Implementation
Technical steps to implement the API
Implementation Guide
Overview
The ExeQuantum API provides enterprise-grade access to NIST-standardized post-quantum algorithms, including:
ML-KEM (Key Encapsulation Mechanism) - the NIST-selected standard for establishing shared secrets.
ML-DSA (Digital Signature Algorithm) - the NIST-selected standard for authentication and integrity.
Together, these algorithms enable organizations to establish quantum-safe channels for end-to-end communication, TLS, and data integrity, without needing to build or maintain cryptographic primitives in-house.
Security Model
ExeQuantum never stores your private keys, shared secrets, or signatures.
API tokens provide secure, authenticated access. Permanent root tokens should be kept in trusted environments, while temporary tokens are recommended for client-facing or short-lived sessions.
All API endpoints are accessible across programming languages; code samples are provided in Python for clarity.
Deployment Options
ExeQuantum’s PQCaaS can be integrated flexibly depending on sovereignty and compliance requirements:
On-Premise / Local Partner Cloud - API hosted within your infrastructure or by a certified national partner.
ExeQuantum Cloud - secure, managed hosting by ExeQuantum.
Hybrid - client-controlled key storage with ExeQuantum orchestration.
You can also copy it without showing it, if you need extra privacy.
It is highly recommended that you only use this token from secure environments, and only use temporary (ideally single use) tokens when making calls from more exposed environments like frontend. Steps to generate a temporary tokens will be described later in this documentation.
Below that, you'll see the dashboard that shows your API usage for the month. Keep an eye on it to track your usage.
Implementation Steps
Step 0 - Generate Temporary Token (Recommended)
Temporary tokens reduce exposure of your root API key and are best practice for frontend or client-exposed environments.
import requests
response = requests.get(
'https://api.exequantum.com/api/token/new',
headers={'Authorization': 'bearer ' + AUTH_TOKEN}
)
temp_token = response.json()['new_token']
headers = {'Authorization': 'bearer ' + temp_token}ML-KEM - Establishing Shared Secrets
A. Generate Key Pair (Initiator):
headers = {'Authorization': 'Bearer ' + AUTH_TOKEN}
response = requests.get(
'https://api.exequantum.com/api/kem/generate_keys',
headers=headers
)
keys = response.json()
public_key = keys['pk']
secret_key = keys['sk']
verification_key = keys['verification_key']
signature = keys['signature']B. Encapsulate Shared Secret (Responder):
body = {
'pk': public_key,
'verification_key': verification_key,
'signature': signature
}
response = requests.post(
'https://api.exequantum.com/api/kem/encapsulate_key',
headers=headers,
json=body
)
enc = response.json()
cipher = enc['cipher']
shared_secret = enc['shared_key']C. Decapsulate Shared Secret (Initiator):
body = {
'cipher': cipher,
'sk': secret_key
}
response = requests.post(
'https://api.exequantum.com/api/kem/decapsulate_key',
headers=headers,
json=body
)
dec = response.json()
shared_secret = dec['shared_key']Both parties now share the same quantum-safe secret for symmetric encryption (e.g., AES-256).
Optional - AES via API
ExeQuantum provides AES-256 encryption/decryption endpoints for convenience.
AES-256 - Step 1 (By encryptor):
body =
'unencrypted': 'hello world',
'key': shared_secret
}
response = requests.post(
'https://api.exequantum.com/api/aes/encrypt_text',
headers=headers,
json=body
)
encrypted_message = response.json()AES-256 - Step 2 (By decryptor):
body = {
'ciphertext': encrypted_message,
'key': shared_secret
}
response = requests.post(
'https://api.exequantum.com/api/aes/decrypt_text',
headers=headers,
json=body
)
decrypted_message = response.json()
print("Decrypted message:", decrypted_message)ML-DSA - Digital Signatures
A. Sign Data:
body =
'data': data
}
response = requests.post(
'https://api.exequantum.com/api/signature/sign',
headers=headers,
json=body
)
data = response.json()
pk = data['pk']
sk = data['sk']
signature = data['signature']B. Verify Data:
body = {
'data': data,
'pk': pk,
'signature': signature
}
response = requests.post(
'https://api.exequantum.com/api/signature/verify',
headers=headers,
json=body
)
data = response.json()
verified = data['verified']Contact us for enterprise licensing, on-prem deployments, or source code handover.
Next Steps
Parameters: expiry_time (optional), expire_after_attempts (optional)
Headers: Authorization token
Response: { 'new_token': string }
Documentation: This API endpoint generates a temporary token, that lasts a set amount of time and can be used for a set amount of attempts.
3001Successful Response
Validation Error
GET /api/token/new HTTP/1.1
Host:
Accept: */*
No content
Parameters: None
Headers: Authorization token
Response: { 'pk': string, 'verification_key': string }
Documentation: This API endpoint generates a key pair, a public key (pk) and a secret key (sk). It also generates a verification key and a signature for digital verification purposes. The public key can be sent over to the message sender for encapsulation. The secret key gets stored privately for later retrieval.
Successful Response
GET /api/kem/generate_keys HTTP/1.1
Host:
Accept: */*
Successful Response
No content
Body: pk, signature, verif_key
Headers: Authorization token
Response: { 'cipher': string, 'shared_key': string }
Documentation: This API endpoint uses the public key to encapsulate the key, which generates a random cipher and a shared secret. The cipher can be sent back to the message sender to use for decapsulation.
Successful Response
Validation Error
POST /api/kem/encapsulate_key HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 51
{
"pk": "text",
"signature": "text",
"verif_key": "text"
}No content
Parameters: cipher, pk
Headers: Authorization token
Response: { 'shared_key': string }
Documentation: This API endpoint uses the the random cipher to generate a shared secret. If done correctly, this shared secret will now be only in the possession of the message sender and receiver and can be used as a symmetrical key to encrypt and decrypt any further data communication.
Successful Response
Validation Error
POST /api/kem/decapsulate_key HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"cipher": "text",
"sk": "text"
}No content
Body: data
Headers: Authorization token
Response: { 'signature': string, 'pk': string }
Documentation: This API endpoint generates a digital signature on the data.
Successful Response
Validation Error
POST /api/signature/sign HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 15
{
"data": "text"
}No content
body: data, pk, signature
Headers: Authorization token
Response: { 'verified': boolean }
Documentation: This API endpoint uses the signature and a public key to verify the origin of the data
Successful Response
Validation Error
POST /api/signature/verify HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"data": "text",
"pk": "text",
"signature": "text"
}No content
Body: unencrypted
Headers: Authorization token
Response: Encrypted message text
Documentation: This API endpoint uses the shared key to perform an AES encryption on a string (can be base64 or hex).
Successful Response
Validation Error
POST /api/aes/encrypt_text HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 35
{
"unencrypted": "text",
"key": "text"
}No content
Body: key, ciphertext
Headers: Authorization token
Response: Decrypted message text
Documentation: This API endpoint uses the shared key to perform an AES decryption on a fstringile.
Successful Response
Validation Error
POST /api/aes/decrypt_text HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Content-Length: 34
{
"ciphertext": "text",
"key": "text"
}No content
Last updated