Getting Started with QuantaSeal
Integrate NIST FIPS 203/204/205 post-quantum cryptography - ML-KEM-768, ML-DSA-65, AES-256-GCM - into your applications in minutes.
Overview#
QuantaSeal is a Universal Bidirectional Quantum-Safe Security Middleware Platform. It acts as an encryption proxy between enterprise systems, applying post-quantum cryptography to protect data in transit, at rest, and in use.
- ML-KEM-768 (NIST FIPS 203 Level 3) - key encapsulation + AES-256-GCM hybrid encryption
- ML-DSA-65 (NIST FIPS 204 Level 3) - digital signatures + HMAC-SHA-512
- 40+ adapters - Salesforce, SAP, Kafka, AWS, Okta, PostgreSQL, and more
- 9 compliance frameworks - SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, NIST CSF, FedRAMP, APRA, NIST 800-53
https://api.quantaseal.io/api/v2/Quick Start#
Get quantum-safe encryption running in 4 steps.
Postman Collection
Pre-built collection covering vault seal, unseal, proxy, encrypt, decrypt — with test scripts that assert NIST algorithm names.
1. Get Your API Key
Sign up at app.quantaseal.io and retrieve your API key from Settings → API Keys.
export QUANTASEAL_API_KEY="qs_live_your_key_here"2. Install the SDK
# Python
pip install quantaseal
# Node.js
npm install @quantaseal/sdk
# Go
go get github.com/quantaseal/sdk-go
# CLI (binary: quantaseal, alias: qs)
npm install -g @quantaseal/cli
# MCP Server (Claude Desktop / remote agents)
npm install -g @quantaseal/mcp-server3. Initialize the Client
import os
from quantaseal import QuantaSealClient
client = QuantaSealClient(api_key=os.getenv("QUANTASEAL_API_KEY"))import { QuantaSealClient } from '@quantaseal/sdk';
const client = new QuantaSealClient({
apiKey: process.env.QUANTASEAL_API_KEY,
});4. Encrypt with ML-KEM-768
result = client.encryption.encrypt(
data="sensitive_customer_data",
algorithm="ML-KEM-768", # NIST FIPS 203 Level 3
)
print(result.ciphertext_kem) # base64 ML-KEM-768 ciphertext (1088 bytes)
print(result.algorithm) # "ML-KEM-768"
# Decrypt
plaintext = client.encryption.decrypt(
ciphertext_kem=result.ciphertext_kem,
ciphertext_data=result.ciphertext_data,
nonce=result.nonce,
)Your data is now quantum-safe. You are encrypting with NIST FIPS 203 ML-KEM-768 + AES-256-GCM and signing with NIST FIPS 204 ML-DSA-65 + HMAC-SHA-512.
Authentication#
All API requests require authentication via an API key in the X-API-Key header. JWT tokens from /auth/login use Authorization: Bearer.
# API key header
X-API-Key: qs_live_your_key_here
# curl example
curl https://api.quantaseal.io/api/v2/vault/list \
-H "X-API-Key: qs_live_your_key_here"QUANTASEAL_API_KEY environment variable. Keys are stored as bcrypt hashes - QuantaSeal cannot recover a lost key.SDKs Overview#
All five official clients authenticate with QUANTASEAL_API_KEY and handle token refresh, retries, and type-safe request/response models automatically.
Python SDK
pip install quantasealNode.js SDK
npm install @quantaseal/sdkGo SDK
go get github.com/quantaseal/sdk-goCLI (qs)
npm install -g @quantaseal/cliMCP Server
npm install -g @quantaseal/mcp-serverSee full SDK documentation for feature comparison and complete examples.
Vault#
QuantaVault stores credentials with 3-layer PQC encryption: ML-KEM-768 key encapsulation → AWS KMS wrap → AES-256-GCM. Every seal and unseal is logged to the immutable audit hash chain.
# Seal (store) a credential
entry = client.vault.seal(
name="stripe-production-key",
credential_type="api_key",
values={"key": "sk_live_abc123..."},
ttl_days=90, # optional auto-expire
)
print(entry.credential_id) # UUID to retrieve later
# Unseal (retrieve and decrypt)
credential = client.vault.unseal(entry.credential_id)
print(credential["key"]) # sk_live_abc123...
# Rotate (re-encrypt with new ML-KEM-768 key pair)
client.vault.rotate(entry.credential_id)See Vault API reference for all endpoints.
Encryption#
Encrypt arbitrary data with ML-KEM-768 + AES-256-GCM hybrid encryption, and sign payloads with ML-DSA-65 + HMAC-SHA-512. Both signatures are verified with bitwise & - neither short-circuits.
# Encrypt
result = client.encryption.encrypt(
data="sensitive PII",
algorithm="ML-KEM-768",
)
# Sign (ML-DSA-65 + HMAC-SHA-512)
sig = client.encryption.sign(data="payload to sign")
print(sig.pqc_signature) # ~3309 bytes ML-DSA-65
print(sig.hmac_signature) # 64 bytes HMAC-SHA-512
# Verify - BOTH must pass
ok = client.encryption.verify(
data="payload to sign",
pqc_signature=sig.pqc_signature,
hmac_signature=sig.hmac_signature,
)
assert okCompliance#
Generate compliance reports from the immutable SHA3-256 audit hash chain. 9 frameworks, 56 controls. Every report is backed by real evidence from your audit log.
# Get compliance score
score = client.compliance.score(framework="soc2")
print(score.score) # 0–100
print(score.controls_passed) # e.g. 5/6
# Generate PDF report (signed S3 URL, 1h expiry)
report = client.compliance.report(framework="soc2")
print(report.pdf_url)
# CLI equivalent
# qs compliance report --framework soc2
# qs compliance all # all 9 frameworksFrameworks: soc2, iso27001, pci_dss, hipaa, gdpr, nist_csf, fedramp, apra, nist_800_53
CLI#
The qs CLI manages vault entries, encrypts data, and generates compliance reports from your terminal. Install with npm:
npm install -g @quantaseal/cli
# Configure
qs config set api-key qs_live_...
# Encrypt
qs encrypt --text "my secret"
# Vault
qs vault list
qs vault seal --name "stripe-key" --type api_key
qs vault unseal cred_abc123
# Compliance
qs compliance report --framework soc2See the full CLI reference for all commands and flags.
MCP Server#
18 MCP tools let Claude Desktop, Cursor, and any MCP-compatible AI agent encrypt data, manage vault entries, and generate compliance reports - all secured by your API key.
// ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"quantaseal": {
"command": "node",
"args": [
"/usr/local/lib/node_modules/@quantaseal/mcp-server/dist/server.js"
],
"env": {
"QUANTASEAL_API_KEY": "qs_live_your_key_here"
}
}
}
}See the full MCP server documentation for all 18 tools, SSE transport, and the security model.