TERE

Runtime API Reference

Updated May 17, 20258 min read

The Runtime API provides the core functionality for deploying TERE applications and executing functions within Trusted Execution Environments. This API allows you to run your code in a secure environment with hardware-backed confidentiality and integrity guarantees.

Getting Started

To use the Runtime API, first install the TERE SDK:

bash
1npm install @praecise/tere

Initialize the client with your API key:

typescript
1import { TereClient } from '@praecise/tere';
2 
3// Initialize with your API key
4const client = new TereClient({
5  endpoint: 'https://api.tere.praecise.com',
6  apiKey: 'your-api-key'
7});

Developer Workflow

Here's the typical developer workflow for working with the Runtime API:

  1. 1

    Develop Your Application

    Write your application in JavaScript or TypeScript using the TERE SDK.

    typescript
    1// secure-app.ts
    2import { State, Crypto } from '@praecise/tere';
    3 
    4// Process sensitive data securely
    5export function processData(data: string): string {
    6  // Log the operation (without sensitive details)
    7  console.log('Processing confidential data...');
    8  
    9  // Perform secure computation on the data
    10  const processedData = data.toUpperCase();
    11  
    12  // Store the result securely
    13  const key = `processed-${Date.now()}`;
    14  State.set(key, processedData);
    15  
    16  return `Processed data: ${processedData.substring(0, 10)}...`;
    17}
  2. 2

    Package Your Application

    Use the TERE SDK to package your application for deployment to a TEE.

    typescript
    1// Using the SDK
    2import { TerePackager } from '@praecise/tere';
    3import fs from 'fs';
    4 
    5// Read your application code
    6const appCode = fs.readFileSync('./secure-app.ts', 'utf-8');
    7 
    8// Package as a TERE script (header and format are handled automatically)
    9const tereScript = TerePackager.createScript({
    10  code: appCode,
    11  name: 'Secure Processor',
    12  version: '1.0.0',
    13  description: 'Processes sensitive data securely'
    14});
    15 
    16// Save the packaged script
    17fs.writeFileSync('secure-processor.tere', tereScript);

    Or using the CLI:

    bash
    1tere package --input ./secure-app.ts --output secure-processor.tere
  3. 3

    Deploy to TEE

    Deploy your packaged application to a Trusted Execution Environment.

    typescript
    1// Using the SDK
    2const tereScript = fs.readFileSync('secure-processor.tere');
    3 
    4const deployment = await client.deploy({
    5  name: 'secure-processor',
    6  tereBinary: tereScript,
    7  description: 'Secure data processing application',
    8  config: {
    9    teeType: 'confidential_vm',
    10    securitySettings: {
    11      confidentialComputeType: 'SEV_SNP'
    12    }
    13  }
    14});
    15 
    16console.log('Script deployed with ID:', deployment.scriptId);

    Or using the CLI:

    bash
    1tere deploy --name "secure-processor" --file secure-processor.tere --tee-type confidential_vm
  4. 4

    Execute Functions

    Execute functions in your deployed application securely.

    typescript
    1// Using the SDK
    2const result = await client.execute({
    3  scriptId: deployment.scriptId,
    4  function: 'processData',
    5  arguments: ['sensitive data to process']
    6});
    7 
    8console.log('Result:', result.result);
    9console.log('Attestation:', result.attestation.substring(0, 20) + '...');

    Or using the CLI:

    bash
    1tere execute script_abc123 processData "sensitive data to process"
  5. 5

    Verify Attestation

    Verify that the execution took place in a genuine TEE.

    typescript
    1// Verify the attestation
    2const verification = await client.verifyAttestation({
    3  attestation: result.attestation
    4});
    5 
    6if (verification.valid) {
    7  console.log('TEE Type:', verification.details.teeType);
    8  console.log('Secure Boot:', verification.details.secureBoot ? 'Enabled' : 'Disabled');
    9  console.log('Result can be trusted');
    10} else {
    11  console.error('Attestation verification failed');
    12}

Core API Methods

client.deploy

Deploys a TERE script to a Trusted Execution Environment.

