Build with the Decryption Blast Radius API

The same API that powers npx pqcheck, the browser extension, and the GitHub Action. Free, no signup, no API key. Rate-limited at ~60 requests/minute per IP for cost protection.

# Quick scan
curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq '.grade, .score'

# Or use the CLI wrapper (also free, also no signup)
npx pqcheck stripe.com

Endpoint reference

All endpoints live under https://www.cipherwake.io. Responses are JSON unless noted. CORS-enabled (Access-Control-Allow-Origin: *) so you can call directly from browser code.

Anatomy of /api/scan

The main endpoint. Pass a domain, get a complete report.

Request

GET /api/scan?domain=stripe.com&source=my-tool

Optional query params:
  domain      required — public HTTPS domain (apex; we strip leading "www.")
  source      optional — for analytics attribution. Examples: ext, my-tool
  force       optional — pass "1" to bypass our 5-min server-side cache (debug)

Response (abbreviated)

{
  "domain": "stripe.com",
  "score": 5.5,
  "grade": "C",
  "scoreLabel": "MEDIUM",
  "reachable": true,
  "impact": {
    "headline": "If quantum decryption arrives in 2030-2040, harvested traffic...",
    "topContributors": [...]
  },
  "findings": [
    { "title": "RSA fallback enabled", "severity": "high", "detail": "..." },
    { "title": "HSTS preload increases key persistence", "severity": "medium", "detail": "..." }
  ],
  "components": {
    "keyExchange":   { "raw": 7, "weight": 0.35, "contribution": 2.45, "rationale": "..." },
    "certLifetime":  { "raw": 5, "weight": 0.25, "contribution": 1.25, "rationale": "..." },
    "keyPersistence":{ "raw": 7, "weight": 0.15, "contribution": 1.05, "rationale": "..." },
    "subdomainScale":{ "raw": 3, "weight": 0.25, "contribution": 0.75, "rationale": "..." }
  },
  "publicSurface": {
    "tlsVersion": "TLSv1.3",
    "hybridPQC": false,
    "daysUntilCertExpiry": 54,
    "wildcardCert": false,
    /* ... full TLS + cert + headers + email-security details ... */
  }
}

See methodology for what each component measures and how the score is computed. The full response is documented in /methodology/decryption-blast-radius.

Code examples

Same call in your stack of choice:

# Just the grade
curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq -r '.grade'

# Score + top finding titles, formatted
curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" \
  | jq '{ grade, score, top: .findings[0:3] | map(.title) }'

# Fail a CI step if score >= 7
SCORE=$(curl -s "https://www.cipherwake.io/api/scan?domain=$DOMAIN" | jq -r '.score')
awk -v s="$SCORE" 'BEGIN { exit !(s+0 >= 7) }' && exit 1

// Node 18+ (built-in fetch)
const resp = await fetch(`https://www.cipherwake.io/api/scan?domain=stripe.com`);
const report = await resp.json();
console.log(`${report.domain}: grade ${report.grade}, score ${report.score}`);
report.findings.forEach(f => console.log(`  [${f.severity}] ${f.title}`));

# Python 3.7+ (requests)
import requests
r = requests.get("https://www.cipherwake.io/api/scan", params={"domain": "stripe.com"})
report = r.json()
print(f"{report['domain']}: {report['grade']} ({report['score']}/10)")
for f in report["findings"][:5]:
    print(f"  [{f['severity']}] {f['title']}")

// Go 1.18+
resp, _ := http.Get("https://www.cipherwake.io/api/scan?domain=stripe.com")
defer resp.Body.Close()
var report struct {
    Domain string  `json:"domain"`
    Grade  string  `json:"grade"`
    Score  float64 `json:"score"`
}
json.NewDecoder(resp.Body).Decode(&report)
fmt.Printf("%s: %s (%.1f/10)\n", report.Domain, report.Grade, report.Score)

