The Key Management API lets you generate, rotate, list, and retire your PQC cryptographic keys. Qpher supports ML-KEM-768, X-Wing, and ML-KEM-1024 for encryption, and ML-DSA-65, Composite-ML-DSA, ML-DSA-87, and the hash-based SLH-DSA-SHA2 family for digital signatures. (The algorithm API wire values for ML-KEM-768 and ML-DSA-65 are Kyber768 and Dilithium3 respectively.)
πPublic keys only
The Key Management API returns public key material only. Private keys are stored exclusively inside the Qpher secure enclave and are never exposed through any API endpoint.
βΉοΈHybrid algorithms (Starter+)
The algorithm parameter now also accepts "X-Wing" (hybrid KEM) and "Composite-ML-DSA"
(hybrid signatures), in addition to "Kyber768" and "Dilithium3".
Hybrid keys follow the same lifecycle rules as PQC-only keys: explicit key_version,
active/retired/archived states, and no implicit "latest" default.
The algorithm parameter also accepts "ML-KEM-1024" (Category 5 KEM) and
"ML-DSA-87" (Category 5 signature) β the NIST highest-strength parameter sets
named in the NSA CNSA 2.0 suite. These follow the same key lifecycle as all
other algorithms. This is algorithm alignment with CNSA 2.0, not a
compliance certification; see your SDK's compliance_profile="cnsa-2.0"
selector on the SDKs overview.
POST/api/v1/kms/keys/generateGenerate a new PQC key pair for the specified algorithm.
Creates a new key pair and sets it to active status. If an active key already exists for the given algorithm, the request is rejected β use Rotate Key to replace the active key instead.
The PQC algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
The algorithm used: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
POST/api/v1/kms/keys/rotateRotate to a new key version, retiring the current active key.
Generates a new active key and moves the previous active key to retired status. Retired keys can still be used for decryption and signature verification but not for new encrypt or sign operations.
The PQC algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
Filter by algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
status
string
No
Filter by status: "active", "retired", or "archived".
"Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
The algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
The PQC algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
POST/api/v1/kms/keys/archiveArchive a retired key and securely delete the private key material.
Moves a key from retired to archived status and securely deletes the private key file. Archived keys cannot perform any cryptographic operations.
β οΈIrreversible operation
Archiving permanently deletes the private key. You will no longer be able to decrypt or verify with this key version.
βΉοΈPortal UI only
Key archival is only available through the Qpher Portal UI at portal.qpher.ai.
API calls to this endpoint return 403 ERR_KMS_020. This restriction prevents accidental key destruction
by scripts, SDKs, or AI agents.
The PQC algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
The algorithm: "Kyber768", "Dilithium3", "X-Wing", "Composite-ML-DSA", "ML-KEM-1024", "ML-DSA-87", or one of the four "SLH-DSA-SHA2-*" sets (128s / 128f / 192s / 256s).
Keys move through three statuses during their lifetime:
ACTIVE ββrotateβββΊ ACTIVE (new version) β β β ββ(old becomes)ββΊ RETIRED ββarchiveβββΊ ARCHIVED β βββretireβββΊ RETIRED ββarchiveβββΊ ARCHIVED
Status
Encrypt
Decrypt
Sign
Verify
active
Yes
Yes
Yes
Yes
retired
No
Yes
No
Yes
archived
No
No
No
No
π‘Key rotation best practice
Rotate keys periodically (for example, every 90 days). After rotation, update your application to use the new key_version for encrypt and sign operations. Existing ciphertext and signatures remain valid with the retired key.