Developer reference
API Documentation
Integrate HQH-539-512 encryption directly into your systems. Authenticate with an API key, send plaintext, receive a cryptographically-bound ciphertext bundle.
01Quickstart
Create an account
Sign up at 539labs.org and purchase a credit package from the Pricing page.
Generate an API key
Navigate to your Account page and click Generate new key. Copy the plaintext key — it is shown exactly once.
Make your first request
Send a POST request to /api/v1/encrypt with your Bearer token and JSON body. Each successful call deducts 1 credit.
Your first encrypt call — curl
curl -X POST https://539labs.org/api/v1/encrypt \
-H "Authorization: Bearer hqh_<your-key>" \
-H "Content-Type: application/json" \
-d '{
"plaintext": "Hello, world.",
"passphrase": "correct-horse-battery-staple",
"label": "test-run"
}'Or with fetch (JavaScript)
const res = await fetch('https://539labs.org/api/v1/encrypt', {
method: 'POST',
headers: {
'Authorization': 'Bearer hqh_<your-key>',
'Content-Type': 'application/json',
},
body: JSON.stringify({
plaintext: 'Hello, world.',
passphrase: 'correct-horse-battery-staple',
}),
});
const data = await res.json();
console.log(data.digestHex);02Authentication
All API requests must include an Authorization header with a Bearer token. Keys are prefixed hqh_ and are generated from your account dashboard.
Authorization: Bearer hqh_a3f2c1b8e4d7f9...
Keys are hashed with SHA-256 before storage. The plaintext is never persisted — if you lose it, revoke and generate a new one.
Generate a key via the API (requires active session cookie)
curl -X POST https://539labs.org/api/keys \
-H "Cookie: <session-cookie>" \
-H "Content-Type: application/json" \
-d '{ "label": "Production server" }'Or generate keys from your Account page — no API call needed.
03Endpoints
/api/v1/encrypt1 credit per callEncrypt plaintext using HQH-539-512
Runs the full HQH-539-512 pipeline server-side: Keccak-512 seed → 539 T3 iterations → HKDF-SHA-512 key derivation → AES-256-GCM encryption. Returns a self-contained bundle you can store or transmit.
/api/keysFreeGenerate a new API key
Creates a new API key for the authenticated account. Returns the plaintext key once — it cannot be retrieved again. Maximum 10 active keys per account.
/api/keysFreeList API keys
Returns metadata for all keys on the account — prefix, label, usage count, last used timestamp, and revocation status. Never returns the plaintext key or its hash.
/api/keys/:idFreeRevoke an API key
Permanently revokes a key. Revoked keys are rejected immediately on all subsequent requests. The record is retained for audit purposes.
04Encrypt — request body
plaintextreqstringThe message to encrypt. Max 1 MB (1,048,576 characters).
passphrasereqstringEncryption passphrase. Combined with a random 32-byte salt via HKDF to derive the AES key.
labelstringOptional tag stored with the response for your own record-keeping. Max 100 characters.
05Encrypt — response body
{
"digestHex": "a3f2c1...",
"ciphertext": "base64==",
"saltHex": "8e4d...",
"nonceHex": "f1a2...",
"iterations": 539,
"encryptedAt": "2026-07-13T23:00:00.000Z",
"creditsRemaining": 249
}digestHexstringHex-encoded HQH-539-512 digest of the passphrase+salt input after 539 T3 iterations.
ciphertextstringBase64-encoded AES-256-GCM ciphertext with 16-byte authentication tag appended.
saltHexstringHex-encoded 32-byte random salt used in key derivation. Required for decryption.
nonceHexstringHex-encoded 12-byte AES-GCM nonce. Required for decryption.
iterationsnumberAlways 539. Confirms the canonical T3 iteration count used.
encryptedAtstringISO 8601 timestamp of when the encryption was performed.
creditsRemainingnumberCredit balance after this call. Use this to monitor usage and top up before hitting zero.
06Error codes
Bad Request
Missing or invalid plaintext or passphrase field.
Unauthorized
Missing, malformed, or revoked API key.
Payment Required
Insufficient credits. Purchase more at /pricing.
Unprocessable Entity
Key cap exceeded (POST /api/keys only). Revoke an existing key first.
Too Many Requests
Rate limit exceeded. See per-endpoint limits above.
Internal Server Error
Unexpected server error. Retry with exponential backoff.
07Security notes
Store your API key in an environment variable — never commit it to source control.
All encryption runs server-side. Plaintext is never logged or persisted beyond the request lifetime.
The ciphertext bundle is self-contained. Store saltHex and nonceHex alongside ciphertext for later decryption.
Revoke compromised keys immediately from your account dashboard. Revocation is instantaneous.
No SDK required
The API is plain HTTPS + JSON. Any HTTP client works — curl, fetch, axios, requests, Guzzle, or your language's standard library. The only dependency is your API key.
Get started
Ready to integrate?
Create an account, purchase credits, and generate your first API key in under two minutes.