Crypto API Reference
Complete reference for H33's cryptographic API suite. Post-quantum signatures (ML-DSA, ML-KEM), fully homomorphic encryption (BFV, CKKS), zero-knowledge proofs (ZK-STARK), secure multi-party computation, storage encryption, PQ video, AI attack detection, and encrypted search.
Authentication
All API requests require your h33_live_* API key as a Bearer token in the Authorization header.
Keys are scoped per project and can be rotated without downtime.
https://h33.ai/api/v1 — All endpoints below are relative to this base. Use your h33_live_* key as Bearer token.
Include your API key as a Bearer token in every request using the Authorization header.
Best Practice: Environment Variable
export H33_API_KEY=h33_live_...
SDK Initialization
import { H33 } from '@h33/sdk'; const h33 = new H33({ apiKey: process.env.H33_API_KEY });
import os from h33 import H33Client client = H33Client(api_key=os.environ["H33_API_KEY"])
use h33::Client; let client = Client::new( std::env::var("H33_API_KEY").expect("H33_API_KEY required") );
Rate Limits
| Tier | Requests / sec | Burst |
|---|---|---|
| Free | 5 | 10 |
| Starter | 10 | 20 |
| Pro | 50 | 100 |
| Business | 200 | 400 |
| Growth | 500 | 1,000 |
| Scale | 2,000 | 4,000 |
| Enterprise | 10,000 | 20,000 |
| Enterprise+ | Unlimited | Unlimited |
Error Responses
All errors return a consistent JSON envelope with a machine-readable code,
human-readable message, and HTTP status.
Error Envelope
{
"error": {
"code": "INVALID_KEY",
"message": "The provided API key is invalid or revoked.",
"status": 401,
"request_id": "req_abc123"
}
}
Error Codes
| Code | HTTP | Description |
|---|---|---|
UNAUTHORIZED |
401 | Missing or malformed Authorization header. |
INVALID_KEY |
401 | API key is invalid, expired, or revoked. |
INVALID_SCOPE |
403 | API key does not have permission for this endpoint. |
RATE_LIMITED |
429 | Rate limit exceeded. Check Retry-After header for seconds until reset. |
INVALID_CIPHERTEXT |
400 | Ciphertext is malformed or was encrypted with a different key. |
NOISE_BUDGET_EXHAUSTED |
400 | FHE ciphertext noise budget is exhausted. Reduce computation depth or use bootstrapping. |
INVALID_PROOF |
400 | ZK proof verification failed. |
SESSION_EXPIRED |
410 | The session or ceremony has expired. Create a new one. |
INSUFFICIENT_CREDITS |
402 | Credit balance too low. Top up at /pricing. |
Dilithium (ML-DSA) NIST PQC
NIST FIPS 204 standardized post-quantum digital signatures. Lattice-based security resistant to quantum attacks. Three security levels: ML-DSA-44 (NIST Level 2), ML-DSA-65 (Level 3), ML-DSA-87 (Level 5).
Generate a new Dilithium keypair for post-quantum digital signatures.
Request
{
"security_level": "ML-DSA-65" // ML-DSA-44 | ML-DSA-65 | ML-DSA-87
}
Response
{
"public_key": "base64...",
"key_id": "key_dil_7f3a...",
"algorithm": "ML-DSA-65"
}
Sign a message using Dilithium secret key.
Request
{
"message": "base64_encoded_message",
"key_id": "key_dil_7f3a..."
}
Response
{
"signature": "base64..."
}
Verify a Dilithium signature against a message and public key.
Request
{
"message": "base64_encoded_message",
"signature": "base64_encoded_signature",
"public_key": "base64_encoded_public_key"
}
Response
{
"valid": true
}
Kyber (ML-KEM) NIST PQC
NIST FIPS 203 standardized post-quantum key encapsulation mechanism. Provides quantum-resistant key exchange. Three security levels: ML-KEM-512, ML-KEM-768, ML-KEM-1024.
Generate a new Kyber keypair for quantum-resistant key encapsulation.
Request
{
"security_level": "ML-KEM-768" // ML-KEM-512 | ML-KEM-768 | ML-KEM-1024
}
Response
{
"public_key": "base64...",
"secret_key": "base64...",
"algorithm": "ML-KEM-768"
}
Encapsulate a shared secret using the recipient's public key.
Request
{
"public_key": "base64_encoded_public_key"
}
Response
{
"ciphertext": "base64...",
"shared_secret": "base64..." // 32 bytes
}
Decapsulate the shared secret using your secret key.
Request
{
"ciphertext": "base64_encoded_ciphertext",
"secret_key": "base64_encoded_secret_key"
}
Response
{
"shared_secret": "base64..." // Same 32 bytes as sender
}
Hybrid Signature Modes PQC
H33 supports three signature modes. The mode is selected automatically based on your security level (H0โH256),
or you can override it per-request via the signatureMode parameter.
