How it works

The Loyal client is just one option for interacting with the network, and it follows MagicBlock’s Private Ephemeral Rollup flow end-to-end before it will send a request. The sequence is:

Generate a 32-byte nonce, send it to the TEE RPC, and validate the returned TDX quote via PCCS collateral. We rely on verifyTeeRpcIntegrity from the @magicblock-labs/ephemeral-rollups-sdk; if the quote fails verification, the UI halts.
With integrity confirmed, the wallet asks the RPC for a challenge that is scoped to its public key, signs it, and exchanges the signature for a short-lived authorization token using getAuthToken.
The token is appended as a query string when opening the Solana connection so every request is tied to the attested session.

import { verifyTeeRpcIntegrity, getAuthToken } from "@magicblock-labs/ephemeral-rollups-sdk";
import { Connection } from "@solana/web3.js";

const isIntegrityVerified = await verifyTeeRpcIntegrity(PRIVATE_ER_URL);
if (!isIntegrityVerified) throw new Error("TEE attestation failed");

const { publicKey, signMessage } = useWallet();
const authToken = await getAuthToken(PRIVATE_ER_URL, publicKey, signMessage);
const connection = new Connection(`${PRIVATE_ER_URL}?token=${authToken}`, "confirmed");

PER Lifetime and Anonymity Window

MagicBlock PER is a parallel execution layer that settles back to Solana; it is not one rollup instance per user.For privacy, two windows matter:

Session window: your PER auth token is short-lived (getAuthToken returns expiresAt). When it expires, the client must re-authenticate.
Delegation window: your private account access on PER starts when accounts are delegated and ends when they are undelegated/committed back to Solana.

Your practical anonymity set comes from overlapping delegated activity on the same PER endpoint and permission domain during that time, not from a single fixed “rollup lifetime.”To tune the tradeoff, choose delegation windows based on your threat model: longer windows can increase overlap (and therefore anonymity set), while shorter windows reduce exposure if keys, sessions, or delegated permissions are compromised. In practice, batch private actions when possible, keep windows only as long as needed, and undelegate promptly after completion.Once the handshake succeeds, the user links a Solana wallet and receives a PDA that anchors every chat session and settles payments automatically.Because the state lives on-chain, users are not tied to our interface. They can fork the frontend, self-host a minimal web or mobile client, or embed Loyal into an existing product while preserving the same conversations. Privacy-conscious users keep control over their history, export encrypted transcripts, or delete them without asking permission from a centralized provider.

The PDA-backed program coordinates requests, payments, permissioning, and routing. We compose MagicBlock’s Permission Program to manage encrypted state: PDAs group conversations, wallets, and application accounts under fine-grained access rules that live on Solana L1 and can be updated atomically.

We CPI into the Permission Program to mint groups with arbitrary membership, so a DAO, team, or family wallet can manage shared threads without leaking data.
Each group can delegate read access to specific ER accounts (write splits are on MagicBlock’s roadmap). Updating a group updates every member immediately.
When the frontend completes its challenge, the issued token maps back to a permissioned public key, unlocking only the accounts that key is authorized to read.

This semantic portability lets builders compose Loyal inside their own smart contracts. They can enforce spend limits, trigger downstream automations, or pipe responses into other protocols—all while inheriting the same privacy guarantees as any Solana-native workflow.

Architecture of the Loyal confidential oracles

Confidential oracles we run on Phala and Nillion execute the heavy lifting. A CPU TEE hosts the oracle runtime and GPU driver, establishes an encrypted channel to a GPU TEE, and keeps the host OS outside the trust boundary. GPU management firmware cannot see prompts or weights; it only provisions the enclave, which returns attestation reports before accepting work. Even streamed LLM responses stay encrypted as they traverse the PCIe link between enclaves and back to the PDA.The oracle interface is open: developers can deploy their own models, publish capability attestations, and earn per-inference payouts. Confidential compute ensures operators never see raw prompts or outputs, preserving both user privacy and proprietary model weights. Because the runtime resides inside TEEs, partners can also self-host or compete for jobs without weakening the security envelope.

Independent measurements (for example, H100/H200 GPU TEE studies) show confidential mode sustaining up to 99% of native throughput. The heavier the workload, the closer it tracks: Phi3-14B-128k, Llama3.1-70B, and other long-sequence runs keep efficiency high because compute time dwarfs encryption overhead.
Longer inputs/outputs and larger models amortize I/O, so token streaming remains responsive while still encrypted. Light workloads work too, but peak gains appear when the GPU is saturated.
We retain confidentiality without sacrificing usability, enabling private inference at production latency targets. Future oracle operators can rely on those benchmark papers to optimize model placement and hardware choices across Phala, Nillion, or their own infrastructure.

1

Attest the session

The client verifies the MagicBlock RPC via TDX quote validation, performs the wallet challenge, and appends the issued token to its Solana connection.

2

Submit the request

With a verified session, the user (or contract) sends an encrypted prompt through its PDA, anchoring spend and state to on-chain accounts.

3

Route to confidential oracles

The Loyal program records the message, splits payments, and signals the oracle marketplace; an attested GPU TEE picks up the job and runs the model.

4

Stream the results

The oracle streams the response back through the rollup to the client of choice—default UI, forked frontend, or embedded experience—while receipts and settlements finalize on-chain.

The end result is AI infrastructure that is censorship-resistant, privacy-preserving, and composable: users keep ownership of their data, developers build permissionlessly, and compute providers compete in the open.

About Loyal

Architecture

Launch

PER Lifetime and Anonymity Window

About Loyal

Architecture

Launch

​PER Lifetime and Anonymity Window

PER Lifetime and Anonymity Window