Skip to content

Add verify_ssl parameter to LLM client for self-signed cert support #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kylexqian wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add verify_ssl parameter to LLM client for self-signed cert support #186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5fcf233
Add verify_ssl parameter to LLM client for self-signed cert support
kylexqian Mar 13, 2026
1aceb72
Add security warning for verify_ssl=False in docs and docstring
kylexqian Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions docs/CLAUDE_SDK_USERS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,13 @@ Each service has its own client class:
# LLM inference (Base Sepolia OPG tokens for x402 payments)
llm = og.LLM(private_key="0x...")

# Connect directly to a known TEE IP instead of using the on-chain registry.
# WARNING: verify_ssl=False disables TLS certificate verification and exposes
# the connection to man-in-the-middle attacks. Only use this when you trust
# the network path to the server. Never use in production without understanding
# the risks.
llm = og.LLM(private_key="0x...", llm_server_url="https://1.2.3.4", verify_ssl=False)

# On-chain model inference (OpenGradient testnet gas tokens)
alpha = og.Alpha(private_key="0x...")

Expand Down
23 changes: 22 additions & 1 deletion src/opengradient/client/llm.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,26 @@ class LLM:

result = await llm.chat(model=TEE_LLM.CLAUDE_HAIKU_4_5, messages=[...])
result = await llm.completion(model=TEE_LLM.CLAUDE_HAIKU_4_5, prompt="Hello")

Args:
private_key (str): Ethereum private key for signing x402 payments.
rpc_url (str): RPC URL for the OpenGradient network. Used to fetch the
active TEE endpoint from the on-chain registry when ``llm_server_url``
is not provided.
tee_registry_address (str): Address of the on-chain TEE registry contract.
llm_server_url (str, optional): Bypass the registry and connect directly
to this TEE endpoint URL (e.g. ``"https://1.2.3.4"``).
verify_ssl (bool): Whether to verify the server's TLS certificate.
Defaults to ``True``. Set to ``False`` when connecting directly via
``llm_server_url`` to a TEE with a self-signed certificate.

.. warning::
Disabling SSL verification (``verify_ssl=False``) removes
protection against man-in-the-middle attacks. Only use this
when you trust the network path to the TEE and have verified
the server identity through another means (e.g. the on-chain
registry). Never use in production without understanding the
risks.
"""

def __init__(
Expand All @@ -76,6 +96,7 @@ def __init__(
rpc_url: str = DEFAULT_RPC_URL,
tee_registry_address: str = DEFAULT_TEE_REGISTRY_ADDRESS,
llm_server_url: Optional[str] = None,
verify_ssl: bool = True,
):
self._wallet_account: LocalAccount = Account.from_key(private_key)

Expand All @@ -90,7 +111,7 @@ def __init__(
self._tee_payment_address = tee_payment_address

ssl_ctx = build_ssl_context_from_der(tls_cert_der) if tls_cert_der else None
self._tls_verify: Union[ssl.SSLContext, bool] = ssl_ctx if ssl_ctx else True
self._tls_verify: Union[ssl.SSLContext, bool] = ssl_ctx if ssl_ctx else verify_ssl

# x402 client and signer
signer = EthAccountSignerv2(self._wallet_account)
Expand Down
Loading