Concatenated (H2, standard auth)
// Concatenated: two independent signatures side by side const result = await h33.auth.verify({ biometric: captureData, signatureMode: "concatenated" // default for H2/H33 }); // result.signatures.ed25519 โ 64 bytes // result.signatures.dilithium โ 2,420 bytes // result.verified: true (both must pass)
Nested (H33-128, identity ops)
// Nested: Dilithium wraps (payload + Ed25519 sig) const result = await h33.auth.verify({ biometric: captureData, signatureMode: "nested" // default for H33-128 }); // result.signatures.inner โ Ed25519 over payload (64 bytes) // result.signatures.outer โ Dilithium over (payload || inner) (2,420 bytes) // result.signatureScheme: "NESTED_ED25519_DILITHIUM3" // Temporal binding: outer attests inner existed at sign time
Triple-Nested (H-256, SBT mint)
// Triple-nested: third algorithm wraps the nested pair const sbt = await h33.identity.mintSoulbound({ biometricCommitment: commitment, guardians: guardianList, signatureMode: "archival", // "triple-nested" = Ed25519 + Dilithium-5 + FALCON-512 (3-Key, ~2ms, +3 units) // "archival" = Ed25519 + Dil-5 + FALCON + SPHINCS+-128f (4-Key, ~16ms, +5 units) }); // result.signatures.layer1 โ Ed25519 (64 bytes) // result.signatures.layer2 โ Dilithium-5 over (payload || layer1) // result.signatures.layer3 โ FALCON-512 over (payload || layer1 || layer2) // result.signatures.layer4 โ SPHINCS+-128f over full composite (hash-based, no lattice) // result.wireVersion โ 0x04
Wire Format
| Mode | Layer 1 | Layer 2 | Layer 3 | Total | Latency |
|---|---|---|---|---|---|
| Concatenated | Ed25519 64B | Dilithium-3 2,420B | โ | 2,484B | ~142ยตs |
| Nested | Ed25519 64B | Dilithium-3 2,420B | โ | 2,484B | ~142ยตs |
| Triple (H-256-L) | Ed25519 64B | Dilithium-5 3,309B | FALCON-512 690B * | ~4,063B | ~2ms |
| Triple (H-256-H) | Ed25519 64B | Dilithium-5 3,309B | SPHINCS+ 7,856B * | ~11,229B | ~14ms |
| Archival (4-Key) | Ed25519 64B | Dilithium-5 3,309B + FALCON-512 690B | SPHINCS+-128f 17,088B | ~21,151B | ~16ms |
Create a hybrid multi-layer signature. Supports nested and triple-nested modes with configurable algorithm variants.
Request
{
"message": "base64_encoded_message",
"signatureMode": "nested", // "nested" | "triple-nested"
"tripleVariant": "lattice-redundant" // "lattice-redundant" | "hash-diversified" (triple-nested only)
}
Response
{
"signatures": {
"layer1": "base64...",
"layer2": "base64...",
"layer3": "base64..." // present only for triple-nested
},
"scheme": "NESTED_ED25519_DILITHIUM3",
"onChainHash": "base64..." // SHA3-256, present only for triple-nested
}
Verify a hybrid multi-layer signature. Validates each layer independently and returns per-layer results.
Request
{
"message": "base64_encoded_message",
"signatures": {
"layer1": "base64...",
"layer2": "base64...",
"layer3": "base64..."
},
"scheme": "TRIPLE_ED25519_DILITHIUM5_FALCON512"
}
Response
{
"valid": true,
"layers": {
"layer1": true,
"layer2": true,
"layer3": true
}
}
List available hybrid signature algorithms and their configurations per security level.
Response
{
"available": {
"classical": ["ed25519"],
"lattice": ["dilithium2", "dilithium3", "dilithium5", "falcon512"],
"hashBased": ["sphincsPlus128s"]
},
"configurations": {
"H0": { "layers": ["dilithium3"] },
"H33": { "layers": ["ed25519", "dilithium3"] },
"H-256-L": { "layers": ["ed25519", "dilithium5", "falcon512"] },
"H-256-H": { "layers": ["ed25519", "dilithium5", "falcon512", "sphincsPlus128f"] },
"H33-Archival": { "layers": ["ed25519", "dilithium5", "falcon512", "sphincsPlus128f"], "units": 6, "wireVersion": "0x04" }
}
}
FHE - BFV Scheme FHE
Brakerski/Fan-Vercauteren scheme for fully homomorphic encryption over integers. Ideal for exact integer arithmetic on encrypted data. Supports addition and multiplication.
Generate BFV encryption keys including public key, secret key, and relinearization key.
Request
{
"security_level": "128" // 128 | 192 | 256
}
Response
{
"public_key": "base64...",
"secret_key": "base64...",
"relin_key": "base64...",
"session_id": "uuid..."
}
Encrypt an integer vector. Supports batching for SIMD-style operations.
Request
{
"plaintext": [1, 2, 3, 4, 5], // i64 array
"public_key": "base64..."
}
Response
{
"ciphertext": "base64..."
}
Decrypt a BFV ciphertext back to plaintext integers.
Request
{
"ciphertext": "base64...",
"key_id": "key_bfv_9c2d..."
}
Response
{
"plaintext": [1, 2, 3, 4, 5]
}
Homomorphically add two ciphertexts. Result decrypts to sum of plaintexts.
Request
{
"ciphertext_a": "base64...",
"ciphertext_b": "base64..."
