Porten Open app →
Menu
Build Earn Models Pricing Docs Open app →
Documentation

Sovereign inference — your hardware, your region

For regulated and public-sector workloads you can guarantee that inference runs only on machines you own and only in the region you choose. The policy is enforced at routing time, not merely promised: if no compliant node can serve, the request fails — it never falls back to hardware or a region you didn't allow.

This builds on Regions & data sovereignty and Run a node.

What you get

  • Own hardware only — requests route exclusively to nodes you operate.
  • Your jurisdiction — pinned to the EU (or a region you set).
  • Fail-closed — no compliant node → a clean 503, never a silent leak.
  • Managed for you — on-demand model loading, scheduling, routing and uptime. Your team ships against one OpenAI-compatible API without operating ML infra.

1. Bring your hardware online

On each of your machines (run them in the EU for an EU-sovereign setup):

curl -fsSL https://porten.ai/install.sh | sh

It installs the node, you approve it in your account from the browser, and it registers as yours. See Run a node. A node carries the region it's onboarded in — make sure yours are tagged for your jurisdiction.

2. Lock the key down

In Build → API keys, on the key your application uses:

  • Fleet → "My nodes only" — routing is restricted to nodes you own.
  • Region → EU (the region picker) — routing is restricted to EU nodes.

Both constraints are stored on the key and applied together at routing time. Operators can also set them per key via the admin API.

3. Point your app at the API

curl https://porten.ai/v1/chat/completions \
  -H "Authorization: Bearer $PORTEN_API_KEY" \
  -d '{"model":"…","messages":[{"role":"user","content":"…"}]}'

Every request from this key now runs only on your hardware, in your region.

4. Verify it's enforced (fail-closed)

Stop your nodes (or take them off the network) and send a request. You get:

503 {"error":{"code":"no_available_node","type":"service_unavailable", ... }}

— rather than the request routing somewhere else. That's the guarantee: no compliant node, no inference. It can't silently spill to a machine or region you didn't allow.

Total control: self-host the platform

For an air-gapped or fully in-house deployment, run the entire platform — the Hub included — on your own infrastructure. It's a single Go binary plus Postgres and Redis (a Docker Compose stack), so nothing, including the control plane, leaves your network. A self-host bundle is available on request.

What about the control plane?

With the hosted platform, a request transits the Hub (European-owned) on its way to your node and back — inference still happens only on your hardware, but the prompt passes through the Hub in transit. With a self-hosted Hub it never leaves your network at all. Hardware-enforced privacy on shared infrastructure (confidential compute via TEE + remote attestation) is on the roadmap.

📄 Reading as a machine? This page is available as raw Markdown at https://porten.ai/docs/sovereign.md — or grab the whole site via llms.txt / llms-full.txt.