Migration guide#

Python Attestation SDK is deprecated and is no longer recommended for new projects. While existing integrations may continue to function temporarily, we strongly advise planning a migration to the replacement SDK.

We are consolidating on the C++ SDK to provide better performance, a unified codebase, and tighter platform integration. Going forward all new attestation features and platform support will be delivered exclusively through the C++ SDK.

Status and key dates for Python SDK#

  • Deprecation date: 2026-03-15 (no new features; discouraged for new projects)

  • End of support: 2026-09-15 (no fixes, security patches, or official help after this date)

During the deprecation period (March 15 – September 15, 2026), we will continue to issue critical security patches but no new features. After the end-of-support date, this SDK may become incompatible with our service at any time and will not receive further updates.

C++ Replacement SDK#

Please use our supported SDK instead:

All new integrations should use the replacement SDK, and existing users should migrate before the end-of-support date.

Getting help#

API mapping#

The table below maps common Python SDK operations to their C++ SDK (C API) equivalents.

Operation

Python SDK

C++ SDK (C API)

Import / include

from nv_attestation_sdk import attestation

#include <nvat.h>

Initialize SDK

client = attestation.Attestation()

nvat_sdk_opts_create(&opts) nvat_sdk_init(opts) nvat_attestation_ctx_create(&ctx)

Set service key

client.set_service_key(key)

nvat_attestation_ctx_set_service_key(ctx, key)

Set nonce

client.set_nonce(hex_str)

nvat_nonce_from_hex(&nonce, hex_str)

Select GPU + local verifier

client.add_verifier(Devices.GPU, Environment.LOCAL, "", "")

nvat_attestation_ctx_set_device_type(ctx, NVAT_DEVICE_GPU) nvat_attestation_ctx_set_verifier_type(ctx, NVAT_VERIFY_LOCAL)

Select GPU + remote verifier

client.add_verifier(Devices.GPU, Environment.REMOTE, url, "")

nvat_attestation_ctx_set_verifier_type(ctx, NVAT_VERIFY_REMOTE) nvat_attestation_ctx_set_default_nras_url(ctx, url)

Select NVSwitch device

client.add_verifier(Devices.SWITCH, ...)

nvat_attestation_ctx_set_device_type(ctx, NVAT_DEVICE_SWITCH)

Collect evidence + attest

evidence = client.get_evidence() result = client.attest(evidence)

nvat_attest_device(ctx, nonce, &eat, &claims)

Get attestation token

token = client.get_token()

eat output param from nvat_attest_device()

Validate token with policy

client.validate_token(json_policy)

nvat_relying_party_policy_create_rego_from_str(&rp, rego_policy) nvat_attestation_ctx_set_relying_party_policy(ctx, rp)

Inspect claims

client.decode_token(token)

nvat_claims_collection_serialize_json(claims, &json)

Cleanup

N/A (garbage collected)

nvat_attestation_ctx_free(&ctx) nvat_sdk_shutdown()

Key differences#

  • The C++ SDK combines evidence collection and attestation into a single nvat_attest_device() call.

  • All resources must be explicitly freed. Follow the pattern: create → use → free.

  • The C++ SDK uses return codes (nvat_rc_t) instead of exceptions. Always check return values.

Example: local GPU attestation#

Before (Python)#

from nv_attestation_sdk import attestation

client = attestation.Attestation()
client.set_name("myNode")
client.add_verifier(attestation.Devices.GPU,
                    attestation.Environment.LOCAL, "", "")

evidence = client.get_evidence()
result = client.attest(evidence)
token = client.get_token()
print("Attestation passed:", result)

After (C)#

#include <nvat.h>

nvat_sdk_opts_t opts = NULL;
nvat_attestation_ctx_t ctx = NULL;
nvat_str_t eat = NULL;
nvat_claims_collection_t claims = NULL;

nvat_sdk_opts_create(&opts);
nvat_sdk_init(opts);
nvat_attestation_ctx_create(&ctx);

nvat_rc_t rc = nvat_attest_device(ctx, NULL, &eat, &claims);
printf("Attestation %s\n", rc == NVAT_RC_OK ? "passed" : "failed");

// Cleanup
nvat_str_free(&eat);
nvat_claims_collection_free(&claims);
nvat_attestation_ctx_free(&ctx);
nvat_sdk_opts_free(&opts);
nvat_sdk_shutdown();

Example: remote GPU attestation#

Before (Python)#

from nv_attestation_sdk import attestation
import os

NRAS_URL = "https://nras.attestation.nvidia.com/v4/attest/gpu"
client = attestation.Attestation()
client.set_name("myNode")
client.set_service_key(os.getenv("NVIDIA_ATTESTATION_SERVICE_KEY"))
client.add_verifier(attestation.Devices.GPU,
                    attestation.Environment.REMOTE, NRAS_URL, "")

evidence = client.get_evidence()
result = client.attest(evidence)
token = client.get_token()

After (C)#

#include <nvat.h>
#include <stdlib.h>

// ... SDK init (see above) ...
nvat_attestation_ctx_create(&ctx);
nvat_attestation_ctx_set_verifier_type(ctx, NVAT_VERIFY_REMOTE);

const char* key = getenv("NVIDIA_ATTESTATION_SERVICE_KEY");
if (key) nvat_attestation_ctx_set_service_key(ctx, key);

nvat_rc_t rc = nvat_attest_device(ctx, NULL, &eat, &claims);
// ... check rc, use eat/claims, then free resources ...

Example: policy validation#

Before (Python)#

# ... after attestation (see above) ...
import json

with open("policy.json") as f:
    policy = json.dumps(json.load(f))

is_valid = client.validate_token(policy)
print("Policy match:", is_valid)

After (C)#

const char* rego_policy =
  "package policy\n"
  "import future.keywords.every\n"
  "default nv_match := false\n"
  "nv_match {\n"
  "  every result in input {\n"
  "    result.secboot\n"
  "    result.dbgstat == \"disabled\"\n"
  "  }\n"
  "}\n";

nvat_relying_party_policy_t rp;
nvat_relying_party_policy_create_rego_from_str(&rp, rego_policy);
nvat_attestation_ctx_set_relying_party_policy(ctx, rp);
nvat_relying_party_policy_free(&rp);

// Policy is evaluated during nvat_attest_device().
// NVAT_RC_OK = pass, NVAT_RC_RP_POLICY_MISMATCH = fail.
nvat_rc_t rc = nvat_attest_device(ctx, NULL, &eat, &claims);

Note: The Python SDK uses JSON-based authorization rules for policy validation after attestation. The C++ SDK uses Rego (Open Policy Agent) policies that are evaluated during attestation. See the policy examples for details.

On this page