}
Homomorphically multiply two ciphertexts. Requires relinearization key to maintain ciphertext size.
Request
{
"ciphertext_a": "base64...",
"ciphertext_b": "base64...",
"relin_key": "base64..."
}
FHE - CKKS Scheme FHE
Cheon-Kim-Kim-Song scheme for fully homomorphic encryption over approximate numbers. Ideal for machine learning and floating-point computations on encrypted data. Supports bootstrapping for unlimited computation depth.
Create a new CKKS session with encryption keys and context. Returns session_id for subsequent operations.
Request
{
"security_level": "q-128", // q-dev, q-128, q-256
"scale_bits": 40, // Precision: 2^40
"poly_modulus_degree": 8192 // Ring dimension
}
Response
{
"session_id": "ckks_abc123...",
"public_key": "base64...",
"relin_key": "base64...",
"galois_keys": "base64...",
"max_slots": 4096
}
Encrypt float vectors into a CKKS ciphertext. Supports batching up to max_slots values.
Request
{
"session_id": "ckks_abc123...",
"plaintext": [1.5, 2.7, 3.14159, -0.5] // f64 array
}
Response
{
"ciphertext": "base64...",
"scale": 1099511627776 // 2^40
}
Decrypt a CKKS ciphertext to float values. Returns approximate real numbers.
Request
{
"session_id": "ckks_abc123...",
"ciphertext": "base64..."
}
Response
{
"plaintext": [1.4999998, 2.7000001, 3.1415899, -0.5000001]
}
Perform homomorphic operations on encrypted data. Supports add, sub, multiply, multiply_lazy, rescale, relinearize, and dot_product.
Request
{
"session_id": "ckks_abc123...",
"operation": "multiply", // add, sub, multiply, multiply_lazy, rescale, relinearize, dot_product
"ciphertext_a": "base64...",
"ciphertext_b": "base64..." // Optional for unary ops
}
Response
{
"result": "base64...",
"scale": 1208925819614629174706176, // After multiply: 2^80
"needs_rescale": true
}
Operations
| Op | Description | Notes |
|---|---|---|
add |
Element-wise addition | Scales must match |
sub |
Element-wise subtraction | Scales must match |
multiply |
Element-wise multiplication | Auto-relinearizes |
multiply_lazy |
Multiply without relin | Faster, defer relin |
rescale |
Reduce scale after multiply | Required after mult |
relinearize |
Reduce ciphertext size | After multiply_lazy |
dot_product |
Vector dot product | Uses rotations |
Fused dot product with automatic rescaling. Optimized for ML inference โ computes inner product of encrypted vectors in a single call.
Request
{
"session_id": "ckks_abc123...",
"ciphertext_a": "base64...", // Encrypted vector A
"ciphertext_b": "base64..." // Encrypted vector B
}
Response
{
"result": "base64...", // Encrypted scalar (dot product)
"scale": 1099511627776
}
Compute encrypted cosine similarity for ML matching. Perfect for biometric feature comparison without decryption.
Request
{
"encrypted_vector_a": "base64...",
"encrypted_vector_b": "base64...",
"relin_key": "base64..."
}
Response
{
"encrypted_similarity": "base64..." // Decrypt to get 0.0-1.0
}
ZKP - ZK-STARK ZKP
ZK-STARK is H33's production ZK proof system. STARK Lookup with SHA3-256 hash, optimized for authentication: 0.067ยตs prove, 2.09ns (cached) verify, 105-byte proofs. Post-quantum safe. No trusted setup.
Generate a ZK-STARK zero-knowledge proof. Prove statements about data without revealing it. STARK Lookup with SHA3-256 hash, optimized for authentication workloads. Post-quantum safe, no trusted setup.
Request
{
"statement": "identity", // identity | age | credential | hash-preimage
"private_inputs": {
"secret": "base64...",
"salt": "base64..."
},
"public_inputs": {
"commitment": "base64..."
}
}
Response
{
"proof": "base64...", // 105 bytes
"public_inputs": {
"commitment": "base64..."
},
"prove_time_ms": 18.2
}
Verify a ZK-STARK proof against public inputs. 2.09ns cached verification.
Request
{
"proof": "base64...",
"statement": "identity",
"public_inputs": {
"commitment": "base64..."
}
}
Response
{
"valid": true,
"verify_time_ns": 2.09
}
MPC - Secure Multi-Party Computation MPC
Secure multi-party computation allows multiple parties to jointly compute a function over their inputs while keeping those inputs private.
Initialize a new MPC session with specified participants and computation type.
Request
{
"participants": 3,
"threshold": 2, // t-of-n threshold
"computation": "sum" // sum | average | max | min | custom
}
Response
{
"session_id": "uuid...",
"participant_ids": ["p1", "p2", "p3"],
"public_params": "base64..."
}
Submit an encrypted share to the MPC session.
Request
{
"participant_id": "p1",
"encrypted_share": "base64..."
}
Trigger computation once threshold shares are collected. Returns result to all participants.
Response
{
"result": 42, // The computed result
"proof": "base64..." // Proof of correct computation
}
Bundled Services
High-performance bundled endpoints using h33_fhe and h33_stark internally โ our fastest, most secure implementations.
