Generic REST API
Generic
system_type: "generic_rest"
Proxy any REST API through QuantaSeal's PQC encryption layer with bearer or API key authentication.
Overview
The Generic REST adapter enables QuantaSeal to proxy any HTTP/HTTPS REST API endpoint. Configure the base URL, authentication headers, and allowed operations. All requests and responses are encrypted with ML-KEM-768 + AES-256-GCM.
https://api.quantaseal.io/api/v2/proxy/outbound
Auth header:
X-API-Key: qs_live_…
Prerequisites
1. A target REST API endpoint (HTTPS required in production)
2. Authentication credentials (API key, Bearer token, or Basic Auth)
3. A QuantaSeal API key
Configuration
Follow these steps to connect Generic REST API to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. Seal your API credentials via POST /api/v2/vault/seal.
2. Create an integration with system_type: generic_rest, config: {base_url: 'https://api.your-system.com', auth_header: 'Authorization'}.
3. Set allowed_operations: ['get', 'post'] to enforce the default-deny policy.
Authentication Types
Seal credentials as the appropriate type. For custom headers, use custom_kv and specify header_name in the integration config.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| get | HTTP GET request to the configured endpoint. |
| post | HTTP POST request with JSON payload. |
| put | HTTP PUT request for resource updates. |
| patch | HTTP PATCH request for partial updates. |
| delete | HTTP DELETE request. |
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
```bash
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"integration_id":"int_REST001","operation":"post","payload":{"endpoint":"/api/orders","body":{"customer_id":"cust-001","total":9900}}}'
```
client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.
Troubleshooting
SSRF protection blocked request
The target URL resolved to a private IP. Only public HTTPS endpoints are permitted. Contact support if you need to proxy to a VPC endpoint via QuantaSeal Private Cloud.
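A pre-flight check for the error above, as an added example (not QuantaSeal's code, and not its actual SSRF rules): it resolves a candidate base_url and reports whether the scheme is not HTTPS or any resolved address is non-public, which is the condition this troubleshooting entry describes. The function names, the resolver parameter and the sample DNS answers are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers (hypothetical hosts) so the example runs offline.
SAMPLE_DNS = {
    "api.public.example": ["93.184.216.34"],
    "erp.internal.example": ["10.20.0.15"],
    "mixed.example": ["93.184.216.34", "::ffff:192.168.1.10"],
}


def system_resolver(host, port):
    """Every address the local resolver returns for host (needs DNS)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_public(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.5) is judged as its IPv4 form.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return ip.is_global and not ip.is_multicast


def preflight(base_url, resolver=system_resolver):
    """Return (ok, reason) for a base_url before it goes into an integration."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "no hostname in URL"
    try:
        addrs = resolver(parts.hostname, parts.port or 443)
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve target: {exc}"
    if not addrs:
        return False, "hostname resolved to no addresses"
    # One non-public record among the answers is enough to be refused.
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:
        return False, "resolves to non-public address: " + ", ".join(blocked)
    return True, "ok"


if __name__ == "__main__":
    for host in SAMPLE_DNS:
        print(host, preflight(f"https://{host}/api", lambda h, p: SAMPLE_DNS.get(h, [])))
```

Run it against the public DNS view: with split-horizon DNS, a hostname can resolve to a private record inside your network and a public one outside it, so the result depends on where the lookup happens.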