Authentication
QuantumSafe uses API keys for authentication. All API requests must include your key in the Authorization header.
```
Authorization: Bearer qs_sec_live_abc123...
```
API Key Types
There are two types of API keys, each with different permissions:
| Key Type | Prefix | Permissions | Usage |
|---|---|---|---|
| Publishable | qs_pub_ | Scanner endpoints only | Frontend / client-side |
| Secret | qs_sec_ | All endpoints | Server-side only |
Never expose your Secret key in client-side code. Secret keys have full API access including key generation and signing. If compromised, rotate immediately via the dashboard.
Environment Prefixes
Each key type has environment variants:
| Environment | Key Pattern | Base URL |
|---|---|---|
| Live | qs_pub_live_* / qs_sec_live_* | https://api.qsafe.dev/v1 |
Publishable Keys
Publishable keys (qs_pub_) are safe to include in frontend applications. They can only access:
POST /v1/scan/wallet — Scan wallet addresses for quantum vulnerability
They cannot access key generation, signing, or verification endpoints.
```javascript
// Safe for frontend use
const qs = new QuantumSafe({
  apiKey: "qs_pub_live_pk_abc123...",
});

// This works
const scan = await qs.scan.wallet({ address: "0x..." });

// This will return AUTH_003 (Insufficient permissions)
const key = await qs.keys.generate({ algorithm: "ml-dsa-65" });
```
Secret Keys
Secret keys (qs_sec_) have full API access and must only be used server-side.
```javascript
// Server-side only
const qs = new QuantumSafe({
  apiKey: "qs_sec_live_sk_abc123...",
});

// Full access to all endpoints
const keypair = await qs.keys.generate({ algorithm: "ml-dsa-65", chain: "ethereum" });
```
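One way to enforce the server-side-only rule in a build pipeline, as an added example that is not QuantumSafe's own code: a check that scans browser-bound files for the `qs_sec_` prefix and reports findings without echoing the key. The key-body character set, the function names, and the sample file names and keys are assumptions constructed for illustration.

```javascript
// Added example, not QuantumSafe code. Flags Secret keys in browser-bound files.
// Assumption: the key body after the documented prefix matches [A-Za-z0-9_]+;
// the page documents only the qs_pub_ / qs_sec_ prefixes and environment segment.
const KEY_RE = /\bqs_(pub|sec)_([a-z]+)_[A-Za-z0-9_]+/g;

// Return every QuantumSafe-style key in `text` with its location and type.
// The key body is never returned, so findings are safe to print in CI logs.
function findKeys(text, file) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(KEY_RE)) {
      findings.push({
        file,
        line: i + 1,
        type: m[1] === "sec" ? "secret" : "publishable",
        environment: m[2],
        redacted: `qs_${m[1]}_${m[2]}_[redacted]`,
      });
    }
  });
  return findings;
}

// `files` maps a path to its contents. Only Secret keys count as leaks here:
// Publishable keys are documented as safe for frontend use.
function secretKeyLeaks(files) {
  return Object.entries(files)
    .flatMap(([file, text]) => findKeys(text, file))
    .filter((f) => f.type === "secret");
}

// Constructed sample bundle; both keys are made-up placeholders.
const sampleFiles = {
  "dist/app.js": [
    'const qs = new QuantumSafe({ apiKey: "qs_pub_live_pk_EXAMPLE0001" });',
    "// left over from local testing",
    'const admin = new QuantumSafe({ apiKey: "qs_sec_live_sk_EXAMPLE0002" });',
  ].join("\n"),
  "dist/vendor.js": "export const version = 1;",
};

const leaks = secretKeyLeaks(sampleFiles);
for (const l of leaks) {
  console.error(`${l.file}:${l.line} ${l.type} key (${l.environment}) ${l.redacted}`);
}
// A CI job would fail the build when leaks.length > 0.
```

Any key this check finds in a shipped bundle should be treated as compromised and deleted, since deletion is instant while rotation leaves the old key active for 24 hours.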
Creating API Keys
- Sign up at qsafe.dev/signup
- Navigate to the Dashboard
- Go to Settings > API Keys
- Click Create Key and select the type (Publishable or Secret)
You can also create keys programmatically via the Auth API.
Key Rotation
Rotate your API keys regularly. When you create a new key, the old key remains active for 24 hours to allow for a graceful transition.
If you suspect a key has been compromised, delete it immediately via the dashboard or DELETE /v1/auth/api-keys/{id}. Deletion is instant.