Complete authentication in one call. Uses h33_fhe for encryption and h33_stark for proof generation. Returns verified identity with quantum-resistant signatures. 1.36ms latency.
Request Body
{
"user_id": "user_123",
"biometric": "base64_encoded_data",
"options": {
"include_zk_proof": true,
"include_signature": true
}
}Response
{
"auth_token": "h33_at_7f3a...",
"token_id": "tok_abc123",
"verified": true,
"confidence": 0.9987,
"expires_at": "2026-03-07T07:00:00Z",
"verify_url": "/v1/auth/verify/tok_abc123"
}Verify the validity of an authentication token. Returns token metadata and expiration status.
Response
{
"token_id": "tok_abc123",
"valid": true,
"user_id": "user_123",
"issued_at": "2026-03-07T06:00:00Z",
"expires_at": "2026-03-07T07:00:00Z"
}
Encrypt and Prove
FHE encryption with ZK proof in one call. Encrypts data using h33_fhe and generates a H33 ZKP STARK Lookup proof of correct encryption. 2.0ยตs prove, 2.09ns cached verify, 105-byte proof.
Request Body
{
"plaintext": "data_to_encrypt",
"public_key": "...",
"proof_type": "stark"
}Response
{
"ciphertext": "...",
"proof": "...",
"proof_valid": true,
"latency_us": 180
}Secure Compute
FHE computation with correctness proof. Performs operations on encrypted data and generates a H33 ZKP Stark Lookup proof that the computation was performed correctly. 250ยตs latency.
Request Body
{
"operation": "add",
"ciphertext_a": "...",
"ciphertext_b": "...",
"generate_proof": true
}Response
{
"result": "...",
"correctness_proof": "...",
"proof_verified": true,
"latency_us": 250
}Key Ceremony
Multi-party key generation ceremony. Securely generates shared keys across multiple participants using MPC protocols with quantum-resistant algorithms. 500ยตs per party.
Request Body
{
"ceremony_id": "ceremony_abc123",
"participants": 5,
"threshold": 3,
"algorithm": "dilithium"
}Response
{
"ceremony_id": "ceremony_abc123",
"status": "initialized",
"public_key": "...",
"participant_shares": ["..."],
"latency_us": 2500
}NEW Storage Encryption
Encrypt arbitrary data at rest using post-quantum Kyber+AES-256-GCM hybrid encryption. Returns Base64-encoded ciphertext and a key ID for later decryption.
Request Body
{
"plaintext_b64": "SGVsbG8gV29ybGQ=",
"aad": "optional-context-string"
}Response
{
"ciphertext_b64": "...",
"key_id": "key_a1b2c3d4",
"algorithm": "kyber1024-aes256gcm",
"latency_us": 340
}Decrypt data previously encrypted with the storage encrypt endpoint. Requires the key ID returned during encryption.
Request Body
{
"ciphertext_b64": "...",
"key_id": "key_a1b2c3d4",
"aad": "optional-context-string"
}Response
{
"plaintext_b64": "SGVsbG8gV29ybGQ=",
"latency_us": 280
}Field-level encryption with automatic sensitivity classification. Each field is individually encrypted and tagged with its sensitivity level (PII, PHI, financial, general).
Request Body
{
"fields": [
{ "name": "ssn", "value": "123-45-6789" },
{ "name": "diagnosis", "value": "Type 2 Diabetes" },
{ "name": "account_balance", "value": "45230.00" },
{ "name": "notes", "value": "Follow-up in 6 months" }
]
}Response
{
"fields": [
{ "name": "ssn", "sensitivity": "pii", "ciphertext_b64": "..." },
{ "name": "diagnosis", "sensitivity": "phi", "ciphertext_b64": "..." },
{ "name": "account_balance", "sensitivity": "financial", "ciphertext_b64": "..." },
{ "name": "notes", "sensitivity": "general", "ciphertext_b64": "..." }
],
"key_id": "key_a1b2c3d4",
"latency_us": 890
}Re-encrypt data under a new key without exposing plaintext. Zero-downtime key rotation for compliance with key lifecycle policies.
Request Body
{
"ciphertext_b64": "...",
"old_key_id": "key_a1b2c3d4",
"new_key_id": "key_e5f6g7h8"
}Response
{
"ciphertext_b64": "...",
"key_id": "key_e5f6g7h8",
"latency_us": 620
}NEW PQ Video
Create a post-quantum encrypted video session. Establishes ML-KEM (Kyber-1024) key exchange and provisions AES-256-GCM encrypted TURN relay. 5 units per minute.
Request Body
{
"participants": ["user_abc", "user_def"],
"security_level": "L3",
"record_transcript": true
}Response
{
"session_id": "vs_abc123",
"turn_url": "turns://relay.h33.ai:443",
"key_exchange": "ml-kem-1024",
"media_cipher": "aes-256-gcm",
"expires_at": "2026-03-04T13:00:00Z",
"units_per_minute": 5
}Generate and sign a transcript for a completed video session using ML-DSA (Dilithium-3). Produces a tamper-evident, court-admissible record. 10 units per minute of transcript.
