Skip to main content
TeeSQL speaks the standard PostgreSQL wire protocol, so any Postgres driver connects once the mutual RA-TLS handshake is established. The libraries listed here add the attestation layer: they fetch a TDX-attested client certificate, verify the database’s TDX quote, and only then bridge bytes to the driver. Use them whenever your application code must refuse to query an unattested database.

Prerequisites

  • Your application running inside an Intel TDX CVM (or against the dstack simulator for local dev)
  • A connection string — see Connection string
  • An Intel Trust Authority API key, or the local DCAP verifier (Rust today; Python wheel pending)

Standard Postgres compatibility

Any standard Postgres client works against TeeSQL once TLS is configured correctly — see SSL & TLS. Such clients do not verify the database’s TDX attestation; they only verify the X.509 chain, which means a misconfigured operator could swap the backing CVM without the client noticing. Use a TeeSQL RA-TLS library when that matters.

RA-TLS client libraries

LanguagePackageDriverVerifier(s)
TypeScript / Node.jsprisma-ra-tlsPrisma + pgIntelApiVerifier, NoopVerifier, custom
Pythonpsycopg-ra-tlspsycopg 3IntelApiVerifier, NoopVerifier (DCAP wheel pending)
Rustsqlx-ra-tlssqlx 0.8 + PostgresDcapVerifier (default, local), IntelApiVerifier, NoopVerifier
All three share the same shape: a localhost TCP forwarder owns the mutual RA-TLS handshake, your driver speaks plain Postgres to that forwarder, the handshake happens once at process start.

Minimal example

from psycopg_ratls import connect
from ra_tls_verify import IntelApiVerifier
import os

verifier = IntelApiVerifier(api_key=os.environ["INTEL_TRUST_AUTHORITY_API_KEY"])

conn = connect(os.environ["DATABASE_URL"], verifier=verifier)
rows = conn.execute("SELECT current_user, current_database()").fetchall()
print(rows)

Development verifiers

In simulator mode the database’s certificate is self-signed and there is no TDX quote to verify. All three libraries ship a NoopVerifier for this case — never use it in production. 
from psycopg_ratls import connect
from ra_tls_verify import NoopVerifier

conn = connect(
    "postgresql://teesql_readwrite:test-secret@localhost:5433/postgres",
    verifier=NoopVerifier(),
    allow_simulator=True,
)

ORM integration

Prisma

prisma-ra-tls is a Prisma driver adapter. Enable the preview feature in schema.prisma:
schema.prisma
generator client {
  provider        = "prisma-client-js"
  previewFeatures = ["driverAdapters"]
}

datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}
Install peer dependencies: 
npm install prisma-ra-tls pg @prisma/adapter-pg
Pass the adapter when constructing PrismaClient (see the TypeScript example above). Requires Node.js ≥ 18 and Prisma ≥ 5.10. Drizzle, TypeORM, Sequelize, Knex, and SQLAlchemy adapters are not currently available.

Verification options

Each library exposes the same knobs for pinning the database identity:
OptionPurpose
allowedMrTd / allowed_mrtdsHex MRTD allowlist — the measurement of the database CVM image. Always pin in production.
allowDebugMode / allow_debug_modeAccept TDs marked debuggable. Never enable in production.
allowSimulator / allow_simulatorAccept a self-signed cert with no TDX quote. Never enable in production.
clientAttestation / forwarder defaultPresent a TDX-attested client certificate from /var/run/dstack.sock.
cacheTtlMs (TS)How long a successful verification is reused. Default 1 hour.
See Verify attestation for how to derive the right MRTD value for your cluster.

Verifier-only libraries

If you need to verify a TDX quote without going through a database driver — for example, to check the sidecar’s /attestation endpoint — use the verification primitives directly:
  • Python: ra-tls-verifyextract_tdx_quote, IntelApiVerifier, NoopVerifier. The Python DcapVerifier wheel is pending.
  • Rust: ra-tls-parse for cert/chain parsing into rustls types; quote verification via dcap-qvl (used internally by sqlx-ra-tls).

Worked example

teesql-example-python is a runnable FastAPI app that demonstrates the production shape: two long-lived psycopg connections (teesql_readwrite for writes, teesql_read for a polling task), OperationalError reconnect-once on failover, and a WebSocket fan-out backed by the secondary. Fork it as the starting point for your own service.
Last modified on May 1, 2026