Verifiable Cloud

Infrastructure you can verify, not just trust

0xKey runs inside AWS Nitro Enclaves. Every enclave produces a hardware-signed attestation you can verify yourself — replacing blind trust with cryptographic proof.

Hardware-isolated Enclave Architecture

One enclave. Three independent verification paths.

Keys and policies run inside an AWS Nitro Enclave. The exact code that touches your keys is verifiable through hardware attestation, reproducible builds, and open source — any one is sufficient on its own.

Your Application

Calls the 0xKey API to create wallets, sign transactions, and evaluate policies.

API Request

AWS Nitro Enclave
  • Hardware-isolated memory & CPU
  • Key generation & signing
  • CEL policy evaluation
  • Nitro-signed attestation

Signed Response + Attestation

Hardware Attestation

AWS Nitro signs a measurement of the exact code running.

Reproducible Build

Build from source; the SHA-256 must match the attestation.

Open Source

Read every line of enclave code before you trust it.

Self-Verification

How to verify the enclave yourself

Three steps. No trust required.

1. Request attestation

Call the attestation endpoint on any running enclave to receive a signed report.

// See docs for the exact endpoint
const attestation = await client.enclave.attest();

2. Verify the report

The report contains the enclave's measurement (a hash of the running code) signed by AWS Nitro hardware.

attestation.codeHash // SHA-256 of running binary

3. Compare against source

Build the enclave from our open-source repository and confirm the binary hash matches.

git clone https://github.com/0xkey-io/enclave
cd enclave
docker build --target enclave .
# Hash must match attestation.codeHash
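
The comparison in step 3, written to fail closed. This is an added example, not 0xKey's code. Only the field name `attestation.codeHash` comes from this page; the function names, the result shape and the sample bytes are assumptions, and the report's signature is assumed to have been verified already in step 2.

```javascript
// Added example: fail-closed check of a local build against the attested hash.
// `codeHash` is the field named on the page; all other names are hypothetical.
const crypto = require('crypto');
const fs = require('fs');

// Accepts bare or "0x"-prefixed hex in any case; returns a 32-byte Buffer or null.
function parseSha256Hex(value) {
  if (typeof value !== 'string') return null;
  const hex = value.trim().replace(/^0x/i, '');
  return /^[0-9a-fA-F]{64}$/.test(hex) ? Buffer.from(hex, 'hex') : null;
}

// SHA-256 of a build artifact on disk, returned as a Buffer.
function sha256File(path) {
  return crypto.createHash('sha256').update(fs.readFileSync(path)).digest();
}

// Compare the attested hash with the digest of the local build.
// Missing or malformed input is reported as a failure, never as a match.
function checkCodeHash(attestation, localDigest) {
  const attested = parseSha256Hex(attestation && attestation.codeHash);
  if (!attested) {
    return { ok: false, reason: 'attestation.codeHash missing or not SHA-256 hex' };
  }
  if (!Buffer.isBuffer(localDigest) || localDigest.length !== 32) {
    return { ok: false, reason: 'local digest is not 32 bytes' };
  }
  // timingSafeEqual needs equal lengths, which the checks above guarantee.
  if (!crypto.timingSafeEqual(attested, localDigest)) {
    return { ok: false, reason: 'local build does not match attested code hash' };
  }
  return { ok: true, reason: 'local build matches attested code hash' };
}

// Constructed sample: stand-in bytes for a build output, not a real enclave image.
const sampleArtifact = Buffer.from('constructed sample enclave image bytes');
const sampleDigest = crypto.createHash('sha256').update(sampleArtifact).digest();
const sampleAttestation = { codeHash: '0x' + sampleDigest.toString('hex').toUpperCase() };

console.log(checkCodeHash(sampleAttestation, sampleDigest)); // matching build
console.log(checkCodeHash({ codeHash: 'deadbeef' }, sampleDigest)); // truncated hash
```

For a real check, pass `sha256File(<path to your build output>)` as the second argument.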

Real-time Enclave Verification

Request an attestation report from any running enclave and verify it against our published open-source binary hash — at any time, from anywhere.

Hardware-signed Attestation

Every enclave produces an AWS Nitro attestation report signed by hardware. The report contains the exact measurement of the code running — cryptographically bound to AWS's hardware root of trust.

Reproducible Builds

Enclave code is compiled with reproducible builds. Compile the source yourself and compare the SHA-256 against what's running in production.

Tamper-proof Audit Trail

Every key operation generates a cryptographically chained log entry. Logs cannot be altered retroactively — providing a forensics-ready audit trail.

Independent Security Audits

Enclave code and infrastructure reviewed by top security firms.

  • Trail of Bits: Complete (Q1 2025)
  • Zellic: Complete (Q2 2025)
  • Cure53: In Progress (Q3 2025)
  • SOC 2 Type II: Planned (2026)

Start shipping

Build accounts, not wallets.

Start with a free developer key. Ship your first policy-gated, agent-signed transaction in minutes.