Implementation

Technical steps to implement the API

Implementation Guide

Overview

The ExeQuantum API provides enterprise-grade access to NIST-standardized post-quantum algorithms, including:

• ML-KEM (Key Encapsulation Mechanism) - the NIST-selected standard for establishing shared secrets.

• ML-DSA (Digital Signature Algorithm) - the NIST-selected standard for authentication and integrity.

Together, these algorithms enable organizations to establish quantum-safe channels for end-to-end communication, TLS, and data integrity, without needing to build or maintain cryptographic primitives in-house.

---

Security Model

ExeQuantum never stores your private keys, shared secrets, or signatures.

API tokens provide secure, authenticated access. Permanent root tokens should be kept in trusted environments, while temporary tokens are recommended for client-facing or short-lived sessions.

All API endpoints are accessible across programming languages; code samples are provided in Python for clarity.

Deployment Options

ExeQuantum’s PQCaaS can be integrated flexibly depending on sovereignty and compliance requirements:

• On-Premise / Local Partner Cloud - API hosted within your infrastructure or by a certified national partner.

• ExeQuantum Cloud - secure, managed hosting by ExeQuantum.

• Hybrid - client-controlled key storage with ExeQuantum orchestration.

API dashboard

You can also copy it without showing it, if you need extra privacy.

It is highly recommended that you only use this token from secure environments, and only use temporary (ideally single use) tokens when making calls from more exposed environments like frontend. Steps to generate a temporary tokens will be described later in this documentation.

Below that, you'll see the dashboard that shows your API usage for the month. Keep an eye on it to track your usage.

Usage metric and cost

Implementation Steps

Step 0 - Generate Temporary Token (Recommended)

Temporary tokens reduce exposure of your root API key and are best practice for frontend or client-exposed environments.

import requests

response = requests.get(
    'https://api.exequantum.com/api/token/new',
    headers={'Authorization': 'bearer ' + AUTH_TOKEN}
)
temp_token = response.json()['new_token']
headers = {'Authorization': 'bearer ' + temp_token}

ML-KEM - Establishing Shared Secrets

A. Generate Key Pair (Initiator):

headers = {'Authorization': 'Bearer ' + AUTH_TOKEN}

response = requests.get(
    'https://api.exequantum.com/api/kem/generate_keys',
    headers=headers
)
keys = response.json()

public_key = keys['pk']
secret_key = keys['sk']
verification_key = keys['verification_key']
signature = keys['signature']

B. Encapsulate Shared Secret (Responder):

body = {
    'pk': public_key,
    'verification_key': verification_key,
    'signature': signature
}
response = requests.post(
    'https://api.exequantum.com/api/kem/encapsulate_key',
    headers=headers,
    json=body
)
enc = response.json()
cipher = enc['cipher']
shared_secret = enc['shared_key']

C. Decapsulate Shared Secret (Initiator):

body = {
    'cipher': cipher,
    'sk': secret_key
}
response = requests.post(
    'https://api.exequantum.com/api/kem/decapsulate_key',
    headers=headers,
    json=body
)
dec = response.json()
shared_secret = dec['shared_key']

Both parties now share the same quantum-safe secret for symmetric encryption (e.g., AES-256).

Optional - AES via API

ExeQuantum provides AES-256 encryption/decryption endpoints for convenience.

AES-256 - Step 1 (By encryptor):

body = {
    'unencrypted': 'hello world',
    'key': shared_secret
}
response = requests.post(
    'https://api.exequantum.com/api/aes/encrypt_text',
    headers=headers,
    json=body
)
encrypted_message = response.json()

AES-256 - Step 2 (By decryptor):

body = {
    'ciphertext': encrypted_message,
    'key': shared_secret
}
response = requests.post(
    'https://api.exequantum.com/api/aes/decrypt_text',
    headers=headers,
    json=body
)
decrypted_message = response.json()

print("Decrypted message:", decrypted_message)

ML-DSA - Digital Signatures

A. Sign Data:

body = 
    'data': data
}
response = requests.post(
    'https://api.exequantum.com/api/signature/sign',
    headers=headers,
    json=body
)

data = response.json()

pk = data['pk']
sk = data['sk']
signature = data['signature']

B. Verify Data:

body = {
    'data': data,
    'pk': pk,
    'signature': signature
}
response = requests.post(
    'https://api.exequantum.com/api/signature/verify',
    headers=headers,
    json=body
)

data = response.json()

verified = data['verified']

• Contact us for enterprise licensing, on-prem deployments, or source code handover.

