H33 Docs Key SDK
SDK Guide Post-Quantum 2026-03-09

Key SDK
Integration Guide

Encrypt, decrypt, and verify API keys and secrets in place. Proxy API calls through a TEE gateway so plaintext keys never touch your infrastructure. Single npm package, single API key, four language SDKs.

4
Tiers
4
Languages
TEE
Gateway
PQ
Secure

Overview

The H33-Key SDK encrypts, decrypts, and verifies API keys and secrets in place — replacing plaintext credentials with post-quantum ciphertext wherever they live. A single npm install (or pip install, go get, cargo add) gives you access to the full H33-Key pipeline: Kyber-1024 envelope encryption, AES-256-GCM symmetric encryption, HMAC-SHA3 integrity verification, and Dilithium digital signatures for cryptographic provenance.

How It Works

Encrypt in place, decrypt at point of use. Your Stripe key, database password, or SSH credential gets replaced with a ciphertext blob. When your app needs the plaintext, the SDK decrypts it on demand — or the H33-Gateway (TEE) proxies the API call so the plaintext never leaves the secure enclave.

For companies integrating Key-FHE into their platform (e.g., verifying incoming API keys without seeing them), the server-side SDK provides FHE-based key comparison — the same BFV homomorphic encryption engine that powers H33 Biometrics, applied to key verification.

STEP 1
Encrypt Key Material
Wrap your plaintext key with Kyber-1024 + AES-256-GCM. Returns a ciphertext blob and a unique key ID (hk_*). Store the ciphertext wherever the plaintext used to live.
Kyber-1024 AES-256-GCM
STEP 2
Decrypt at Point of Use
When your application needs the plaintext, call h33.decrypt({ keyId }). The key is decrypted in memory, used, then zeroed. Optional TTL auto-expires keys after N seconds.
On-Demand Auto-Zero
STEP 3
Proxy via TEE Gateway (Optional)
Instead of decrypting, route API calls through H33-Gateway running in AWS Nitro Enclaves. The plaintext key exists only inside the enclave — your infrastructure never sees it.
Nitro Enclaves Remote Attestation
STEP 4
Verify via FHE (Server-Side)
Platforms accepting API keys can verify incoming encrypted keys via BFV homomorphic comparison — without ever decrypting. Cryptographic match result with ZK proof.
BFV FHE ZK Proof

Quick Start

Install the SDK and encrypt your first key in under 60 seconds.

Terminal install 
npm install @h33/key-sdk
JavaScript encrypt-key.js 
import { H33Key } from '@h33/key-sdk';

const h33 = new H33Key({ apiKey: 'h33_key_...' });

// Encrypt a key in place
const { ciphertext, keyId } = await h33.encrypt({
  keyMaterial: process.env.STRIPE_SECRET_KEY,
  tier: 'key-0',  // or key-1, key-2, key-3
  ttl: 300        // auto-zero after 5 minutes
});

// Store ciphertext wherever the plaintext used to live
process.env.STRIPE_SECRET_KEY = ciphertext;

// Decrypt at point of use
const plaintext = await h33.decrypt({ keyId });
Tier Selection

Key-0: Kyber + AES-256-GCM (encrypt/decrypt only). Key-1: adds HMAC-SHA3 integrity verification. Key-2: adds envelope wrapping + rotation. Key-3: adds Dilithium-signed provenance chain. Choose based on your compliance requirements.

Server-Side Integration

This section is for companies integrating Key-FHE into their platform — services that accept API keys from customers and need to verify them without seeing plaintext. Think GitLab verifying deploy tokens, AWS verifying access keys, or payment processors verifying merchant credentials.

JavaScript server-fhe-verify.js 
import { H33KeyServer } from '@h33/key-sdk/server';

const server = new H33KeyServer({ apiKey: 'h33_key_...' });

// Register accepted keys (FHE enrollment)
const { enrollmentId } = await server.fhe.register({
  keyId: 'hk_abc123',
  purpose: 'api_authentication'
});

// Verify incoming encrypted key via FHE
const { match, confidence } = await server.fhe.verify({
  enrollmentId,
  encryptedKey: incomingCiphertext,
  challenge: await server.fhe.getChallenge()
});

// Handle revocation callbacks
server.onRevocation((event) => {
  console.log(`Key ${event.keyId} revoked: ${event.reason}`);
  // Invalidate sessions using this key
});
FHE Key Verification

The FHE verification path uses the same BFV engine that powers H33 Biometrics. The incoming encrypted key is compared homomorphically against the enrolled key — the server never sees either key in plaintext. Match results include a ZK proof and optional Dilithium attestation.

