// confidential LLM routing · hardware-attested · independently verifiable

The AI gateway that can't cheat you.

A router sits between you and the model. It could swap in a cheaper model, read your prompts, or quietly rewrite them on the way through. SafeRouter is built so it can do none of the three — enforced by hardware and cryptography, and open for anyone to verify.

The exact model you paid for.

Every call is signed into a public log naming the model that actually answered. Re-hash your own response and prove we never quietly swapped in something cheaper or dialed the quality down.

Your context — even we can't read it.

Your prompts are processed inside a hardware enclave whose memory the CPU keeps encrypted. Not AWS, not our operators, not us: no one can see what you send.

No hand in your prompt.

What you send is what the model sees. No injected instructions, no silent rewrites, no steering. The enclave forwards your context untouched, and the signed log proves it stayed that way.

// how it works

Guarantees, not promises. Here's how.

Every claim above is enforced by hardware and math, so you never have to take our word for it. Three mechanisms do the work.

01 · the enclave

A CPU-encrypted secure enclave

The gateway runs inside an AMD SEV-SNP enclave. The CPU encrypts its memory in hardware and measures the exact binary at boot, so the code touching your prompt is sealed off from AWS, from our operators, and from any host-level attacker.

SEV-SNP · VLEK
02 · attestation

Proof you can check yourself

The enclave's measurement is signed all the way up to AMD's root key. Anyone can pull the live attestation report and re-verify that signature in their own browser. If the enclave were running modified code, the signature wouldn't match.

Independently verifiable
03 · the log

A signed, tamper-evident log

Every call lands in an append-only hash chain with an Ed25519 receipt carrying the model, tokens, and a hash of the exchange. Editing one record breaks every record after it, and the signing key never leaves the enclave. Each response returns a call_id you can look up and re-verify byte-for-byte.

Hash chain · per-call proof
// the models

One key. Every major model.

Point one OpenAI-compatible endpoint at SafeRouter and reach the frontier labs and the strongest open models through the same confidential gateway. Text, image, and video all route through the enclave, so the guarantees above hold no matter which model answers.

OpenAI GPT
GPT-5.x family
Anthropic Claude
Claude Opus · Sonnet · Haiku
Google Gemini
Gemini Pro · Flash
DeepSeek
DeepSeek V4 Pro · Flash
Zhipu GLM
GLM-5 · 5.2 · 4.7
xAI Grok
Grok family
Moonshot Kimi
Kimi long-context
Alibaba Qwen
Qwen Max · Plus
video
ByteDance Seedance
text & image to video

// 9 model families · 70+ models · text, image & video · one OpenAI-compatible endpoint · live catalog on the models page

// token governance

Every token, under your control.

An API key is a spending faucet and a data door. SafeRouter turns each one into a governed instrument: scoped, capped, metered, and revocable. Hand out a key per app, per teammate, or per environment, and keep a live account of exactly what each one did.

Many keys, one account

Mint a separate key for every app, teammate, or environment. Each carries its own name, plan tier, and history, so nothing shares a single blast radius.

Hard limits and budgets

Set a spend ceiling and a rate tier per key or per group. When a key hits its budget it stops, so a runaway job can't drain the account.

Usage and cost, per key

See spend broken down by key, group, and model, backed by the same signed call log. Every dollar traces to the exact request that spent it.

Kill switch and audit

Roll keys up into teams and orgs with role-based access, revoke any key the instant it leaks, and keep a tamper-evident record of every call it ever made.