sdk.git
cd treza-sdk
npm install
Build
npm run build
Run Examples
KYC Examples
# Setup environment
./setup-env.sh
# Check adult status
npx tsx examples/kyc/check-adult.ts <proofId>
# Submit proof
npx tsx examples/kyc/submit-proof.ts
# Verify proof
npx tsx examples/kyc/verify-proof.ts <proofId>
Enclave Platform Examples
# Complete SDK demonstration
npx tsx examples/basic-usage.ts
# Examples include:
# - Provider management
# - Enclave lifecycle (create, pause, resume, terminate)
# - Comprehensive logging
# - Docker Hub integration
# - Attestation and verification
# - Task scheduling
# - API key management
# - GitHub integration
# - Complete setup workflows
Support
- Documentation: QUICK_REFERENCE.md
- GitHub Issues: Report bugs
- Website: trezalabs.com
License
MIT License - see LICENSE file for details.
Packages
| Package | Description | npm |
|---|---|---|
@treza/sdk | Core SDK for enclaves, KYC, and signing | |
@treza/react | React components and hooks |  |
@treza/mcp | MCP server for AI agents |  |
Links
- GitHub: github.com/treza-labs/treza-sdk
- npm: @treza/sdk
- MCP Server: @treza/mcp
- OpenAPI Spec: app.trezalabs.com/.well-known/openapi.json
- Smart Contracts: treza-contracts
- CLI: treza-cli
- Mobile App: treza-mobile
- Backend API: treza-app