Gateway Configuration

The H33-Gateway is a TEE-based proxy that makes API calls on your behalf. Instead of decrypting a key and calling Stripe directly, your app sends the request to H33-Gateway — which decrypts the key inside an AWS Nitro Enclave, calls Stripe, and returns the response. Your infrastructure never sees the plaintext key.

JavaScript gateway-config.js 
// Configure a proxy target
await h33.gateway.configure({
  targetId: 'stripe-api',
  baseUrl: 'https://api.stripe.com',
  authHeader: 'Authorization',
  authTemplate: 'Bearer {{key}}',
  allowedPaths: ['/v1/charges', '/v1/customers', '/v1/payment_intents']
});

// Make a proxied API call — your infra never sees the plaintext key
const response = await h33.gateway.proxy({
  targetId: 'stripe-api',
  keyId: 'hk_abc123',
  method: 'POST',
  path: '/v1/charges',
  body: { amount: 2000, currency: 'usd' }
});

Gateway Flow

Your App
encrypted key
H33-Gateway
Nitro Enclave (TEE)
Stripe API
plaintext inside TEE only
Response
back to your app
Important

The plaintext key exists only inside the secure enclave. H33-Gateway performs remote attestation on every boot to prove the enclave is running unmodified code. The attestation document is available via GET /v1/key/gateway/attestation.

Language SDKs

H33-Key ships SDKs for four languages. All SDKs share the same API surface and connect to the same backend.

JS
Node.js
npm install @h33/key-sdk
JavaScript 
import { H33Key } from '@h33/key-sdk';

const h33 = new H33Key({ apiKey: 'h33_key_...' });
const result = await h33.encrypt({
  keyMaterial: process.env.STRIPE_SECRET_KEY,
  tier: 'key-0'
});
PY
Python
pip install h33-key-sdk
Python 
from h33_key import H33Key
import os

h33 = H33Key(api_key="h33_key_...")
result = h33.encrypt(
    key_material=os.environ["DB_PASSWORD"],
    tier="key-1"
)
GO
Go
go get github.com/h33-ai/key-sdk-go
Go 
client := h33key.New("h33_key_...")
result, _ := client.Encrypt(ctx, h33key.EncryptInput{
    KeyMaterial: os.Getenv("DB_PASSWORD"),
    Tier: "key-1",
})
RS
Rust
cargo add h33-key-sdk
Rust 
let client = H33Key::new("h33_key_...")?;
let result = client.encrypt(EncryptInput {
    key_material: std::env::var("DB_PASSWORD")?,
    tier: Tier::Key1,
    ttl: Some(300),
}).await?;

Docker Sidecar

For environments you cannot modify (legacy apps, third-party containers), deploy the H33-Key sidecar as a companion container. It intercepts environment variables, decrypts them at startup, and makes plaintext available via a Unix socket — your app code stays unchanged.

YAML docker-compose.yml 
# docker-compose.yml
services:
  h33-key-sidecar:
    image: h33ai/key-sidecar:latest
    environment:
      H33_API_KEY: h33_key_...
      H33_KEY_TIER: key-1
      H33_DECRYPT_ENV: STRIPE_KEY,DB_PASSWORD,SSH_KEY
    volumes:
      - /var/run/h33:/var/run/h33

  your-app:
    image: your-app:latest
    volumes:
      - /var/run/h33:/var/run/h33
    environment:
      # These will be auto-decrypted by the sidecar
      STRIPE_KEY: "${ENCRYPTED_STRIPE_KEY}"
      DB_PASSWORD: "${ENCRYPTED_DB_PASSWORD}"
How the Sidecar Works

The sidecar reads the H33_DECRYPT_ENV list, calls h33.decrypt() for each key, and exposes the plaintext via a Unix socket at /var/run/h33/keys.sock. Your app reads from the socket instead of environment variables. The sidecar re-encrypts and zeroes memory after the TTL expires.

CI/CD Integration

Decrypt keys at deploy time without storing plaintext in your CI/CD platform. H33 provides native integrations for GitHub Actions, GitLab CI, and Jenkins.

