Developer reference

API Documentation

Integrate HQH-539-512 encryption directly into your systems. Authenticate with an API key, send plaintext, receive a cryptographically-bound ciphertext bundle.

HQH-539-512 · AES-256-GCM
1 credit per encrypt call
REST · JSON · HTTPS
60 req/min rate limit

01Quickstart

01

Create an account

Sign up at 539labs.org and purchase a credit package from the Pricing page.

02

Generate an API key

Navigate to your Account page and click Generate new key. Copy the plaintext key — it is shown exactly once.

03

Make your first request

Send a POST request to /api/v1/encrypt with your Bearer token and JSON body. Each successful call deducts 1 credit.

Your first encrypt call — curl

bash
curl -X POST https://539labs.org/api/v1/encrypt \
  -H "Authorization: Bearer hqh_<your-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "plaintext": "Hello, world.",
    "passphrase": "correct-horse-battery-staple",
    "label": "test-run"
  }'

Or with fetch (JavaScript)

javascript
const res = await fetch('https://539labs.org/api/v1/encrypt', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer hqh_<your-key>',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    plaintext: 'Hello, world.',
    passphrase: 'correct-horse-battery-staple',
  }),
});
const data = await res.json();
console.log(data.digestHex);

02Authentication

All API requests must include an Authorization header with a Bearer token. Keys are prefixed hqh_ and are generated from your account dashboard.

http
Authorization: Bearer hqh_a3f2c1b8e4d7f9...

Keys are hashed with SHA-256 before storage. The plaintext is never persisted — if you lose it, revoke and generate a new one.

Generate a key via the API (requires active session cookie)

bash
curl -X POST https://539labs.org/api/keys \
  -H "Cookie: <session-cookie>" \
  -H "Content-Type: application/json" \
  -d '{ "label": "Production server" }'

Or generate keys from your Account page — no API call needed.

03Endpoints

POST/api/v1/encrypt1 credit per call

Encrypt plaintext using HQH-539-512

Runs the full HQH-539-512 pipeline server-side: Keccak-512 seed → 539 T3 iterations → HKDF-SHA-512 key derivation → AES-256-GCM encryption. Returns a self-contained bundle you can store or transmit.

Rate limit: 60 requests per minute per key
POST/api/keysFree

Generate a new API key

Creates a new API key for the authenticated account. Returns the plaintext key once — it cannot be retrieved again. Maximum 10 active keys per account.

Rate limit: 5 requests per 10 minutes
GET/api/keysFree

List API keys

Returns metadata for all keys on the account — prefix, label, usage count, last used timestamp, and revocation status. Never returns the plaintext key or its hash.

Rate limit: 30 requests per minute
DELETE/api/keys/:idFree

Revoke an API key

Permanently revokes a key. Revoked keys are rejected immediately on all subsequent requests. The record is retained for audit purposes.

Rate limit: 10 requests per 10 minutes

04Encrypt — request body

FieldTypeDescription
plaintextreq
string

The message to encrypt. Max 1 MB (1,048,576 characters).

passphrasereq
string

Encryption passphrase. Combined with a random 32-byte salt via HKDF to derive the AES key.

label
string

Optional tag stored with the response for your own record-keeping. Max 100 characters.

05Encrypt — response body

json
{
  "digestHex": "a3f2c1...",
  "ciphertext": "base64==",
  "saltHex": "8e4d...",
  "nonceHex": "f1a2...",
  "iterations": 539,
  "encryptedAt": "2026-07-13T23:00:00.000Z",
  "creditsRemaining": 249
}
FieldTypeDescription
digestHexstring

Hex-encoded HQH-539-512 digest of the passphrase+salt input after 539 T3 iterations.

ciphertextstring

Base64-encoded AES-256-GCM ciphertext with 16-byte authentication tag appended.

saltHexstring

Hex-encoded 32-byte random salt used in key derivation. Required for decryption.

nonceHexstring

Hex-encoded 12-byte AES-GCM nonce. Required for decryption.

iterationsnumber

Always 539. Confirms the canonical T3 iteration count used.

encryptedAtstring

ISO 8601 timestamp of when the encryption was performed.

creditsRemainingnumber

Credit balance after this call. Use this to monitor usage and top up before hitting zero.

06Error codes

400

Bad Request

Missing or invalid plaintext or passphrase field.

401

Unauthorized

Missing, malformed, or revoked API key.

402

Payment Required

Insufficient credits. Purchase more at /pricing.

422

Unprocessable Entity

Key cap exceeded (POST /api/keys only). Revoke an existing key first.

429

Too Many Requests

Rate limit exceeded. See per-endpoint limits above.

500

Internal Server Error

Unexpected server error. Retry with exponential backoff.

07Security notes

Store your API key in an environment variable — never commit it to source control.

All encryption runs server-side. Plaintext is never logged or persisted beyond the request lifetime.

The ciphertext bundle is self-contained. Store saltHex and nonceHex alongside ciphertext for later decryption.

Revoke compromised keys immediately from your account dashboard. Revocation is instantaneous.

No SDK required

The API is plain HTTPS + JSON. Any HTTP client works — curl, fetch, axios, requests, Guzzle, or your language's standard library. The only dependency is your API key.

Get started

Ready to integrate?

Create an account, purchase credits, and generate your first API key in under two minutes.