MongoDB

Databases

system_type: "mongodb"

Proxy MongoDB Atlas or self-hosted MongoDB with PQC-sealed connection strings and field-level encryption.

Overview#

The MongoDB connector seals Atlas or self-hosted MongoDB connection strings in QuantaVault. Proxy operations support find, insertOne, updateOne, deleteOne, and aggregate. Field-level tokenization can be applied to PII document fields before insert.

Base URL: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...

Prerequisites#

1MongoDB Atlas cluster or self-hosted MongoDB 5.0+
2A database user with the required collection roles
3MongoDB connection string (SRV or standard format)
4A QuantaSeal API key

Configuration#

Follow these steps to connect MongoDB to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.

1
In Atlas, create a database user with the readWrite role on the target database.
2
Seal the connection string: POST /api/v2/vault/seal with credential_type: database_dsn.
3
Create the integration: POST /api/v2/integrations with system_type: mongodb.

Authentication Types#

Store the full MongoDB connection string as database_dsn: mongodb+srv://user:pass@cluster.mongodb.net/mydb?retryWrites=true

DB DSNBearer Token

All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.

Available Operations#

QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.

Operation	Description
`find`	Query documents from a collection.
`insert_one`	Insert a single document.
`update_one`	Update a single document matching a filter.
`delete_one`	Delete a single document.
`aggregate`	Run an aggregation pipeline.

Code Example#

Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.

bashCopy

curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRMONGO000001",
    "operation": "find",
    "payload": {
      "database": "customers",
      "collection": "profiles",
      "filter": {"status": "active"},
      "projection": {"name": 1, "email": 1},
      "limit": 10
    }
  }'

# Response - HybridCryptoEnvelope
{
  "success": true,
  "encrypted": {
    "ciphertext_kem":  "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted MongoDB documents>",
    "nonce":           "<base64 - 12 bytes>",
    "tenant_id":       "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm":       "ML-KEM-768"
  },
  "signature": {
    "pqc_signature":  "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id":      "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm":      "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}

Decrypt the response using the QuantaSeal SDK: client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.

Troubleshooting#

Authentication failed - wrong credentials

MongoDB Atlas requires the password to be URL-encoded if it contains special characters. Re-seal the DSN with a properly encoded connection string.

Still stuck? Check the Security Events page in the Admin Console for detailed proxy error logs, or open a support ticket at quantaseal.io/support.

All Connectors API Reference