Documentation Index
Fetch the complete documentation index at: https://docs.phala.com/llms.txt
Use this file to discover all available pages before exploring further.
The @phala/cloud SDK provides a type-safe JavaScript/TypeScript client for the Phala Cloud API. It includes built-in API versioning, Zod schema validation, and comprehensive error handling.
Installation
Quick Start
import { createClient } from "@phala/cloud";
const client = createClient({ apiKey: "phak_your_api_key" });
// Get current user info
const user = await client.getCurrentUser();
console.log(user.user.username);
// List all CVMs
const cvms = await client.getCvmList();
console.log(cvms.items);
Client Creation
createClient(config?)
Creates a full-featured client with all action methods.
import { createClient } from "@phala/cloud";
// Minimal — reads API key from PHALA_CLOUD_API_KEY env var
const client = createClient();
// Explicit configuration
const client = createClient({
apiKey: "phak_your_api_key",
baseURL: "https://cloud-api.phala.com/api/v1",
version: "2026-01-21",
timeout: 30000,
});
Configuration Options
| Option | Type | Default | Description |
|---|
apiKey | string | PHALA_CLOUD_API_KEY env var | API key for authentication |
baseURL | string | https://cloud-api.phala.com/api/v1 | API base URL (or PHALA_CLOUD_API_PREFIX env var) |
version | ApiVersion | "2026-01-21" | API version to use |
timeout | number | 30000 | Request timeout in milliseconds |
useCookieAuth | boolean | false | Use cookie-based auth instead of API key |
headers | Record<string, string> | — | Additional request headers |
onResponseError | function | — | Custom response error handler |
Tree-Shaking with createBaseClient
For smaller bundles, use createBaseClient with individual action imports:
import { createBaseClient, getCurrentUser, getCvmList } from "@phala/cloud";
const client = createBaseClient({ apiKey: "phak_your_api_key" });
// Call actions as standalone functions
const user = await getCurrentUser(client);
const cvms = await getCvmList(client);
Extending the Base Client
createClient already includes all built-in actions as methods. The .extend() method on createBaseClient is useful when you want to selectively include actions (for tree-shaking) or add your own custom actions:
import { createBaseClient, getCurrentUser, getCvmList } from "@phala/cloud";
const client = createBaseClient({ apiKey: "phak_your_api_key" }).extend({
getCurrentUser,
getCvmList,
});
// Only the actions you included are available as methods
const user = await client.getCurrentUser();
Available Actions
Actions marked with V return different response types depending on the client’s API version.
Authentication & User
| Method | Description |
|---|
getCurrentUser() V | Get current user, workspace, and credits info |
CVM Query
| Method | Description |
|---|
getCvmList(request?) V | List all CVMs (paginated) |
getCvmInfo(request) V | Get single CVM details |
getCvmStats(request) | Get CVM system stats |
getCvmNetwork(request) | Get CVM network info |
getCvmState(request) | Get CVM current state |
getCvmDockerCompose(request) | Get Docker Compose config |
getCvmComposeFile(request) | Get compose file content |
getCvmContainersStats(request) | Get container stats |
getCvmAttestation(request) | Get TEE attestation |
getCvmPreLaunchScript(request) | Get pre-launch script |
getCvmStatusBatch(request) | Get status of multiple CVMs |
getCvmUserConfig(request) | Get user-level CVM config |
checkCvmIsAllowed(request) | Check on-chain deployment allowance |
CVM Lifecycle
| Method | Description |
|---|
provisionCvm(request) | Create a new CVM |
commitCvmProvision(request) | Commit a CVM provision |
startCvm(request) | Start a CVM |
stopCvm(request) | Stop a CVM |
shutdownCvm(request) | Shutdown a CVM |
restartCvm(request) | Restart a CVM |
deleteCvm(request) | Delete a CVM |
replicateCvm(request) | Create a copy of a CVM |
watchCvmState(request) | Watch CVM state changes via SSE |
CVM Configuration
| Method | Description |
|---|
updateCvmEnvs(request) | Update environment variables |
updateDockerCompose(request) | Update Docker Compose config |
updatePreLaunchScript(request) | Update pre-launch script |
updateCvmResources(request) | Update resource allocation |
updateCvmVisibility(request) | Update visibility settings |
updateOsImage(request) | Update OS image |
getAvailableOsImages(request?) | List available OS images |
provisionCvmComposeFileUpdate(request) | Provision a compose file update |
commitCvmComposeFileUpdate(request) | Commit a compose file update |
patchCvm(request) | Unified partial CVM update |
confirmCvmPatch(request) | Confirm on-chain KMS patch (Phase 2) |
commitCvmUpdate(request) | Commit update with token (multisig) |
refreshCvmInstanceId(request) | Refresh a CVM instance ID |
