API Reference

Complete REST API documentation with request/response examples.

Base URL

https://api.quantumapi.eu/api/v1

Authentication — single credential

Every request authenticates with the X-Api-Key header. The key alone is sufficient — there is no JWT exchange, no session cookie, no second credential. The middleware order is enforced server-side (ApiKeyAuthorizationHandler runs before any other authorization handler), so a valid API key produces an authenticated tenant context for the whole request without needing a Bearer token alongside it.

curl https://api.quantumapi.eu/api/v1/applications \
  -H "X-Api-Key: qapi_..."

API key scopes

Each API key carries an explicit list of scopes. A scope grants the corresponding HTTP verbs on its resource —:read covers GET, :write covers POST/PUT/PATCH/DELETE. Calls without the right scope return 403 witherror: "insufficient_scope".

Scope	Grants access to	Shipped in
secrets:read / secrets:write	GET /secrets, POST /secrets, …	0.1.x-beta
keys:read / keys:write	GET /keys, POST /keys, /rotate, /import, …	0.1.x-beta
encryption:write	/encrypt, /decrypt, /sign, /verify	0.1.x-beta
ssh:read / ssh:write	GET/POST /ssh/ca, /ssh/certificates	0.15.0-beta
certificates:read / certificates:write	GET/POST /certificates, /cas, /cas/{id}/crl	0.15.0-beta
applications:read / applications:write	GET/POST /applications, OIDC client management	0.18.0-rc.1
endusers:read / endusers:write	GET/POST /endusers, /block, /unblock, /permanent	0.18.0-rc.1
roles:read / roles:write	GET/POST /roles, role assignments per application	0.20.0-rc.4
audit:read	GET /audit, audit log queries	0.1.x-beta
billing:read	GET /billing/subscription, /billing/usage	0.1.x-beta

?include= — opt-in field hydration

Several GET endpoints return a minimal projection by default and let you ask for additional fields via the include query parameter (comma-separated). Two shortcuts are supported on every endpoint that accepts include: metadata selects every supported metadata field, andall selects everything (including the secret value where applicable).

Endpoint	Supported tokens
GET /secrets/{id}	customFields, notes, labels, description, expiresAt, folderId, isActive, isFavorite, hasTotp, isTravelSafe, createdAt, updatedAt, createdBy, updatedBy, `metadata`, `all`
GET /keys/{id}/public	name, description, keyType, isPostQuantum, isActive, isDefault, isFavorite, createdAt, expiresAt, lastRotatedAt, labels, state, scheduledDeletionDate, `metadata`, `all` — not honoured for the `?format=jwk` response (JWK fields are fixed by RFC 7517)

# Get a secret with custom fields, notes and labels in one call
GET /api/v1/secrets/sec_abc123?include=customFields,notes,labels

# Or use the metadata shortcut
GET /api/v1/secrets/sec_abc123?include=metadata

# Public key with rotation history fields
GET /api/v1/keys/key_xyz789/public?include=lastRotatedAt,labels,state

Settings & Security RBAC

Tenant-wide configuration changes require an elevated role. PATCH /api/v1/settings/security is restricted to tenant:owner and tenant:admin; tenant:developer,tenant:viewer, and any API key (regardless of scopes) receive 403 witherror: "forbidden". The same rule applies to other PATCH /api/v1/settings/*endpoints that mutate security or compliance posture.

PATCH /api/v1/settings/security
X-Api-Key: qapi_...                       # API key → 403, even with settings:write
# (use a session token from a tenant:admin/owner browser sign-in instead)

End-user lifecycle endpoints

End-user state transitions are atomic across the Identity context (login enabled / blocked) and the EaaS context (end-user record). On /block and /unblock a save failure on the EaaS save triggers a compensating revert on Identity, so the two contexts cannot drift. /permanent reorders deletion so Identity removal happens before the EaaS cascade — if the cascade fails partway, a retry self-heals without orphaning the Identity user. See #674.

Method	Endpoint	Behavior
POST	/endusers/{id}/block	Disables Identity sign-in + flags EaaS record. Compensating revert on EaaS save failure. Idempotent.
POST	/endusers/{id}/unblock	Re-enables Identity sign-in. Same compensating-revert semantics as /block.
DELETE	/endusers/{id}/permanent	Permanent removal. Identity removed first; EaaS cascade follows so a partial failure is safely retryable.

Non-blocking team invitations

POST /api/v1/team/invitations returns within milliseconds even when SMTP is slow. The response is sent as soon as the invitation row is persisted; the invitation email is dispatched on a background task with a fresh DI scope, so an SMTP timeout (up to ~30s upstream) no longer blocks the HTTP request. The response payload includes emailDispatchStatus: "queued" so clients can show a "sending…" state and surface failures via the audit log.

POST /api/v1/team/invitations
X-Api-Key: qapi_...
Content-Type: application/json

{
  "email": "newhire@example.com",
  "role": "tenant:developer"
}

# Response (typically <50ms)
{
  "invitationId": "inv_abc123",
  "email": "newhire@example.com",
  "role": "tenant:developer",
  "expiresAt": "2026-05-08T12:00:00Z",
  "emailDispatchStatus": "queued"
}

Core Endpoints

Method	Endpoint	Description
POST	/encrypt	Encrypt plaintext
POST	/decrypt	Decrypt ciphertext
POST	/sign	Create signature
POST	/verify	Verify signature
GET	/keys	List keys
POST	/keys	Generate key
POST	/keys/{keyId}/rotate	Rotate key
GET	/keys/{keyId}/public	Get public key (supports ?include=)
GET	/secrets	List secrets
POST	/secrets	Create secret
GET	/secrets/{id}	Get secret (supports ?include=)
GET	/applications	List OIDC applications (applications:read)
GET	/endusers	List end-users (endusers:read)
POST	/endusers/{id}/block	Block end-user (atomic across Identity + EaaS)
POST	/endusers/{id}/unblock	Unblock end-user
DELETE	/endusers/{id}/permanent	Permanent end-user removal
POST	/team/invitations	Invite a tenant team member (non-blocking)
PATCH	/settings/security	Update tenant security settings (tenant:admin/owner)
GET	/health	Service health