Two interfaces, one CA: a REST API for portal-style integrations and a full RFC 8555 ACME directory for automated lifecycle management. Every algorithm offered is FIPS 204 / 205 / 206 compliant.
Register at ca.quantumsecure.app and exchange your credentials for a JWT via the OAuth2 password flow.
Confirm reachability and discover supported PQC algorithms — no auth required.
curl https://ca.quantumsecure.app/api/v1/crypto/algorithms
| Algorithm | NIST level | Spec | Signature size | Use case |
|---|---|---|---|---|
| ML-DSA-44 | 2 | FIPS 204 | ~2.4 KB | Constrained / IoT |
| ML-DSA-65 (default) | 3 | FIPS 204 | ~3.3 KB | General-purpose TLS |
| ML-DSA-87 | 5 | FIPS 204 | ~4.6 KB | High-security / long-life |
| Falcon-512 | 1 | FIPS 206 (draft) | ~666 B | Bandwidth-sensitive TLS |
| Falcon-1024 | 5 | FIPS 206 (draft) | ~1.3 KB | High-security, compact |
| SLH-DSA-SHA2-128s | 1 | FIPS 205 | ~7.9 KB | Hash-based fallback / code signing |
The same list is served live at /api/v1/crypto/algorithms and is the source of truth for clients and SDKs.
/api/v1/crypto/algorithmsList supported PQC signature algorithms with NIST level, OID, and recommended-default flag.
/api/v1/auth/loginExchange email + password for a short-lived JWT bearer token.
/api/v1/ordersCreate a certificate order (basic, premium, enterprise_ev, wildcard, multi_domain, code_signing).
/api/v1/orders/{order_number}/validateTrigger HTTP-01 / DNS-01 domain control validation for an order.
/api/v1/certificates/issueIssue a certificate against a validated order. Returns the leaf, classical chain, and PQC alt-signature payload.
/api/v1/certificates/{id}/downloadDownload the PEM bundle (leaf || intermediate(s) || root).
/api/v1/certificates/{id}/renewIssue a fresh certificate with the same SAN list and a new key pair.
/api/v1/certificates/{id}/revokeRevoke a certificate; the next CRL/OCSP refresh propagates the status.
/api/v1/verifyStateless verification of a PEM certificate including hybrid PQC alt-signature checks.
/acme/directoryRFC 8555 ACME directory entry-point. Hosted on api.quantumsecure.app for clients (certbot, acme.sh, lego).
QuantumSecure speaks vanilla ACME with classical keys, plus the PQC extensions described in our IETF draft draft-quantumsecure-acme-pqc-00. certbot, acme.sh, lego, and Caddy all work out of the box for classical-only mode; PQC mode uses a JWS with kty=PQC and alg=ML-DSA-65 (or the algorithm of your choice).
GET https://api.quantumsecure.app/acme/directory
# 1. Authenticate
curl -X POST https://ca.quantumsecure.app/api/v1/auth/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=you@example.com&password=YOUR_PASSWORD"
# => { "access_token": "eyJhbGciOi...", "token_type": "bearer" }
# 2. List supported algorithms (no auth required)
curl https://ca.quantumsecure.app/api/v1/crypto/algorithms
# 3. Create an order
curl -X POST https://ca.quantumsecure.app/api/v1/orders \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"certificate_type": "basic",
"common_name": "api.example.com",
"subject_alt_names": ["api.example.com", "www.example.com"],
"algorithm": "ML-DSA-65",
"validity_days": 365
}'
# 4. Issue once domain validation has completed
curl -X POST https://ca.quantumsecure.app/api/v1/certificates/issue \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{ "order_number": "ORD-20260418-AB12" }'Looking for conceptual guidance instead of API specs? Visit the Help Center.