Request Body
{
"session_id": "vs_abc123",
"format": "json"
}Response
{
"transcript_id": "tx_def456",
"session_id": "vs_abc123",
"duration_seconds": 1800,
"signature_algorithm": "ml-dsa-65",
"signature": "...",
"transcript_hash": "sha3-256:...",
"units_consumed": 300
}Verify the integrity and authenticity of a video session and its transcript. Validates the Dilithium signature chain and media encryption parameters.
Response
{
"session_id": "vs_abc123",
"verified": true,
"key_exchange_valid": true,
"transcript_signature_valid": true,
"media_encryption": "aes-256-gcm",
"pq_algorithms": ["ml-kem-1024", "ml-dsa-65"]
}NEW AI Attack Detection
Detect "harvest now, decrypt later" quantum attacks. Native Rust AI agent analyzes traffic patterns for bulk ciphertext collection signatures. 0.69µs latency.
Request Body
{
"traffic_sample": {
"source_ip": "203.0.113.42",
"request_count": 15000,
"time_window_seconds": 60,
"payload_sizes": [2048, 4096, 2048, 4096],
"encryption_types": ["kyber768", "kyber1024"]
}
}Response
{
"threat_detected": true,
"threat_type": "harvest_now_decrypt_later",
"confidence": 0.94,
"indicators": [
"bulk_ciphertext_collection",
"systematic_key_probing"
],
"recommended_action": "rate_limit",
"latency_us": 0.69
}Detect timing, power, and cache side-channel attack signatures in real-time. Native Rust agent with constant-time analysis. 1.14µs latency.
Request Body
{
"timing_samples": [1023, 1024, 1022, 1089, 1024, 1025],
"operation": "decrypt",
"algorithm": "kyber1024"
}Response
{
"threat_detected": false,
"timing_variance_ns": 2.3,
"cache_pattern": "clean",
"confidence": 0.99,
"latency_us": 1.14
}Continuous assessment of cryptographic parameter health. Monitors algorithm strength, key freshness, and emerging quantum threat levels. 0.52µs latency.
Request Body
{
"algorithms_in_use": ["kyber1024", "dilithium3", "aes256gcm"],
"key_ages_days": { "kyber1024": 30, "dilithium3": 15 },
"security_level": "L3"
}Response
{
"overall_health": "strong",
"score": 97,
"algorithm_status": {
"kyber1024": { "status": "strong", "nist_level": 5 },
"dilithium3": { "status": "strong", "nist_level": 3 },
"aes256gcm": { "status": "strong", "quantum_safe": true }
},
"recommendations": [],
"latency_us": 0.52
}NEW Encrypted Search
Search over encrypted data without decryption. FHE-powered keyword matching on ciphertext. Supports boolean queries (AND, OR, NOT) on encrypted fields.
Request Body
{
"index_id": "idx_medical_records",
"query": {
"type": "boolean",
"must": ["diabetes"],
"should": ["insulin"],
"must_not": ["deceased"]
},
"max_results": 50
}Response
{
"results": [
{
"doc_id": "doc_abc123",
"score": 0.95,
"matched_fields": ["diagnosis", "medication"],
"ciphertext_snippet_b64": "..."
}
],
"total_matches": 142,
"plaintext_exposed": false,
"latency_ms": 12.4
}Build or update an encrypted search index. Data is encrypted using FHE before indexing. Supports keyword and CKKS embedding-based similarity indexes.
Request Body
{
"index_id": "idx_medical_records",
"index_type": "keyword",
"documents": [
{
"doc_id": "doc_abc123",
"fields": {
"diagnosis": "Type 2 Diabetes",
"medication": "Metformin 500mg"
}
}
]
}Response
{
"index_id": "idx_medical_records",
"documents_indexed": 1,
"total_documents": 50432,
"index_type": "keyword",
"encryption": "bfv-64",
"latency_ms": 45.2
}Run a privacy-preserving similarity query on CKKS encrypted embeddings. Returns ranked results by cosine similarity without decrypting the index.
Query Parameters
GET /v1/search/query?index_id=idx_embeddings&embedding_b64=...&top_k=10Response
{
"results": [
{ "doc_id": "doc_xyz", "similarity": 0.89 },
{ "doc_id": "doc_abc", "similarity": 0.84 }
],
"index_type": "ckks_similarity",
"plaintext_exposed": false,
"latency_ms": 8.7
}Biometrics FHE
Privacy-preserving biometric authentication using FHE-encrypted templates. Biometric data never leaves encryption.
Enroll an FHE-encrypted biometric template for a user. Template is encrypted before storage -- raw biometric data is never persisted.
Request
{
"user_id": "user_123",
"template": "base64...",
"modality": "face"
}
Response
{
"enrollment_id": "enr_abc123",
"modality": "face",
"encrypted": true,
"template_size_kb": 0.25
}
Verify a user's identity against their enrolled FHE-encrypted template. Comparison is performed entirely in the encrypted domain.
Request
{
"user_id": "user_123",
"sample": "base64..."
}
Response
{
"verified": true,
"confidence": 0.9987,
"latency_us": 36
}
Compute a raw encrypted similarity score between two biometric templates without decryption.
