{
  "info": {
    "name": "QuantaSeal API",
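    "description": "Pre-built collection covering the 5 core QuantaSeal operations: vault seal, vault unseal, proxy request, encrypt, and decrypt. Import this file into Postman or Bruno, set the environment variables, and you're ready to make quantum-safe API calls.\n\nRequired environment variables:\n- QUANTASEAL_API_KEY  → your API key (qs_live_...)\n- QUANTASEAL_BASE_URL → https://api.quantaseal.io (or http://localhost:8000 for local dev)\n- VAULT_ENTRY_ID      → auto-populated after 'Vault - Seal Credential'\n- ENCRYPT_PAYLOAD_B64 → auto-populated after 'Encrypt - Encrypt Payload'\n\nAlso referenced by individual requests:\n- INTEGRATION_ID            → used by 'Proxy - Outbound Request'\n- USER_EMAIL, USER_PASSWORD → used by 'Auth - Login'\n\nKeep QUANTASEAL_API_KEY and USER_PASSWORD in environment variables only (marked secret where the client supports it) rather than typing them into the collection, so that exporting or committing this file does not disclose them. The http://localhost:8000 base URL sends the bearer token unencrypted; use it only against a local instance.\n\nDocumentation: https://quantaseal.io/docs\nWire format spec: https://github.com/QuantaSeal/wire-format",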
    "_postman_id": "qs-collection-v1",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "variable": [
    { "key": "base_url", "value": "{{QUANTASEAL_BASE_URL}}", "type": "string" },
    { "key": "api_key",  "value": "{{QUANTASEAL_API_KEY}}",  "type": "string" }
  ],
  "auth": {
    "type": "bearer",
    "bearer": [{ "key": "token", "value": "{{api_key}}", "type": "string" }]
  },
  "item": [
    {
      "name": "Health",
      "item": [
        {
          "name": "Health Check",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{base_url}}/health",
              "host": ["{{base_url}}"],
              "path": ["health"]
            },
            "description": "Check API health — returns status, PQC algorithm names, region, environment."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('Status is healthy', () => {",
                  "  const json = pm.response.json();",
                  "  pm.expect(json.status).to.eql('healthy');",
                  "  pm.expect(json.pqc_algorithms.kem).to.eql('ML-KEM-768');",
                  "  pm.expect(json.pqc_algorithms.dsa).to.eql('ML-DSA-65');",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    },
    {
      "name": "1. Vault — Seal Credential",
      "item": [
        {
          "name": "Vault - Seal Credential",
          "request": {
            "method": "POST",
            "header": [
              { "key": "Content-Type", "value": "application/json" },
              { "key": "X-Nonce",      "value": "{{$guid}}" }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"my-salesforce-creds\",\n  \"credential_type\": \"oauth2_client\",\n  \"values\": {\n    \"client_id\": \"3MVG9...\",\n    \"client_secret\": \"ABC123...\",\n    \"instance_url\": \"https://myorg.salesforce.com\"\n  },\n  \"ttl_days\": 90\n}",
              "options": { "raw": { "language": "json" } }
            },
            "url": {
              "raw": "{{base_url}}/api/v2/vault/seal",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "vault", "seal"]
            },
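            "description": "Seal (encrypt + store) a credential in QuantaVault.\n\nThe credential JSON is encrypted with ML-KEM-768 + AES-256-GCM and signed with ML-DSA-65. The private key is wrapped by your tenant's dedicated AWS KMS CMK.\n\nThe client_id and client_secret in the sample body are placeholders. Supply real values through environment variables rather than saving them in the request body, because anything saved in the body is exported with the collection.\n\nReturns: credential_id — save it to unseal later.\n\nWire format: sdk/wire-format/SPEC.md"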
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('Credential sealed', () => {",
                  "  const json = pm.response.json();",
                  "  pm.expect(pm.response.code).to.be.oneOf([200, 201]);",
                  "  pm.expect(json.credential_id || json.id).to.be.a('string');",
                  "  // Auto-populate VAULT_ENTRY_ID for the unseal request",
                  "  const id = json.credential_id || json.id;",
                  "  if (id) pm.environment.set('VAULT_ENTRY_ID', id);",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    },
    {
      "name": "2. Vault — Unseal Credential",
      "item": [
        {
          "name": "Vault - Unseal Credential",
          "request": {
            "method": "GET",
            "header": [
              { "key": "X-Nonce", "value": "{{$guid}}" }
            ],
            "url": {
              "raw": "{{base_url}}/api/v2/vault/{{VAULT_ENTRY_ID}}",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "vault", "{{VAULT_ENTRY_ID}}"]
            },
            "description": "Unseal (decrypt) a vault credential by ID.\n\nThe API verifies BOTH signatures (ML-DSA-65 AND HMAC-SHA-512) before decryption — neither can be skipped. Decapsulates the ML-KEM-768 ciphertext via AWS KMS, derives the AES-256-GCM key with HKDF-SHA-512, decrypts, and returns plaintext JSON.\n\nThe response body contains the plaintext credential values, so treat the client's response view, console output, and any saved response examples as sensitive.\n\nRequires: VAULT_ENTRY_ID environment variable (auto-set by the Seal test script)."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('Credential unsealed', () => {",
                  "  pm.expect(pm.response.code).to.eql(200);",
                  "  const json = pm.response.json();",
                  "  // Plaintext values returned — never logged by QuantaSeal",
                  "  pm.expect(json).to.have.any.keys('values', 'credential', 'plaintext');",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    },
    {
      "name": "3. Proxy — Outbound Request",
      "item": [
        {
          "name": "Proxy - Outbound Request",
          "request": {
            "method": "POST",
            "header": [
              { "key": "Content-Type", "value": "application/json" },
              { "key": "X-Nonce",      "value": "{{$guid}}" }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"integration_id\": \"{{INTEGRATION_ID}}\",\n  \"operation\": \"query\",\n  \"payload\": {\n    \"object\": \"Account\",\n    \"fields\": [\"Id\", \"Name\", \"Email\"],\n    \"limit\": 5\n  }\n}",
              "options": { "raw": { "language": "json" } }
            },
            "url": {
              "raw": "{{base_url}}/api/v2/proxy/execute",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "proxy", "execute"]
            },
            "description": "Proxy an operation through QuantaSeal to an external system.\n\nQuantaSeal:\n1. Unseals the integration credentials from QuantaVault\n2. Encrypts the payload with ML-KEM-768 + AES-256-GCM\n3. Signs with ML-DSA-65 + HMAC-SHA-512\n4. Forwards to the external system via the appropriate adapter\n5. Decrypts and returns the response\n\nRequires: INTEGRATION_ID — get this from GET /api/v2/integrations."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('Proxy request successful', () => {",
                  "  pm.expect(pm.response.code).to.be.oneOf([200, 201]);",
                  "  const json = pm.response.json();",
                  "  pm.expect(json.success).to.be.true;",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    },
    {
      "name": "4. Encrypt Payload",
      "item": [
        {
          "name": "Encrypt - Encrypt Payload",
          "request": {
            "method": "POST",
            "header": [
              { "key": "Content-Type", "value": "application/json" },
              { "key": "X-Nonce",      "value": "{{$guid}}" }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"plaintext\": \"{{$base64Encoding:Hello, quantum-safe world!}}\"\n}",
              "options": { "raw": { "language": "json" } }
            },
            "url": {
              "raw": "{{base_url}}/api/v2/encryption/encrypt",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "encryption", "encrypt"]
            },
            "description": "Encrypt an arbitrary payload with ML-KEM-768 + AES-256-GCM.\n\nThe plaintext must be base64-encoded. Returns a HybridCryptoEnvelope JSON with:\n- encrypted.ciphertext_kem: exactly 1,088 bytes (ML-KEM-768, NIST FIPS 203 §4)\n- encrypted.ciphertext_data: AES-256-GCM ciphertext\n- encrypted.nonce: 12 bytes (never logged)\n- signature.pqc_signature: ML-DSA-65 signature (~3,309 bytes)\n- signature.hmac_signature: HMAC-SHA-512 (64 bytes)\n\nUse the returned envelope in the Decrypt request."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('Payload encrypted', () => {",
                  "  pm.expect(pm.response.code).to.eql(200);",
                  "  const json = pm.response.json();",
                  "  pm.expect(json.encrypted).to.exist;",
                  "  pm.expect(json.encrypted.algorithm).to.eql('ML-KEM-768');",
                  "  pm.expect(json.signature).to.exist;",
                  "  pm.expect(json.signature.algorithm).to.include('ML-DSA-65');",
                  "  // Save envelope for decrypt",
                  "  pm.environment.set('ENCRYPT_PAYLOAD_B64', btoa(JSON.stringify(json)));",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    },
    {
      "name": "5. Decrypt Payload",
      "item": [
        {
          "name": "Decrypt - Decrypt Payload",
          "request": {
            "method": "POST",
            "header": [
              { "key": "Content-Type", "value": "application/json" },
              { "key": "X-Nonce",      "value": "{{$guid}}" }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"envelope\": {{ENCRYPT_PAYLOAD_B64}}\n}",
              "options": { "raw": { "language": "json" } }
            },
            "url": {
              "raw": "{{base_url}}/api/v2/encryption/decrypt",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "encryption", "decrypt"]
            },
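            "description": "Decrypt an envelope produced by the Encrypt endpoint.\n\nVerification order (non-negotiable):\n1. Verify ML-DSA-65 signature\n2. Verify HMAC-SHA-512 (bitwise AND — both must pass, no short-circuit)\n3. Decapsulate ML-KEM-768 ciphertext → shared secret\n4. Derive AES-256-GCM key via HKDF-SHA-512\n5. AES-256-GCM decrypt + verify GCM tag\n\nIf EITHER signature fails, decryption is NEVER attempted.\n\nRequires: ENCRYPT_PAYLOAD_B64 (auto-set by Encrypt test script).\n\nNote: the Encrypt test script stores the envelope as a base64 string (btoa of the JSON response), and this request body substitutes ENCRYPT_PAYLOAD_B64 without surrounding quotes, so the body as written is not valid JSON. Confirm which form the API expects, then either quote the variable in the body or have the Encrypt script store the raw JSON envelope."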
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('Payload decrypted — round trip verified', () => {",
                  "  pm.expect(pm.response.code).to.eql(200);",
                  "  const json = pm.response.json();",
                  "  pm.expect(json.plaintext).to.be.a('string');",
                  "  // Decode base64 plaintext",
                  "  const decoded = atob(json.plaintext);",
                  "  pm.expect(decoded).to.include('quantum-safe');",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Bonus — Auth & Keys",
      "item": [
        {
          "name": "Auth - Login",
          "request": {
            "method": "POST",
            "header": [{ "key": "Content-Type", "value": "application/json" }],
            "auth": { "type": "noauth" },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"email\": \"{{USER_EMAIL}}\",\n  \"password\": \"{{USER_PASSWORD}}\"\n}",
              "options": { "raw": { "language": "json" } }
            },
            "url": {
              "raw": "{{base_url}}/api/v2/auth/login",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "auth", "login"]
            }
          }
        },
        {
          "name": "CBOM - Get Cryptographic Inventory",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{base_url}}/api/v2/security/cbom",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "security", "cbom"]
            },
            "description": "Returns the Cryptographic Bill of Materials — per-integration crypto profiles, risk scores, and remediation steps."
          }
        },
        {
          "name": "PQC Attestation (Public — no auth)",
          "request": {
            "method": "GET",
            "header": [],
            "auth": { "type": "noauth" },
            "url": {
              "raw": "{{base_url}}/api/v2/security/pqc-attestation",
              "host": ["{{base_url}}"],
              "path": ["api", "v2", "security", "pqc-attestation"]
            },
            "description": "Live ML-KEM-768 + ML-DSA-65 parameter verification against NIST FIPS 203/204 spec tables. No auth required."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "exec": [
                  "pm.test('All PQC checks pass', () => {",
                  "  const json = pm.response.json();",
                  "  pm.expect(json.overall_pass).to.be.true;",
                  "  json.algorithms.forEach(algo => {",
                  "    pm.expect(algo.pass, algo.algorithm + ' must pass').to.be.true;",
                  "  });",
                  "});"
                ],
                "type": "text/javascript"
              }
            }
          ]
        }
      ]
    }
  ]
}