Parameters

options: DeployOptionsRequired

Deployment options including the script name and binary

Returns

Promise<DeployResponse>

Response containing the script ID and instance information

Examples

Basic deployment

javascript
1// Read the TERE file
2const tereBinary = fs.readFileSync('secure-processor.tere');
3 
4// Deploy to a TEE
5const deployment = await client.deploy({
6  name: 'secure-processor',
7  tereBinary,
8  description: 'Secure data processing application'
9});
10 
11console.log('Script ID:', deployment.scriptId);

With custom configuration

javascript
1const deployment = await client.deploy({
2  name: 'high-security-app',
3  tereBinary,
4  description: 'Application with enhanced security',
5  config: {
6    teeType: 'confidential_vm',
7    resourceLimits: {
8      cpuCores: 4,
9      memoryMb: 8192
10    },
11    securitySettings: {
12      secureBoot: true,
13      confidentialComputeType: 'SEV_SNP'
14    }
15  }
16});
client.execute

Executes a function in a deployed TERE script.

Parameters

options: ExecuteOptionsRequired

Execution options including script ID, function name, and arguments

Returns

Promise<ExecuteResponse>

Response containing the execution result and attestation

Examples

Execute a function

javascript
1// Execute with simple arguments
2const result = await client.execute({
3  scriptId: 'script_abc123',
4  function: 'processData',
5  arguments: ['data to process']
6});
7 
8console.log('Result:', result.result);

Asynchronous execution

javascript
1// Execute asynchronously for long-running tasks
2const jobResult = await client.execute({
3  scriptId: 'script_abc123',
4  function: 'processLargeDataset',
5  arguments: [largeDataset],
6  waitForResult: false
7});
8 
9console.log('Job ID:', jobResult.jobId);
10 
11// Check job status later
12const result = await client.getJobStatus(jobResult.jobId);
13if (result.result) {
14  console.log('Job completed with result:', result.result);
15}
client.getJobStatus

Retrieves the status of an asynchronous execution job.

Parameters

jobId: stringRequired

The ID of the job to check

Returns

Promise<ExecuteResponse>

Response containing the job status and result if completed

Examples

Check job status

javascript
1// Check if an async job has completed
2const jobStatus = await client.getJobStatus('job_def456');
3 
4if (jobStatus.result) {
5  console.log('Job completed with result:', jobStatus.result);
6  console.log('Resource usage:', jobStatus.resourceUsage);
7} else {
8  console.log('Job is still running...');
9}
client.listScripts

Lists all deployed TERE scripts.

Returns

Promise<ScriptInfo[]>

Array of script information objects

Examples

List all scripts

javascript
1// Get all deployed scripts
2const scripts = await client.listScripts();
3 
4console.log('Found', scripts.length, 'scripts');
5 
6// Print details about each script
7scripts.forEach(script => {
8  console.log(`ID: ${script.id}`);
9  console.log(`Name: ${script.name}`);
10  console.log(`Status: ${script.status}`);
11  console.log(`Type: ${script.teeType}`);
12  console.log('-----');
13});
client.getScript

Gets detailed information about a specific deployed script.

Parameters

scriptId: stringRequired

ID of the script to retrieve

Returns

Promise<ScriptInfo>

Detailed information about the script

Examples

Get script details

javascript
1// Get details about a specific script
2const scriptInfo = await client.getScript('script_abc123');
3 
4console.log('Script details:');
5console.log('Name:', scriptInfo.name);
6console.log('Description:', scriptInfo.description);
7console.log('TEE Type:', scriptInfo.teeType);
8console.log('Creation Time:', scriptInfo.creationTime);
9console.log('Status:', scriptInfo.status);

Instance Management

These methods help you manage the lifecycle of your deployed TEE instances:

client.startInstance

Starts a stopped TEE instance.

Parameters

scriptId: stringRequired

ID of the script to start

Returns

Promise<void>

No return value on success

Examples

Start a stopped instance

javascript
1// Start a TEE instance
2await client.startInstance('script_abc123');
3console.log('Instance started successfully');
client.stopInstance

Stops a running TEE instance.

Parameters

scriptId: stringRequired

ID of the script to stop

Returns

Promise<void>

No return value on success

Examples

Stop a running instance

javascript
1// Stop a TEE instance when not in use to save costs
2await client.stopInstance('script_abc123');
3console.log('Instance stopped successfully');
client.deleteScript

Permanently deletes a deployed script and its associated TEE instance.