Request
{
"template_a": "base64...",
"template_b": "base64..."
}
Response
{
"similarity": 0.9847,
"threshold": 0.85,
"match": true
}
Configure the match threshold for a specific biometric modality. Adjusts the confidence cutoff for verify and match operations.
Request
{
"modality": "face",
"threshold": 0.90
}
Response
{
"modality": "face",
"threshold": 0.90,
"previous": 0.85
}
H33-Vault PQC
Document validation and blockchain attestation with FHE encryption and SHA3 proof-of-integrity.
Validate document integrity against a schema. Returns SHA3 hash and cryptographic proof of field verification.
Request
{
"document": "base64...",
"schema": "identity_v2"
}
Response
{
"valid": true,
"hash": "sha3_abc...",
"proof": "base64...",
"fields_verified": 12
}
Create a blockchain attestation for a document hash. Submits the proof-of-integrity to the specified chain.
Request
{
"hash": "sha3_abc...",
"chain": "solana"
}
Response
{
"attestation_id": "att_xyz789",
"chain": "solana",
"tx_hash": "5KpR...",
"status": "pending"
}
Check the confirmation status of a blockchain attestation.
Response
{
"attestation_id": "att_xyz789",
"status": "confirmed",
"confirmations": 32,
"block": 281473900
}
Retrieve the full audit trail for a document, including all validations and attestations within a date range.
Request
{
"document_hash": "sha3_abc...",
"from": "2026-01-01",
"to": "2026-03-07"
}
Response
{
"events": [
{
"action": "validate",
"timestamp": "2026-03-07T06:00:00Z",
"actor": "key_abc"
},
{
"action": "attest",
"timestamp": "2026-03-07T06:01:00Z",
"chain": "solana"
}
],
"total": 2
}
H33-Shield PQC
Post-quantum secret management with Kyber-1024 encryption, zero-knowledge verification, and Dilithium-signed audit trails.
Store an encrypted secret. Plaintext is encrypted client-side with Kyber-1024 KEM before transmission. Server never sees the raw secret.
Request
{
"name": "stripe_live_key",
"value": "sk_live_abc123...",
"provider": "stripe",
"environment": "production",
"vault": "Default Vault",
"rotation_policy": "90d",
"tags": ["payment", "critical"]
}
Response
{
"id": "uuid",
"name": "stripe_live_key",
"provider": "stripe",
"masked_display": "sk_live_abc•••••••••",
"key_prefix": "sk_live_",
"encryption": "kyber-1024",
"status": "active",
"created_at": "2026-03-08T..."
}
List secrets in a vault. Returns metadata only โ no decrypted values.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
vault |
string | Optional | Filter by vault name |
provider |
string | Optional | Filter by provider |
status |
string | Optional | Filter by status (default: active) |
Response
{
"secrets": [
{
"id": "uuid",
"name": "stripe_live_key",
"provider": "stripe",
"environment": "production",
"masked_display": "sk_live_abc•••••••••",
"status": "active",
"rotation_due_at": "2026-06-08T...",
"version": 1
}
],
"total": 12
}
Retrieve a decrypted secret. Decryption requires the Kyber private key. Logged in audit trail with Dilithium signature.
Response
{
"id": "uuid",
"name": "stripe_live_key",
"value": "sk_live_abc123def456...",
"provider": "stripe",
"encryption": "kyber-1024",
"retrieved_at": "2026-03-08T..."
}
Zero-knowledge key verification. The secret value is NEVER sent. Client computes HMAC-SHA3-256(secret, salt+challenge) and sends only the proof. Server verifies mathematical equivalence.
Request
{
"secret_id": "uuid",
"hmac_proof": "base64-encoded-hmac-sha3-digest",
"challenge": "server-issued-nonce"
}
Response
{
"verified": true,
"algorithm": "HMAC-SHA3-256",
"proof_valid": true,
"secret_id": "uuid",
"verified_at": "2026-03-08T..."
}
Rotate a secret with new value. Creates a new version and updates the rotation schedule.
Request
{
"secret_id": "uuid",
"new_value": "sk_live_new789...",
"rotation_policy": "90d"
}
Response
{
"id": "uuid-new-version",
"name": "stripe_live_key",
"version": 2,
"previous_version_id": "uuid-old",
"rotation_policy": "90d",
"next_rotation_due": "2026-06-08T...",
"rotated_at": "2026-03-08T..."
}
Get audit trail for secrets. Every entry is signed with Dilithium-3 (ML-DSA-65). Signatures can be independently verified for tamper detection.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
secret_id |
string | Optional | Filter by secret ID |
action |
string | Optional | Filter by action type |
limit |
integer | Optional | Number of entries (default: 50) |
offset |
integer | Optional | Pagination offset (default: 0) |
Response
{
"entries": [
{
"id": "uuid",
"action": "store",
"secret_id": "uuid",
"result": "success",
"units_consumed": 3,
"ip_address": "203.0.113.1",
"dilithium_sig": "base64...",
"created_at": "2026-03-08T..."
}
],
"total": 47
}
H33-Health PQC
Post-quantum HIPAA compliance with Kyber-encrypted PHI storage, ZK eligibility verification, FHE computation, and Dilithium-signed audit trails.