GitHub Actions

YAML .github/workflows/deploy.yml 
- name: Decrypt deploy keys
  uses: h33-ai/key-decrypt-action@v1
  with:
    api-key: ${{ secrets.H33_API_KEY }}
    keys: |
      DEPLOY_KEY=hk_abc123
      DB_PASSWORD=hk_def456

GitLab CI

YAML .gitlab-ci.yml 
decrypt_keys:
  image: h33ai/key-cli:latest
  script:
    - h33-key decrypt --key-id $DEPLOY_KEY_ID --output DEPLOY_KEY
    - h33-key decrypt --key-id $DB_PASS_ID --output DB_PASSWORD

Jenkins

Groovy Jenkinsfile 
pipeline {
  environment {
    DEPLOY_KEY = h33KeyDecrypt(keyId: 'hk_abc123')
  }
}
Security Note

Store your H33_API_KEY in your CI/CD platform's secrets manager (GitHub Secrets, GitLab CI Variables, Jenkins Credentials). Never hardcode it in pipeline files. The H33 API key itself can be encrypted with a higher-tier key for defense in depth.

Revocation & Rotation

Every encrypted key gets a unique ID (hk_*) that serves as the handle for lifecycle management. Revoke compromised keys instantly, rotate to new material with grace periods, and monitor status via webhooks.

  • Revoke: Mark a key ID as revoked — all future decrypt() and verify() calls return REVOKED.
  • Rotate: Generate a new Kyber envelope and key ID. The old ID gets a configurable grace period, then auto-revokes.
  • Status: GET /v1/key/status/:id returns active, rotated, or revoked.
  • Webhooks: Real-time notifications for revocation, rotation, and expiry events.
JavaScript lifecycle.js 
// Revoke a compromised key
await h33.revoke({
  keyId: 'hk_compromised123',
  reason: 'potential_exposure'
});

// Rotate to new key material
const { newKeyId, oldKeyId, gracePeriod } = await h33.rotate({
  keyId: 'hk_abc123',
  newKeyMaterial: generateNewApiKey(),
  gracePeriodSeconds: 3600  // 1 hour overlap
});
Revocation Is Immediate

When you call h33.revoke(), the key is immediately marked as revoked in the H33 Key Registry. Any in-flight decrypt() or gateway.proxy() calls using that key ID will fail with a KEY_REVOKED error. There is no undo — revocation is permanent. Use rotate() with a grace period if you need overlap.

Security Model

H33-Key is built on NIST-standardized post-quantum cryptography. Every layer is designed to resist both classical and quantum attacks.

Cryptographic Stack

  • Kyber-1024 (ML-KEM): NIST-standardized post-quantum key encapsulation mechanism (lattice-based). Used for envelope encryption of key material.
  • AES-256-GCM: Symmetric encryption for the key material itself. Authenticated encryption with associated data (AEAD).
  • HMAC-SHA3: Integrity verification for Key-1+ tiers. Detects tampering or bit-flip attacks on ciphertexts.
  • Dilithium (ML-DSA): Post-quantum digital signatures for cryptographic provenance (Key-3). Every operation gets a Dilithium-signed timestamp.
  • TEE Attestation: H33-Gateway runs in AWS Nitro Enclaves with remote attestation. The enclave proves it is running unmodified H33 code before any key is decrypted.
  • FHE Parameters: BFV scheme, N=4096, 56-bit modulus (H33-128 security level). Used for server-side key comparison without decryption.
  • Audit Trail: Every encrypt, decrypt, verify, revoke, and rotate operation is logged with Dilithium-signed timestamps. Immutable and tamper-evident.
  • Key Registry: Server-side revocation authority (analogous to CRL/OCSP for X.509). Instant revocation propagation across all SDK instances.

API Reference

Complete reference for all H33-Key API endpoints. All endpoints require an Authorization: Bearer h33_key_... header.

Key Operations

Method Endpoint Tier Units Description
POST /v1/key/encrypt Key-0+ 3-25 Encrypt key material
POST /v1/key/decrypt Key-0+ 3-25 Decrypt key material
POST /v1/key/verify Key-1+ 8+ Verify integrity (HMAC)
POST /v1/key/wrap Key-2+ 15+ Wrap key with envelope
POST /v1/key/rotate-envelope Key-2+ 15 Rotate envelope key
POST /v1/key/provenance Key-3 25 Get Dilithium-signed chain

Gateway

Method Endpoint Tier Units Description
POST /v1/key/gateway/proxy Gateway 35 Proxy API call via TEE
POST /v1/key/gateway/configure Gateway 0 Configure proxy target
GET /v1/key/gateway/targets Gateway 0 List proxy targets

FHE Verification

Method Endpoint Tier Units Description
POST /v1/key/fhe/register FHE 50 Register key for FHE
POST /v1/key/fhe/verify FHE 50 FHE key comparison
GET /v1/key/fhe/challenge FHE 0 Get verification nonce

Lifecycle

Method Endpoint Tier Units Description
POST /v1/key/revoke All 0 Revoke a key ID
POST /v1/key/rotate All varies Rotate to new material
GET /v1/key/status/:id All 0 Check key status