Example applications for dstack - Deploy containerized apps to TEEs with end-to-end security in minutes
Getting Started • Use Cases • Core Patterns • Dev Tools • Starter Packs • Other Use Cases
This repository contains ready-to-deploy examples demonstrating how to build and run applications on dstack, the developer-friendly SDK for deploying containerized apps in Trusted Execution Environments (TEE).
- Docker and Docker Compose
- Node.js (for Phala CLI)
- Git
# Clone the repo
git clone https://github.com/Dstack-TEE/dstack-examples.git
cd dstack-examples
# Install Phala CLI
npm install -g phala
# Start the local simulator (no TEE hardware needed)
phala simulator startcd tutorial/01-attestation-oracle
docker compose run --rm \
-v ~/.phala-cloud/simulator/0.5.3/dstack.sock:/var/run/dstack.sock \
appphala auth login
phala deploy -n my-app -c docker-compose.yamlSee Phala Cloud for production TEE deployment.
Step-by-step guides covering core dstack concepts.
| Tutorial | Description |
|---|---|
| 01-attestation-oracle | Use the guest SDK to work with attestations directly — build an oracle, bind data to TDX quotes via report_data, verify with local scripts |
| 02-persistence-and-kms | Use getKey() for deterministic key derivation from a KMS — persistent wallets, same key across restarts |
| 03-gateway-and-ingress | Custom domains with automatic SSL, certificate evidence chain |
| 04-upgrades | Extend AppAuth.sol with custom authorization logic — NFT-gated clusters, on-chain governance |
Real-world applications you can build with dstack.
| Example | Description | Status |
|---|---|---|
| 8004-agent | Trustless AI agent with on-chain attestation and LLM access | Coming Soon |
| oracle | TEE oracle returning JSON + signature + attestation bundle | Coming Soon |
| mcp-server | Attested MCP tool server behind gateway | Coming Soon |
| telegram-agent | Telegram bot with TEE wallet and verified execution | Coming Soon |
Key building blocks for dstack applications.
Request TEE attestations via the SDK. Mount /var/run/dstack.sock in your compose file to access the TEE.
import { DstackClient } from '@phala/dstack-sdk'
const client = new DstackClient()
const info = await client.info() // app_id, instance_id, tcb_info
const quote = await client.getQuote(data) // TDX quote with custom report_data
const key = await client.getKey('/my/path') // deterministic key derivationvolumes:
- /var/run/dstack.sock:/var/run/dstack.sock| Example | Description | Status |
|---|---|---|
| timelock-nts | Raw socket usage (what the SDK wraps) | Available |
| attestation/configid-based | ConfigID-based verification | Available |
TLS termination, custom domains, external connectivity.
| Example | Description |
|---|---|
| dstack-ingress | Complete ingress solution — auto SSL via Let's Encrypt, multi-domain, DNS validation, evidence generation with TDX quote chain |
| custom-domain | Simpler custom domain setup via zt-https |
Persistent keys across deployments via KMS.
| Example | Description | Status |
|---|---|---|
| get-key-basic | dstack.get_key() — same key identity across machines |
Coming Soon |
Light client for reading chain state, anchoring outputs.
| Example | Description |
|---|---|
| lightclient | Ethereum light client (Helios) running in enclave |
Development and debugging tools. Not for production.
| Example | Description |
|---|---|
| webshell | Web-based shell access for debugging |
| ssh-over-gateway | SSH tunneling through dstack gateway |
| tcp-port-forwarding | Arbitrary TCP port forwarding |
Interesting demonstrations.
| Example | Description |
|---|---|
| tor-hidden-service | Run Tor hidden services in TEEs |
Full-stack templates with SDK integration. These demonstrate attestation, key derivation, and wallet generation.
| Template | Stack | Link |
|---|---|---|
| Next.js Starter | Next.js + TypeScript | phala-cloud-nextjs-starter |
| Python Starter | FastAPI + Python | phala-cloud-python-starter |
| Bun Starter | Bun + TypeScript | phala-cloud-bun-starter |
| Node.js Starter | Express + TypeScript | phala-cloud-node-starter |
Features: /api/tdx_quote (attestation), /api/eth_account (derived wallet), /api/info (TCB info)
External projects and templates worth exploring. These are maintained elsewhere but demonstrate interesting TEE patterns.
| Project | Description | Link |
|---|---|---|
| Oracle Template | Price aggregator with verifiable networking (hardened TLS) and multi-source validation | Gldywn/phala-cloud-oracle-template |
| VRF Template | Verifiable Random Function — hardware-backed cryptographic randomness | Phala-Network/phala-cloud-vrf-template |
| Open WebUI | Self-hosted AI chat interface in TEE | phala-cloud/templates/openwebui |
| n8n Automation | Workflow automation (400+ integrations) with OAuth in TEE | Marvin-Cypher/phala-n8n-template |
| Primus Attestor | zkTLS node — TEE + zero-knowledge proofs | primus-labs/primus-network-startup |
| NEAR Shade Agent | Blockchain oracle/agent for NEAR with TEE attestation | phala-cloud/templates/near-shade-agent |
| Presidio | Microsoft's PII de-identification running in TEE | HashWarlock/presidio |
| ByteBot | AI desktop agent — computer control in isolated TEE sandbox | phala-cloud/templates/bytebot |
Note: These templates use pre-built Docker images. For full auditability, review their source repos before deployment.
See the full Phala Cloud templates for more options.
Implementation details and infrastructure patterns.
| Example | Description |
|---|---|
| launcher | Generic launcher pattern for Docker Compose apps |
| prelaunch-script | Pre-launch script patterns (Phala Cloud) |
| private-docker-image-deployment | Using private Docker registries |
| attestation/rtmr3-based | RTMR3-based attestation (legacy) |
- dstack Documentation - Official platform documentation
- Main Repository - Core dstack framework
- Contributing Guide - How to contribute
./dev.sh help # Show available commands
./dev.sh validate <example> # Validate a specific example
./dev.sh validate-all # Validate all examples- Telegram: Join our community
- Issues: GitHub Issues
Apache 2.0 — see LICENSE.