Signature API
The Signature API provides post-quantum digital signatures using the Dilithium3 algorithm (NIST ML-DSA-65, FIPS 204). Use it to sign messages and verify signatures with quantum-resistant security.
Signing operations happen inside the Qpher secure enclave. Your private signing keys are never exposed or exported.
Signâ
Signs the provided message with the specified key version. The key must be in active status.
Request bodyâ
| Field | Type | Required | Description |
|---|---|---|---|
message | string (base64) | Yes | Base64-encoded message to sign. |
key_version | integer | Yes | The version of the Dilithium3 key to use. Must reference an active key. |
Response (200 OK)â
| Field | Type | Description |
|---|---|---|
data.signature | string (base64) | The Dilithium3 signature, base64-encoded (3293 bytes raw). |
data.key_version | integer | The key version used for signing. |
data.algorithm | string | Always "Dilithium3". |
Exampleâ
/api/v1/signature/signX-API-Key: qph_your_key_here
Content-Type: application/json{
"message": "SW52b2ljZSAjMTIzNCAtIFRvdGFsOiAkOTkuMDA=",
"key_version": 1
}{
"data": {
"signature": "c2lnbmF0dXJlX2J5dGVzX2hlcmUuLi4=",
"key_version": 1,
"algorithm": "Dilithium3"
},
"request_id": "c3d4e5f6-a7b8-9012-cdef-123456789012",
"timestamp": "2026-01-15T10:30:02.000Z"
}curl -X POST https://api.qpher.ai/api/v1/signature/sign \
-H "X-API-Key: qph_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"message": "SW52b2ljZSAjMTIzNCAtIFRvdGFsOiAkOTkuMDA=",
"key_version": 1
}'Errorsâ
| HTTP Status | Error Code | Description |
|---|---|---|
| 400 | ERR_SIG_001 | Invalid sign request â missing message or invalid key_version. |
| 401 | ERR_AUTH_001 | Missing or invalid API key. |
| 404 | ERR_NOT_FOUND_001 | Key version not found or key is not in active status. |
Verifyâ
Verifies that a signature is valid for the given message and key version. Verification can use keys in active or retired status.
Request bodyâ
| Field | Type | Required | Description |
|---|---|---|---|
message | string (base64) | Yes | Base64-encoded original message that was signed. |
signature | string (base64) | Yes | Base64-encoded Dilithium3 signature to verify. |
key_version | integer | Yes | The key version that was used to create the signature. |
Response (200 OK)â
| Field | Type | Description |
|---|---|---|
data.valid | boolean | true if the signature is valid for the given message and key, false otherwise. |
data.key_version | integer | The key version used for verification. |
data.algorithm | string | Always "Dilithium3". |
Exampleâ
/api/v1/signature/verifyX-API-Key: qph_your_key_here
Content-Type: application/json{
"message": "SW52b2ljZSAjMTIzNCAtIFRvdGFsOiAkOTkuMDA=",
"signature": "c2lnbmF0dXJlX2J5dGVzX2hlcmUuLi4=",
"key_version": 1
}{
"data": {
"valid": true,
"key_version": 1,
"algorithm": "Dilithium3"
},
"request_id": "d4e5f6a7-b8c9-0123-4567-890abcdef012",
"timestamp": "2026-01-15T10:30:03.000Z"
}curl -X POST https://api.qpher.ai/api/v1/signature/verify \
-H "X-API-Key: qph_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"message": "SW52b2ljZSAjMTIzNCAtIFRvdGFsOiAkOTkuMDA=",
"signature": "c2lnbmF0dXJlX2J5dGVzX2hlcmUuLi4=",
"key_version": 1
}'Errorsâ
| HTTP Status | Error Code | Description |
|---|---|---|
| 400 | ERR_SIG_002 | Invalid verify request â missing signature, message, or key_version. |
| 401 | ERR_AUTH_001 | Missing or invalid API key. |
| 404 | ERR_NOT_FOUND_001 | Key version not found or key is in archived status. |
A signature that does not match returns {"valid": false} with HTTP 200 â not an error. Errors (4xx/5xx) indicate malformed requests or missing resources, not invalid signatures.
Key Version Requirementsâ
The key_version field is mandatory on all signature operations. There is no implicit "use latest key" behavior.
| Operation | Allowed Key Statuses |
|---|---|
| Sign | active only |
| Verify | active or retired |
Use the Key Management API to list your keys and find the current active version.