Phala Cloud

June 27, 2026 · View on GitHub

Phala Cloud project dashboard showing CVM, app, workspace, GPU TEE, model, and billing controls

Phala Cloud

Deploy Docker workloads to Confidential VMs from the command line.

Cloud · Docs · Trust Center · Templates

Deploy on Phala Cloud

Phala Cloud lets you run existing containers inside hardware-backed Trusted Execution Environments. Bring a docker-compose.yml, deploy it as a Confidential VM, seal secrets to the measured build, and fetch attestation proof for what is running.

  • Deploy Docker Compose services as Confidential VMs with the phala CLI
  • Seal environment variables to the measured build instead of shipping raw secrets
  • Stream logs, SSH, copy files, and manage linked CVMs from the terminal
  • Fetch attestation proof for deployed workloads
  • Start from templates for agents, MCP servers, GPU inference, and apps

The main developer surface in this repository is the phala CLI.

Install the CLI

npm install -g phala

Or run it without installing:

npx phala <command>
bunx phala <command>

Authenticate with Phala Cloud:

phala login

Headless environment:

phala login --no-open
phala login phak_xxx

Deploy a Confidential VM

From a project that has a docker-compose.yml:

phala deploy -n my-app -c docker-compose.yml -e .env --wait

The CLI creates or updates a CVM, seals environment variables when you pass -e, schedules the workload on TDX infrastructure, and waits until the CVM is ready when --wait is set.

After the first deploy, link the directory to the CVM:

phala link
git add phala.toml

phala.toml contains no secrets. Once it exists, day-to-day commands can target the linked CVM automatically:

phala deploy          # update the linked CVM
phala ps              # list containers
phala logs -f         # stream app logs
phala ssh             # open a shell
phala cp ./file :~/   # copy to the linked CVM

Verify What Ran

Fetch the CVM attestation:

phala cvms attestation
phala cvms attestation --json > attestation.json

The attestation binds the running CVM to its measured runtime and compose hash, so users and auditors can verify that the deployed workload is the workload that was registered.

For confidential agents, mount the dstack socket inside the container to use KMS, Sign-RPC, and attestation from the workload:

services:
  agent:
    image: ghcr.io/your-org/agent:latest
    environment:
      - OPENAI_API_KEY=${OPENAI_API_KEY}
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock
    ports:
      - "8080:8080"

Deploy with sealed credentials:

phala deploy -n my-agent -c docker-compose.yml -e .env --wait

Common CLI Commands

CommandPurpose
phala deployDeploy a new CVM or update the linked CVM
phala linkBind the current directory to a CVM with phala.toml
phala appsList deployed applications
phala cvmsManage CVMs: get, start, stop, restart, resize, delete, attest
phala logsRead container, serial, or CVM stderr logs
phala psList containers in a CVM
phala sshSSH into a CVM
phala cpCopy files to or from a CVM
phala instance-typesList available CPU/GPU TEE instance types
phala nodesList available TEE worker nodes
phala profilesManage multiple Phala Cloud workspaces

Full command docs live in cli/docs.

What Is in This Repository

PathPurpose
cliOfficial Phala Cloud CLI, published as phala on npm
jsTypeScript SDK, published as @phala/cloud
pythonPython SDK, published as phala-cloud
goGo SDK for Phala Cloud API automation
templatesCurated prebuilt templates for MCP servers, agents, model serving, apps, and infrastructure
skillsAgent-readable workflows for Claude Code, Codex, Cursor, and other coding agents
terraformTerraform provider submodule

SDKs

Use the CLI for deployment workflows. Use the SDKs when you need to integrate Phala Cloud into another product, service, or automation system.

TypeScript:

npm install @phala/cloud
import { createClient } from '@phala/cloud'

const client = createClient({
  apiKey: process.env.PHALA_CLOUD_API_KEY,
})

const me = await client.getCurrentUser()

Python:

pip install phala-cloud
from phala_cloud import create_client

client = create_client(api_key="<api-key>")
me = client.get_current_user()

Go:

go get github.com/Phala-Network/phala-cloud/sdks/go
client, err := phala.NewClient(phala.WithAPIKey("<api-key>"))

Templates

The templates directory contains prebuilt Phala Cloud deployments for:

  • MCP servers and AI agent tools
  • LLM inference and model-serving demos
  • AI research and GPU miner workspaces
  • Web apps and developer utilities
  • Blockchain, oracle, and data workloads
  • Confidential computing starter kits

Each prebuilt template includes a docker-compose.yml and README. The template catalog is generated from templates/config.json.

Validate template metadata before opening a PR:

python3 templates/validate.py

Agent Workflows

The skills directory turns Phala Cloud workflows into concise instructions that AI coding agents can follow.

Examples:

These files are designed to be fetched by coding agents and executed as step-by-step runbooks.

Terraform

This repository vendors the Terraform provider as a submodule in terraform.

Clone with submodules:

git clone --recurse-submodules git@github.com:Phala-Network/phala-cloud.git

If you already cloned without submodules:

git submodule update --init --recursive

Terraform Registry:

terraform {
  required_providers {
    phala = {
      source  = "phala-network/phala"
      version = "0.2.0-beta.1"
    }
  }
}

Provider page: https://registry.terraform.io/providers/phala-network/phala/latest

Development

Install dependencies:

bun install

CLI development:

cd cli
bun run src/index.ts --help
bun run check

SDK checks:

cd js && bun run check
cd python && make check
cd go && go test ./...

Contributing

Issues and pull requests are welcome. For templates, include validation output and a short smoke-test note. For CLI and SDK changes, include focused tests or a clear manual verification path.

See CONTRIBUTING.md.

License

This repository is licensed under the MIT License. Some packages and submodules may carry their own license files.