Create a validation session and acquire an optimistic lock. Sessions expire automatically after the configured TTL.
Request
{
"contract_id": "contract_abc123",
"user_id": "user_xyz789"
}
Response
{
"session_id": "sess_h33health_abc123",
"lock_token": "ltk_9f8e7d6c5b4a...",
"expires_at": "2026-03-09T12:30:00Z"
}
x-lock-token header when releasing the session. Locks auto-expire after TTL.Batch audit event ingestion for HIPAA §164.312(b) compliance. Every event is Dilithium-signed and immutably logged.
Request
{
"events": [
{
"session_id": "sess_h33health_abc123",
"field_id": "patient_ssn",
"action": "view",
"actor": "user_xyz789",
"timestamp": "2026-03-09T12:00:05Z"
}
]
}
Response
{
"accepted": 1,
"session_id": "sess_h33health_abc123",
"signature": "dilithium3_base64..."
}
Submit e-signature attestation with on-chain Solana anchoring. Creates an immutable record of validation results and reviewer signature.
Request
{
"session_id": "sess_h33health_abc123",
"validation_results": {
"fields_validated": 42,
"passed": 41,
"flagged": 1
},
"signature_name": "Dr. Jane Smith",
"reviewer_user_id": "user_reviewer_456"
}
Response
{
"transaction_hash": "5xYz...solana_tx_hash",
"status": "confirmed"
}
Check BAA (Business Associate Agreement) gate status for a user. Returns whether the user is allowed to access PHI and a link to accept the BAA if needed.
Response
{
"allowed": false,
"reason": "BAA not signed",
"baa_acceptance_url": "https://app.h33.ai/health/baa/accept?user_id=user_xyz789"
}
Release a session lock. Requires the x-lock-token header matching the token returned from session creation.
Headers
| Header | Type | Required | Description |
|---|---|---|---|
x-lock-token |
string | Required | Lock token from session creation |
Response
{
"released": true,
"session_id": "sess_h33health_abc123"
}
Health check endpoint. No authentication required. Returns service status, version, and uptime.
Response
{
"status": "ok",
"version": "1.0.0",
"uptime_secs": 86412
}
H33-Key PQC
Universal post-quantum key encryption. Encrypt any key wherever it lives — database credentials, SSH keys, API tokens, TLS certificates — with Kyber-1024 post-quantum cryptography.
Encrypt any key material with Kyber-1024 post-quantum KEM. Returns the encrypted blob, KEM ciphertext, and HMAC digest for integrity verification.
Request
{
"key_material": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...",
"label": "prod-db-readonly",
"tier": "key-1"
}
Response
{
"id": "key_9f8e7d6c5b4a...",
"encrypted": "kyber1024_base64...",
"kem_ct": "kem_ciphertext_base64...",
"hmac_digest": "sha3_256_base64..."
}
Decrypt key material. Pass either the key ID for server-side lookup, or the raw encrypted blob and KEM ciphertext for stateless decryption.
Request
{
"id": "key_9f8e7d6c5b4a..."
}
Response
{
"plaintext": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...",
"verified": true
}
Verify HMAC-SHA3-256 integrity of encrypted key material without decrypting. Detects tampering or corruption without exposing the plaintext.
Request
{
"id": "key_9f8e7d6c5b4a..."
}
Response
{
"valid": true,
"checked_at": "2026-03-09T14:22:00Z"
}
valid returns false.Wrap existing key material under a post-quantum envelope. Envelope rotation does not require re-encrypting the underlying key.
Request
{
"key_material": "AES-256-GCM-KEY-base64...",
"wrapping_tier": "key-2"
}
Response
{
"wrapped_key_id": "wk_3a2b1c0d...",
"envelope_version": 1
}
Rotate the post-quantum envelope wrapping a key. The underlying key material is not re-encrypted — only the outer envelope is replaced with a fresh Kyber KEM.
Request
{
"wrapped_key_id": "wk_3a2b1c0d..."
}
Response
{
"new_envelope_version": 2,
"rotated_at": "2026-03-09T14:30:00Z"
}
Retrieve the full Dilithium-signed provenance chain for a key. Every creation, rotation, wrap, and access event is cryptographically signed.
Response
{
"chain": [
{
"event": "created",
"timestamp": "2026-03-09T10:00:00Z",
"actor": "user_abc123",
"signature": "dilithium3_base64..."
},
{
"event": "envelope_rotated",
"timestamp": "2026-03-09T14:30:00Z",
"actor": "user_abc123",
"envelope_version": 2,
"signature": "dilithium3_base64..."
}
],
"dilithium_signature": "dilithium3_chain_sig_base64..."
}
dilithium_signature covers the entire chain for tamper detection.H33-Gateway PQC
TEE-backed API gateway proxy. Route third-party API calls through a Nitro Enclave so your infrastructure never touches plaintext keys. Configure targets, set rate limits, and proxy calls with full attestation.
Proxy an API call through the TEE. Your infrastructure never touches the plaintext key.