---

Next Steps

• Request a Demo

• Download the STAC White Paper

• Contact Us

Generate Token

get

Parameters: expiry_time (optional), expire_after_attempts (optional)

Headers: Authorization token

Response: { 'new_token': string }

Documentation: This API endpoint generates a temporary token, that lasts a set amount of time and can be used for a set amount of attempts.

Query parameters

expiry_timeintegerOptionalDefault: 300

expire_after_attemptsintegerOptionalDefault: 1

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

get

/api/token/new

HTTPcURLJavaScriptPython

GET /api/token/new HTTP/1.1
Accept: */*

No content

Generate Keys

get

Parameters: None

Headers: Authorization token

Response: { 'pk': string, 'verification_key': string }

Documentation: This API endpoint generates a key pair, a public key (pk) and a secret key (sk). It also generates a verification key and a signature for digital verification purposes. The public key can be sent over to the message sender for encapsulation. The secret key gets stored privately for later retrieval.

Responses

200

Successful Response

application/json

Responseany

get

/api/kem/generate_keys

HTTPcURLJavaScriptPython

GET /api/kem/generate_keys HTTP/1.1
Accept: */*

200

Successful Response

No content

Encapsulate Key

post

Body: pk, signature, verif_key

Headers: Authorization token

Response: { 'cipher': string, 'shared_key': string }

Documentation: This API endpoint uses the public key to encapsulate the key, which generates a random cipher and a shared secret. The cipher can be sent back to the message sender to use for decapsulation.

Body

application/json

pkstringRequired

signaturestringRequired

verif_keystringRequired

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

post

/api/kem/encapsulate_key

HTTPcURLJavaScriptPython

POST /api/kem/encapsulate_key HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 51

{
  "pk": "text",
  "signature": "text",
  "verif_key": "text"
}

No content

Decapsulate Key

post

Parameters: cipher, pk

Headers: Authorization token

Response: { 'shared_key': string }

Documentation: This API endpoint uses the the random cipher to generate a shared secret. If done correctly, this shared secret will now be only in the possession of the message sender and receiver and can be used as a symmetrical key to encrypt and decrypt any further data communication.

Body

application/json

cipherstringRequired

skstringRequired

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

post

/api/kem/decapsulate_key

HTTPcURLJavaScriptPython

POST /api/kem/decapsulate_key HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "cipher": "text",
  "sk": "text"
}

No content

Sign

post

Body: data

Headers: Authorization token

Response: { 'signature': string, 'pk': string }

Documentation: This API endpoint generates a digital signature on the data.

Body

application/json

datastringRequired

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

post

/api/signature/sign

HTTPcURLJavaScriptPython

POST /api/signature/sign HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 15

{
  "data": "text"
}

No content

Verify

post

body: data, pk, signature

Headers: Authorization token

Response: { 'verified': boolean }

Documentation: This API endpoint uses the signature and a public key to verify the origin of the data

Body

application/json

datastringRequired

pkstringRequired

signaturestringRequired

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

post

/api/signature/verify

HTTPcURLJavaScriptPython

POST /api/signature/verify HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 46

{
  "data": "text",
  "pk": "text",
  "signature": "text"
}

No content

Encrypt Text

post

Body: unencrypted

Headers: Authorization token

Response: Encrypted message text

Documentation: This API endpoint uses the shared key to perform an AES encryption on a string (can be base64 or hex).

Body

application/json

unencryptedstringRequired

keystringRequired

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

post

/api/aes/encrypt_text

HTTPcURLJavaScriptPython

POST /api/aes/encrypt_text HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 35

{
  "unencrypted": "text",
  "key": "text"
}

No content

Decrypt Text

post

Body: key, ciphertext

Headers: Authorization token

Response: Decrypted message text

Documentation: This API endpoint uses the shared key to perform an AES decryption on a fstringile.

Body

application/json

ciphertextstringRequired

keystringRequired

Responses

200

Successful Response

application/json

Responseany

422

Validation Error

application/json

post

/api/aes/decrypt_text

HTTPcURLJavaScriptPython

POST /api/aes/decrypt_text HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "ciphertext": "text",
  "key": "text"
}

No content