CLOISTER
▸ The Manual

Read the manual.

Cloister is a gateway to LLM inference that runs inside a hardware-sealed enclave. You paste a code, you pay in TAO, the model answers, the host never sees your prompt. This page explains how that actually works.

In one paragraph

You generate a 16-character code in your browser. We never see it — only the Argon2 hash. You send TAO to a per-account address. You call POST /v1/chat/completions with that code as the bearer token. We forward the request to a TEE-enclaved model on a compute partner, charge your balance in TAO at the call-time price, and return the answer. Nobody on the path can read the plaintext.

02What a TEE is

A Trusted Execution Environment is a region of a CPU or GPU that runs code in encrypted memory, in a way the operating system, the hypervisor, the cloud provider, and the machine owner cannot read or modify. The chip itself enforces the boundary, in hardware, by refusing memory access from anything outside the enclave.

Three TEE families exist in production today:

  • Intel TDX — confidential VMs on Xeon Scalable
  • AMD SEV-SNP — confidential VMs on EPYC
  • NVIDIA H100 Confidential Compute — GPU-side encrypted execution for inference workloads

Every TEE-attested model in our catalog runs inside one of these. The chip returns an attestation — a signed statement saying "this exact code is running, in this exact enclave, on this real hardware." If the attestation doesn't verify, the request fails.

HOST · CAN'T READ TEE · SEALED CORE model runs here plaintext only inside ciphertext in ciphertext out
Anatomy of a single inference call — the host wraps the box but never reads inside

If the chip is honest about its hardware (the security assumption of every confidential-compute deployment in industry), the operator of the machine, the cloud, and Cloister itself cannot read what passes through. The only party who sees the plaintext is you and the model.

03Quick start

The shortest possible end-to-end flow, with one curl call:

  1. Go to cloister.space/app → click create code. Save the 16-character code somewhere you trust (password manager, paper, your head). We can't recover it.
  2. The app shows your deposit address — send TAO to it on Bittensor Finney. Balance updates within a couple of blocks.
  3. Call the API:
# one OpenAI-compatible call, your code as the bearer token
curl https://api.cloister.space/v1/chat/completions \
  -H "Authorization: Bearer cloi-XXXX-XXXX-XXXX-XXXX" \
  -H "Content-Type: application/json" \
  -d '{"model":"qwen3-32b","messages":[{"role":"user","content":"hi"}]}'

That's the whole product surface. We charge your TAO balance for the call, return upstream output verbatim.

04Endpoints

Cloister speaks an OpenAI-compatible subset. If your client supports a custom base URL, you can drop in https://api.cloister.space and most things work.

MethodPathPurpose
POST/v1/account/createGenerate a fresh 16-char code + account. Run once, save the code.
GET/v1/accountReturns your balance in plancks + τ + USD, last 4 chars of code, current oracle rate.
POST/v1/account/topup-addressReturns your HD-derived SS58 deposit address.
GET/v1/account/usageLast 50 events, each with model · token counts · TAO + USD cost · timestamp.
GET/v1/modelsCatalog of TEE-attested models we resell, with per-token rates.
POST/v1/chat/completionsThe main thing. OpenAI-shaped request → enclave → upstream response, debited.

Every authenticated endpoint takes the same bearer token (your 16-char code, with or without dashes). We strip dashes on receipt, hash with Argon2id, and look up the account row. No raw codes are ever stored.

05Auth model

There are no emails, passwords, or recovery questions. The 16-character code is the account. It's how we know it's you, and the only proof of ownership we accept.

X X X X – X X X X – X X X X – X X X X argon2id (32 MiB · 3 iter) $argon2id$v=19$m=32768,t=3,p=2$…$… ← stored
Codes are hashed before they hit the database — we never write the raw value to disk

The math: 16 × 5 bits of base32 = 80 bits of entropy. Brute-forcing the hashed value is infeasible. We rate-limit failed login lookups per IP so distributed scraping is also infeasible.

Practical implications you should know:

  • Lose the code = lose the balance. There is no support flow that will get it back, because there is no information to recover from. We're not being cute.
  • Share the code = share the wallet. Anyone with it can drain your balance.
  • Treat it like a seed phrase. Same shape, same threat model, same hygiene.