Request
{
"key_id": "hk_abc123",
"target_id": "stripe-api",
"method": "POST",
"path": "/v1/charges",
"headers": { "Content-Type": "application/json" },
"body": { "amount": 2000, "currency": "usd" }
}
Response
{
"status": 200,
"headers": { "content-type": "application/json" },
"body": { "id": "ch_1abc...", "amount": 2000, "status": "succeeded" },
"proxy_latency_ms": 12,
"tee_attestation": "nitro_enclave_v3"
}
tee_attestation field confirming the request was processed inside a Nitro Enclave. Your plaintext key never leaves the enclave boundary.Configure a third-party API target for the TEE proxy.
Request
{
"target_id": "stripe-api",
"base_url": "https://api.stripe.com",
"auth_header": "Authorization",
"auth_template": "Bearer {{key}}",
"allowed_paths": ["/v1/charges", "/v1/customers", "/v1/payment_intents"],
"rate_limit": 1000
}
Response
{
"target_id": "stripe-api",
"status": "configured",
"created_at": "2026-03-09T12:00:00Z"
}
List all configured proxy targets.
Response
{
"targets": [
{
"target_id": "stripe-api",
"base_url": "https://api.stripe.com",
"allowed_paths": ["/v1/charges", "/v1/customers"],
"status": "active",
"total_proxied": 14523
}
]
}
Key-FHE FHE
Fully homomorphic key verification. Register encrypted keys and verify them without ever decrypting — powered by BFV FHE with H33-128 security parameters.
Register an encrypted key for FHE verification. Server stores the ciphertext in FHE-compatible form.
Request
{
"key_id": "hk_abc123",
"purpose": "api_authentication",
"allowed_verifiers": ["org_stripe", "org_aws"]
}
Response
{
"enrollment_id": "fhe_enroll_xyz789",
"key_id": "hk_abc123",
"fhe_params": { "scheme": "BFV", "n": 4096, "security": "H33-128" },
"status": "enrolled"
}
Submit an encrypted key for FHE comparison against a registered key. The key is never decrypted.
Request
{
"enrollment_id": "fhe_enroll_xyz789",
"encrypted_key": "base64_kyber_ciphertext...",
"challenge": "nonce_abc123"
}
Response
{
"match": true,
"confidence": 1.0,
"fhe_compute_us": 36,
"key_status": "active",
"dilithium_signature": "sig_..."
}
Get a verification nonce for replay protection.
Response
{
"challenge": "nonce_abc123",
"expires_at": "2026-03-09T12:05:00Z",
"ttl_seconds": 300
}
Key Lifecycle PQC
Key revocation, rotation, and status management. Revoke compromised keys instantly, rotate to fresh material with grace periods, and audit key status in real time.
Revoke a key ID. All future operations for this key will be refused.
Request
{
"key_id": "hk_compromised123",
"reason": "potential_exposure",
"notify_webhook": true
}
Response
{
"key_id": "hk_compromised123",
"status": "revoked",
"revoked_at": "2026-03-09T12:00:00Z",
"affected_operations": 0
}
403 Key Revoked.Rotate key to new material with a new key ID. Old key gets a grace period.
Request
{
"key_id": "hk_abc123",
"new_key_material": "sk_live_new...",
"tier": "key-1",
"grace_period_seconds": 3600
}
Response
{
"new_key_id": "hk_def456",
"old_key_id": "hk_abc123",
"old_key_status": "rotated",
"grace_period_ends": "2026-03-09T13:00:00Z",
"new_ciphertext": "base64_kyber_ciphertext..."
}
expired and all operations are refused.Check the status of a key ID.
Response
{
"key_id": "hk_abc123",
"status": "active",
"tier": "key-1",
"created_at": "2026-03-01T00:00:00Z",
"last_used": "2026-03-09T11:55:00Z",
"total_operations": 14523,
"rotated_to": null,
"revoked_at": null
}
FHE-IQ FHE
Automatic FHE parameter selection and optimization. Get optimal security parameters for your workload without cryptographic expertise.
Auto-select optimal FHE parameters for your workload and security requirements. Returns recommended scheme, ring dimension, and modulus.
Request
{
"workload": "biometric_match",
"security_level": 128,
"max_latency_ms": 50
}
Response
{
"scheme": "bfv",
"n": 4096,
"q_bits": 56,
"t": 65537,
"security_level": 128,
"estimated_latency_ms": 36
}
Optimize existing FHE parameters for a specific target (latency or security). Returns improved parameters with tradeoff analysis.
Request
{
"current_params": {
"n": 8192,
"q_bits": 218
},
"target": "latency",
"constraint_ms": 100
}
Response
{
"optimized": {
"n": 4096,
"q_bits": 56
},
"improvement": "4.2x faster",
"tradeoff": "security_level 256->128"
}
Benchmark different FHE parameter selections. Returns latency measurements for encrypt, decrypt, and multiply operations across configurations.
Response
{
"benchmarks": [
{
"params": "N=4096,Q=56bit",
"encrypt_us": 120,
"decrypt_us": 95,
"multiply_us": 340
},
{
"params": "N=8192,Q=218bit",
"encrypt_us": 890,
"decrypt_us": 720,
"multiply_us": 2800
}
]
}