Deploy a container with an H200 GPU straight from your browser. Pay per second in ETH or USDC, with no account and no KYC. Then check the cryptographic attestation yourself before you send a single byte of data.
NAN runs your workload inside a hardware-isolated, attested enclave, so the operator can't read your memory, your keys, or your traffic, and you don't have to take our word for it. Every claim on this page is something you can check on-chain or in a signed attestation. We're equally explicit about the part that isn't hardware-enforced: how tenants are kept apart from each other on a shared GPU.
Each enclave produces an Intel TDX quote and an NVIDIA GPU attestation report. Verify them client-side against published measurements, then connect.
Funds live in an on-chain escrow you control. Top up with ETH or USDC, meter by the second, withdraw the remainder whenever you want.
The whole API is CORS-enabled. Spin up a server, stream logs, and pull attestation from front-end JavaScript. No backend required.
Full H200s in NVIDIA confidential-computing mode. The whole GPU is one attested trust domain (CC disables MIG, so there's no hardware sub-slicing). You buy a VRAM slice and a compute share; tenants share the card by time, isolated from each other at the process level.
The path from an empty wallet to a verified GPU endpoint.
Configure a container, connect your wallet, and provision a real confidential enclave. This console calls the same public REST API documented below. The request body and browser fetch() shown here are exactly what gets sent. Use Dry run to inspect the call before spending anything.
"Trustless" isn't a slogan. It's a chain of measurements that ends in your browser. Walk each link to see what gets verified and why the operator can't fake it.
Most "confidential GPU" pitches blur these together. NAN keeps them separate because they're enforced by different things and carry different guarantees. Here is precisely what protects you, and from whom.
Your enclave runs in a CPU TEE (Intel TDX) with the H200 in NVIDIA confidential-computing mode. The CPU↔GPU link is encrypted and the GPU is walled off from the host. NAN, the operator, cannot read your VRAM, RAM, keys, or traffic. This is enforced by hardware and proven by an attestation you verify in your browser before sending data. This is the strong guarantee, and it's the one you can check cryptographically.
CC seals the whole GPU as a single trust domain and disables MIG, so there's no hardware partition between tenants on one card. We isolate tenants the way an OS isolates processes: each tenant runs in its own dedicated worker process, never sharing one with another tenant. That boundary, not a hardware slice, is what keeps tenants apart, and we don't pretend otherwise.
Inter-tenant isolation is enforced by the operating system and the NVIDIA GPU driver, the one component every tenant's workload passes through. So tenants are isolated from each other at the process level, modulo the integrity of that shared driver, not by per-tenant hardware partitioning (which this GPU generation does not offer with confidential computing on). If your threat model requires hardware-enforced isolation from other tenants specifically, run a dedicated full-GPU deployment instead of a shared one. Isolation from us, the operator, is hardware-enforced and attested either way.
Pick a VRAM slice and a compute share of the H200. Both are enforced in software: a per-process memory cap and a scheduler cap on GPU compute, not a hardware MIG partition (CC disables MIG). Billing is the larger of your memory share (your GB of the card's 141 GB) or your compute share (your fraction of the GPU's throughput), times the full-GPU rate. Escrow drains while a deployment runs and stops draining the instant the deployment stops. Rates are in USDC; pay the equivalent in ETH at settlement.
| Example | VRAM slice | Compute | Per hour | Per second |
|---|---|---|---|---|
| CPU only | n/a | n/a | $0.11 | $0.0000306 |
| Compute slice | ~18 GB | 13% | $0.78 | $0.0002167 |
| Memory slice | ~35 GB | ≤25% | $1.49 | $0.0004137 |
| Full GPU | 141 GB | 100% | $6.00 | $0.0016667 |
These are example points on a continuous scale, not a fixed menu. Because the slice is a software cap, VRAM isn't locked to fixed hardware profiles and compute is dialed in whole-percent steps (1% to 100% of the card, ≈1.3 SMs each). Request what you need and we bill the larger of your memory or compute share. The Compute slice is compute-bound (13% of throughput, modest VRAM); the Memory slice holds more VRAM with little compute, so it's billed on the memory share. A Full GPU deployment is the option to choose when you want no co-tenants on the card at all. It's the only configuration where isolation from other tenants is also hardware-enforced, not just process-level. Tenants on a shared card are isolated from each other at the process level and always isolated from the operator by confidential computing.
Everything the service does, fully scoped. Authenticate with an Ethereum signature, fund an on-chain escrow, and orchestrate confidential containers over plain HTTPS.