06Pricing & TAO

Per-call cost is per-token, paid in TAO. We do not subscribe, we do not bundle, we do not have tiers.

The formula:

cost_tao = (prompt_tokens × in_rate + completion_tokens × out_rate) × 1.15
       ÷ tao_usd_rate_at_call_time
  • in_rate, out_rate — the upstream USD/M-token price for that model
  • × 1.15 — flat 15% markup, applied uniformly
  • tao_usd_rate_at_call_time — CoinGecko spot for TAO, refreshed every 5 minutes, snapshotted on the usage event so historical costs don't drift

Accounting is done in plancks (1 TAO = 1,000,000,000 plancks) as BigInt — no float drift, no rounding surprises.

If the oracle is offline

If our TAO/USD oracle hasn't refreshed and has no cached value, /v1/chat/completions returns 503. We'd rather refuse a call than risk mis-pricing it. Existing balance and account state remain unaffected.

07Deposits

Every account gets its own SS58 deposit address, derived from a master sr25519 seed via the BIP-39 derivation path //account/<id>. Each address is unique, so we know exactly which TAO transfer belongs to which account.

YOUR WALLET τ in DERIVED ADDRESS //account/<id> swept MASTER SS58 credits balance ↑ watcher subscribes to balances.Transfer events on Finney
Deposit path — your wallet → derived address → watcher detects → swept to master → balance credited

A long-running watcher subscribes to finalized blocks on Bittensor Finney, scans balances.Transfer events, matches incoming amounts to derived addresses, and atomically credits the account. Sweeps to the master leave a 1 mTAO reserve on each derived address (transaction-fee buffer).

Deposits are typically credited within one or two finalized blocks. If yours isn't, check the explorer at https://taostats.io/account/<your-address> — if Bittensor shows the transfer, our watcher will catch it on its next pass.

08Models

We only list TEE-attested chutes. If a model is not running inside a verifiable enclave, we will not resell it — adding non-TEE inference kills the entire pitch. The current catalog is exposed via GET /v1/models and the website's models section; it's updated when chutes adds or rotates a TEE deployment.

Each model exposes:

  • slug — what you pass in the model field
  • $/M input tokens — upstream chutes price × 1.15
  • $/M output tokens — same markup
  • TEE family — TDX, SEV-SNP, or H100 CC

09About chutes.ai

The TEE-enclaved model deployments we proxy to live on chutes.ai, a GPU-compute platform on Bittensor's commodity-compute subnet. We use chutes because their TEE catalog is the most credible production-grade option we've found.

No association

Cloister is not affiliated with, endorsed by, or operated by chutes.ai. We are an independent reseller. We hold a regular paid account, the same way any developer can. Chutes does not vouch for us, has no visibility into our business, and bears no responsibility for our service. Where chutes' terms apply, they apply to our master account — your relationship is with Cloister, not chutes. If our service stops working tomorrow, that does not implicate chutes in any way.

Why we make this explicit: privacy-first projects often get conflated with the upstream infrastructure they depend on. To be precise — we route requests to chutes' TEE endpoints over standard, paid API access. That's the entire relationship.

10Limitations

What Cloister is not:

  • Not enterprise-grade. No SLA, no support contract, no procurement flow.
  • Not compliant. No SOC2, no HIPAA, no ISO. The product is built around physical zero-knowledge, but we don't carry auditor stamps.
  • Not for regulated workloads. If your use case requires named-vendor attestations or contractual confidentiality, this isn't the venue.
  • Not a chat UI. We sell API access. The dashboard exists for balance management and a try-it textbox; there is no conversation memory, no agent harness, no UI features beyond raw inference.
  • Not a fiat onramp. The only way money enters the system is TAO on Bittensor Finney.
  • Not recoverable. Codes lost are accounts lost. This is by design.

11Disclaimer

For the full experimental-status, no-liability, and ticker-related notes, see the disclaimer page. In short: this is a side project shipped early, it may break or disappear, and $CLOI is a placeholder ticker for vibes only — not a security, not an investment, not a promise.