refreshCvmInstanceIds(request) | Batch refresh CVM instance IDs |
Apps
| Method | Description |
|---|
getAppList(request?) V | List apps |
getAppInfo(request) V | Get app details |
getAppCvms(request) V | List CVMs for an app |
getAppRevisions(request) | List app revision history |
getAppRevisionDetail(request) | Get app revision details |
getAppFilterOptions() | Get available filter options for app list |
getAppAttestation(request) | Get app TEE attestation |
getAppDeviceAllowlist(request) | Get app device allowlist status |
checkAppIsAllowed(request) | Check on-chain app allowance |
checkAppCvmsIsAllowed(request) | Batch check app CVMs allowance |
Workspace
| Method | Description |
|---|
listWorkspaces(request?) | List workspaces |
getWorkspace(request) | Get workspace details |
getWorkspaceNodes(request) | Get workspace nodes |
getWorkspaceQuotas(request) | Get workspace resource quotas |
Nodes, Instance Types & OS Images
| Method | Description |
|---|
getAvailableNodes() | List available TEE nodes |
listAllInstanceTypeFamilies() | List all instance type families |
listFamilyInstanceTypes(request) | List instance types in a family |
getOsImages(request?) | List public OS images (paginated) |
KMS (Key Management)
| Method | Description |
|---|
getKmsInfo(request) | Get KMS info |
getKmsList(request?) | List KMS instances |
getKmsOnChainDetail(request) | Get on-chain KMS details |
getAppEnvEncryptPubKey(request) | Get env encryption public key |
nextAppIds(request?) | Get next available app IDs |
SSH Keys
| Method | Description |
|---|
listSshKeys() | List SSH keys |
createSshKey(request) | Add an SSH key |
deleteSshKey(request) | Remove an SSH key |
importGithubProfileSshKeys(request) | Import SSH keys from GitHub profile |
syncGithubSshKeys() | Sync SSH keys from GitHub |
On-Chain Contract Actions
These functions interact directly with the blockchain, not the Phala Cloud API. They require ETH for gas (write operations) or a public client (read operations).
| Method | Description |
|---|
deployAppAuth(request) | Deploy an AppAuth smart contract |
addComposeHash(request) | Register a compose hash on-chain |
addDevice(request) | Add a device to the on-chain allowlist |
removeDevice(request) | Remove a device from the on-chain allowlist |
setAllowAnyDevice(request) | Toggle the allow-any-device flag |
getAllowedDevices(request) | Query the on-chain device allowlist |
checkDeviceAllowed(request) | Check if a device is allowed on-chain |
checkComposeHashAllowed(request) | Check if a compose hash is allowed on-chain |
checkOnChainPrerequisites(request) | Batch check all on-chain prerequisites |
Safe Methods
Every action has a safe variant that returns a SafeResult instead of throwing:
const result = await client.safeGetCvmInfo({ id: "cvm-abc123" });
if (result.success) {
console.log(result.data);
} else {
console.error(result.error.message);
}
SafeResult type:
type SafeResult<T, E = SafeError> =
| { success: true; data: T; error?: never }
| { success: false; data?: never; error: E };
Custom Schema Validation
Every action accepts an optional schema parameter for custom response validation.
For actions without required request parameters, pass schema as the first argument:
import { z } from "zod";
const MySchema = z.object({ username: z.string() });
const user = await client.getCurrentUser({ schema: MySchema });
// user is typed as { username: string }
// Disable validation (returns unknown)
const raw = await client.getCurrentUser({ schema: false });
schema as the second argument:
const MyCvmSchema = z.object({ id: z.string(), name: z.string() });
const cvm = await client.getCvmInfo({ id: "cvm-abc123" }, { schema: MyCvmSchema });
Event Handling
Listen for error events across all API calls:
client.on("error", (error) => {
console.error("API Error:", error.message);
});
// Listen once
client.once("error", (error) => {
console.error("First error:", error.message);
});
// Remove listener
client.off("error", handler);
Debug Logging
Enable detailed cURL-format request/response logging:
DEBUG=phala::api-client node your-script.js
Environment Variables
| Variable | Description |
|---|
PHALA_CLOUD_API_KEY | API key for authentication |
PHALA_CLOUD_API_PREFIX | Base URL for the API |
Webhook Signature Verification
The SDK provides utilities for verifying webhook signatures, exported from a separate subpath to avoid bundling node:crypto into browser builds:
import { verifyWebhookSignature, parseWebhookEvent } from "@phala/cloud/webhook";
// Verify a single signature
const isValid = verifyWebhookSignature({
secret: "whsec_...",
timestamp: req.headers["x-webhook-timestamp"],
body: rawBody,
signature: req.headers["x-webhook-signature"],
});
// Or parse and verify in one step
const event = parseWebhookEvent({
headers: req.headers,
body: rawBody,
secret: "whsec_...",
});