Parameters

scriptId: stringRequired

ID of the script to delete

options: DeleteOptions

Options for deletion, such as whether to preserve state data

Returns

Promise<void>

No return value on success

Examples

Delete a script

javascript
1// Delete a script when no longer needed
2await client.deleteScript('script_abc123');
3console.log('Script deleted successfully');

Delete with options

javascript
1// Delete a script but preserve its state data
2await client.deleteScript('script_abc123', {
3  preserveState: true
4});
5console.log('Script deleted but state preserved');

Using the CLI

The TERE CLI provides command-line access to the same Runtime API functionality:

bash
1# Install the CLI
2npm install -g @tere/cli
3 
4# Login to the service
5tere login --api-key your-api-key
6 
7# Deploy a TERE script
8tere deploy --name "my-app" --file my-app.tere
9 
10# Execute a function
11tere execute script_abc123 processData "input data"
12 
13# List all deployed scripts
14tere scripts list
15 
16# Get details about a script
17tere scripts get script_abc123
18 
19# Start a stopped instance
20tere instances start script_abc123
21 
22# Stop a running instance
23tere instances stop script_abc123
24 
25# Delete a script
26tere scripts delete script_abc123

Best Practices

  • Use Asynchronous Execution for Long Tasks

    For operations that may take longer than a few seconds, use asynchronous execution (set waitForResult: false) and poll for results using getJobStatus.

  • Always Verify Attestation

    When receiving results from a TEE execution, always verify the attestation to ensure it was processed in a genuine TEE with the expected security properties.

    javascript
    1// Execute and verify
    2const result = await client.execute({...});
    3 
    4// Verify the attestation
    5const verification = await client.verifyAttestation({
    6  attestation: result.attestation
    7});
    8 
    9if (verification.valid) {
    10  // Process the secure result
    11} else {
    12  // Handle attestation verification failure
    13}
  • Optimize Script Size

    Keep your application code as small as possible to improve loading time and reduce memory usage. Remove unnecessary dependencies and comments.

  • Manage TEE Instances Efficiently

    Stop TEE instances when not in use to save costs, and start them again when needed. Use appropriate resource limits for your workload.

Error Handling

The TERE SDK provides detailed error information:

javascript
1try {
2  const result = await client.execute({
3    scriptId: 'script_abc123',
4    function: 'processData',
5    arguments: ['data']
6  });
7} catch (error) {
8  if (error instanceof TereError) {
9    console.error('TERE error:', error.message);
10    console.error('Error code:', error.code);
11    
12    // Handle specific error types
13    if (error.code === 'function_not_found') {
14      console.error('The function does not exist in this script');
15    } else if (error.code === 'execution_error') {
16      console.error('Error during execution:', error.details);
17    }
18  } else {
19    console.error('Unexpected error:', error);
20  }
21}

SDK Interfaces

Here are the TypeScript interfaces for the key objects in the TERE SDK:

typescript
1// Deploy options
2interface DeployOptions {
3  name: string;                // Name of the script
4  tereBinary: Buffer | string; // The TERE script binary
5  description?: string;        // Optional description
6  config?: {
7    teeType?: 'confidential_vm' | 'confidential_gke';
8    provider?: string;
9    location?: string;
10    resourceLimits?: {
11      cpuCores?: number;
12      memoryMb?: number;
13      storageGb?: number;
14    };
15    securitySettings?: {
16      secureBoot?: boolean;
17      integrityMonitoring?: boolean;
18      vtpm?: boolean;
19      confidentialComputeType?: 'SEV' | 'SEV_SNP' | 'TDX';
20    };
21  };
22}
23 
24// Execute options
25interface ExecuteOptions {
26  scriptId: string;           // ID of the script to execute
27  function: string;           // Function name to call
28  arguments: any[];           // Arguments to pass to the function
29  waitForResult?: boolean;    // Whether to wait for completion (default: true)
30  callerId?: string;          // Optional caller identity for access control
31}
32 
33// Script info
34interface ScriptInfo {
35  id: string;                 // Unique script ID
36  name: string;               // Script name
37  description: string;        // Script description
38  teeType: string;            // TEE type
39  provider: string;           // Cloud provider
40  location: string;           // Region/zone
41  creationTime: string;       // Creation timestamp
42  status: string;             // Current status (active, stopped, etc.)
43}
44 
45// Execute response
46interface ExecuteResponse {
47  result: any;                // Function result
48  attestation: string;        // Attestation proof
49  resourceUsage?: {
50    gasUsed: number;
51    executionTimeMs: number;
52    memoryBytes: number;
53  };
54  jobId?: string;             // Job ID for async execution
55}

Related Documentation

Attestation Guide →

Learn about remote attestation to verify TEE authenticity

State Management API →

Learn how to store and retrieve data securely in TEEs