Anonymous OpenAI alternative

2026-06-17 · ~1500 words

Use frontier AI through the OpenAI SDK without an OpenAI account. Pay crypto, leave no IP trail. This post explains what an anonymous-payment proxy actually hides, what it cannot, and how to switch in two lines.

▸ The default has three problems

Going direct to OpenAI, Anthropic, or Google means three things you cannot opt out of: an account tied to an email or phone, a credit card on file, and IP logging at the request layer. Each one is reasonable for the vendor and risky for some buyers.

The account ties every prompt to an identity. Vendor staff with billing-system access can in principle correlate a query to a real human. Subpoenas reach the same record. Account deplatforming is a real ongoing risk for security researchers, journalists, healthcare prototypers in restrictive jurisdictions, and anyone running agentic experiments that hit the policy edges.

The credit card adds a second identity surface: name, billing address, bank-issued tokenization. Even cards that don't carry your real name (privacy.com burner numbers, virtual cards) still ride a network that resolves to an account somewhere.

The IP log is the quiet one. Vendors retain request-source IPs by default for rate limiting, fraud analysis, and abuse response. Most users never look at the retention policy. The IP plus a timestamp plus a token count is enough to fingerprint usage patterns over time.

▸ What anonymity actually buys

An anonymous-payment proxy sits between you and a frontier vendor. You pay the proxy in cryptocurrency. The proxy pays the vendor in bulk through a normal billing relationship. From the vendor's perspective, the proxy is a single high-volume customer. From your perspective, there is no account anywhere that names you.

This works for closed-weight frontier models (GPT, Claude, Gemini, Grok, Llama) because the vendor still needs to read the prompt to answer it. The proxy adds a vendor-blinding layer in front. The vendor does not know who you are. The vendor still knows what you asked.

For open-weight models, you can go further. If the proxy runs inference inside a confidential-computing TEE (Intel TDX on the CPU, NVIDIA Confidential Computing on the GPU), the prompt is decrypted only inside attested memory. The proxy operator cannot read it. The hardware vendor cannot read it. You get a cryptographic guarantee, not a policy promise.

▸ The two-tier model

Phantom exposes both layers under one OpenAI-compatible API. The catalog is split into two tiers:

• TEE-attested tier. Open-weight models (Kimi, Qwen, DeepSeek, Llama, Mistral, Gemma, etc.) running inside Intel TDX + NVIDIA Confidential Computing. Per-response attestation exposed at /v1/inference-attest. The proxy operator and the hardware host cannot read your prompt.
• Closed-weight proxy tier. Frontier vendor APIs (Claude, GPT, Gemini, Grok). The proxy reaches them through a TDX gateway. You are anonymous to the vendor. The vendor reads your prompt because that is the only way they can answer it.

The markup is tiered to match: +30% over wholesale on the TEE tier, +50% on the proxy tier. The 30% pays for the anonymity layer. The extra 20% on the proxy tier pays for the brittle TOS surface (vendor terms shift, KYC pressure grows, account-deplatforming risk on the proxy's own vendor account is real).

Buyers who care most about privacy of prompt content should stay on the TEE tier. Buyers who care about anonymity to the vendor (but accept that the vendor reads the prompt) can use the proxy tier without changing clients.

▸ The switch is two lines

Phantom is OpenAI-wire-compatible. Anything that already speaks https://api.openai.com/v1 works by changing base_url and api_key:

from openai import OpenAI

client = OpenAI(
    base_url="https://phantom.codes/v1",
    api_key="sk-A1xZ9k7eF...",
)

resp = client.chat.completions.create(
    model="phantom/kimi-k2.6",
    messages=[{"role": "user", "content": "ship it"}],
)

Streaming, tool calling, function calling, vision, embeddings, image generation all forward transparently. The wire protocol is identical. Same SDK, same call signature, same return shape.

For tool-driven coding agents (Cline, Aider, Continue, opencode, OpenHands), the integration is one environment variable: OPENAI_API_BASE=https://phantom.codes/v1. See the client configurations post for copy-paste setups for every common tool.

▸ What an anonymous proxy cannot do

Honest framing matters more than marketing. Here is what Phantom is NOT.

• Phantom is not a TEE-attested API. Only the upstream inference (on the TEE tier) is TEE-attested. The proxy itself holds plaintext in RAM while it forwards the request. The "we can't see your prompts" guarantee is enforced by the upstream TEE, not by the proxy.
• Phantom is not a cryptographically private proxy. The proxy decrypts the incoming request from the client (TLS) and re-encrypts to the upstream. Plaintext exists in proxy RAM for the duration of the forward.
• Phantom is not unsubpoenable. A subpoena reaches the proxy operator. The hand-over is: hashed key IDs, token counts per key, payment flow. Phantom holds no prompts, no completions, no IPs to surrender, because we never log them. The DB is SQLCipher-encrypted at rest, but the passphrase lives on the same host. Defense-in-depth against leaked backups, not against host compromise.
• Phantom is not refundable. No card to charge back. No email to mail. Buy small first.

The honest summary: Phantom hides who you are from the vendor and from anyone watching IPs. Phantom does not, and cannot, hide your prompts from a host-level adversary in the moment. The TEE tier closes that gap for open-weight models. For closed-weight frontier models, the gap stays open by definition.

▸ Where the privacy actually comes from

Three layers stack:

1. Identity layer. No account, no email, no card, no IP log. The proxy operator does not know you and cannot identify you to anyone.
2. Payment layer. XMR for maximum on-chain privacy. BTC, ETH, USDT, USDC, LTC, SOL, DOGE accepted but those chains are publicly traceable on their own ledgers regardless of the proxy's posture.
3. Compute layer. TEE tier only. The Intel TDX enclave decrypts the request inside attested memory. The NVIDIA CC GPU runs inference without exposing tensors. The operator and the host cannot read prompt content. Verify per request.

Each layer is independent. You can adopt one without the others. Pay crypto direct to OpenAI and you keep the account, the prompt log, and the IP trail. Use a TEE provider direct and you get attestation but you still register an email. Phantom stacks all three.

▸ Picking the bundle

Bundles are $10 starter, $50 standard, $200 pro, $500 enterprise. Custom amounts $1 to $1000 (practical floor around $10 because hosted checkout enforces per-coin minimums). Bundle validity is 90 days. Credit is 1:1 with USD paid. No volume bonus on custom amounts.

For first-time buyers, the $10 starter is the right pick. It is enough to verify the whole flow (crypto pay, key issuance, a few hundred chat completions). If the flow works, you scale up.

Refunds: none. No card to charge back, no email to mail. This is the trade for no-KYC. Start small.

Lost the key? Re-fetch at /recover.html with the payment ID. The payment ID is bearer-equivalent to the key, so guard it. Lose both and the purchase is unclaimable.

▸ Where to start

• 60-second quickstart
• Side-by-side comparison with OpenAI direct
• Side-by-side with OpenRouter
• Configurations for every common client
• How to verify a TEE quote

Or just buy the $10 starter and test the flow.