sablenetwork
Documentation — all sections

Privacy tiers

Every request executes under one of three tiers. The default comes from the API key; you can override per-call with the sable_privacy_tier body field.

| Tier | Routing | Use case | | --- | --- | --- | | standard | Encrypted in transit, software isolation. The model host sees the prompt. | Throughput-bound workloads, public data. | | confidential | Runs inside an attested Intel TDX enclave — the host can't see the prompt. Live for sable-confidential-24b. | Agent memory, business data. | | sovereign | Confidential + jurisdiction-pinned routing. | Regulated data, sovereign deployments. |

# Pin a request to a specific privacy tier.
resp = client.chat.completions.create(
  model="sable-deepseek-v3",
  messages=[{"role":"user","content":"Summarize this filing"}],
  extra_body={"sable_privacy_tier": "sovereign"},
)

The honest version, tier by tier

standard is encrypt-in-transit. The request is decrypted at one auditable egress frame and sent to a model host that runs it and sees the prompt. You still get: no prompt or completion stored anywhere, logs that hold only metadata, a signed receipt, and region pinning that's actually enforced. The host seeing the prompt is the limit of what software isolation can promise — which is why confidential exists.

confidential is live for sable-confidential-24b. That model runs inside an attested Intel TDX enclave (with NVIDIA H100 confidential computing) on an attested backend. Before routing, the gateway cryptographically verifies the enclave's TDX quote against a pinned measurement; after the response, it verifies a per-response signature from the key bound into that quote. Both results are stamped into your signed receipt as an attestation block (verification: "tee-attested", response_bound: true) — so you can confirm, yourself, that your request ran in a real enclave the host could not see into. A confidential request for a model we can't attest is refused, never silently downgraded to a plaintext host.

One operational consequence of that fail-closed rule, stated plainly: when the enclave workload is redeployed upstream, its attested measurement changes, and the gateway refuses confidential requests (HTTP 502, attestation_failed) until we verify the new build and re-pin. During such a window standard traffic is unaffected; the confidential tier's live posture is always visible on /status and GET /v1/attestation. Build agents that use this tier to handle a 502 by retrying later — not by falling back to standard silently (that decision should be yours, not ours).

What's still ahead: more confidential models, and moving the enclave from an attested third-party backend to hardware Sable measures itself (so the trust root is our binary, not the backend's attestation). sovereign adds jurisdiction pinning on top — the region-pinning half is already enforced and recorded in the receipt today.

Closed, vendor-hosted models are a harder limit. Anything with open_weight: false in /v1/models, like OpenAI's gpt-4o-mini, is standard tier only: it runs on the vendor's own servers, so encrypt-in-transit is as far as its privacy can ever go.