# Pre-built wrapper around the same API. Zero install.
npx pqcheck stripe.com                         # pretty terminal output
npx pqcheck stripe.com --format json           # raw JSON
npx pqcheck stripe.com --threshold 7           # exit 2 if score >= 7
npx pqcheck stripe.com --format sarif          # SARIF for GitHub Code Scanning
npx pqcheck deps stripe.com --lock             # scan all third-party dependencies
npx pqcheck history stripe.com                 # 90-day score history
npx pqcheck diff old.lock new.lock             # diff QXM lockfiles for regressions

# Source on npm: https://www.npmjs.com/package/pqcheck

Rate limits

• 300 requests per hour per IP — total scan volume cap, soft throttle for cost protection
• 20 force-refresh requests per hour per IP — ?force=1 bypasses the smart-cache so it's more expensive; lower cap here. Plenty for legitimate iterative work on your own domain
• No per-account quota — there is no account; nothing to upgrade for higher quota today
• Server-side smart cache — repeated scans of the same domain return cached results (1h SWR window, 24h CT log cache). Pass ?force=1 to bypass when testing your own changes
• If you hit the limit: we return HTTP 429 with a JSON {"error": "rate_limit_exceeded", "detail": "...", "need_more": {...}}. Back off and retry; or tell us via the feedback form if you need higher limits — we're prioritizing the API tier based on real demand signals

Versioning + stability

• We don't break API contracts. New fields are added; old fields are preserved. If we ever need a breaking change, it ships at /api/v2/scan with a deprecation timeline for v1
• The CLI, extension, Action, and Slack bot all consume v1. We dogfood our own contract
• Schema changes are noted in the CLI changelog (the closest thing we have to formal changelog right now)

Authentication + privacy

• No API key. No signup. Anonymous use is the default and only path right now
• What we log: domain scanned, IP (for rate limiting), user-agent, optional ?source= query param. We do not log query strings beyond domain and source, and we don't track individual users across scans
• Cache stores scan results keyed by domain for 5 minutes. No per-IP scan history is retained server-side beyond aggregate analytics
• Privacy policy: /privacy

API key security

API keys (CIPHERWAKE_API_KEY=qpk_<hex>) authenticate paid-tier usage and bind it to your account's monthly quota. Treat them like passwords.

• Never embed in browser-served code. Keys in client-side JS / browser-bundled JS / public single-page apps are world-readable; an attacker can drain your monthly quota in seconds. Use the key only from server-side code, CI runners, and the CLI on a developer machine.
• Never commit to a public repo. Pass via environment variable (secrets.CIPHERWAKE_API_KEY in GitHub Actions; .env.local ignored in .gitignore for local dev). GitHub scans pushes for known secret prefixes and will alert you on accidental commit, but don't rely on that.
• Rotate via /account. Sign in → API keys section → Rotate. The new key displays once; copy it immediately. The old key continues working for ~60s after rotation to let in-flight requests complete, then 401s. There is no way to recover a key after rotation — rotate again if you lose it.
• Scope. One key per account. There is no per-key scoping or per-key rate limit — every request from the key counts toward the account's monthly quota. If you suspect compromise, rotate immediately + check the use_count displayed in /account for unexpected growth.
• Detection. The last_used_at and use_count fields are visible in /account → API keys. A jump in use_count with no corresponding work from your team is the classic compromise signal.
• No browser-extension use. Cipherwake's own browser extension does not use account-bound API keys — it relies on per-IP anonymous rate limits. Don't try to embed an API key in a downstream browser extension; the model assumes server-side use.

If a key was exposed publicly (e.g., committed and pushed), rotate immediately and email security@cipherwake.io with the exposure window. We can audit usage to see whether the key was abused before you rotated.

Webhook security

Alert webhooks deliver a signed JSON POST to a URL you configure in /account. Every delivery is signed so you can verify the request actually came from Cipherwake before acting on it.

Request shape

POST <your-webhook-url> HTTP/1.1
Host: your-server.example.com
User-Agent: cipherwake-webhook/1.0
Content-Type: application/json
X-Cipherwake-Signature: sha256=<hex-hmac>
X-Cipherwake-Event-Id: <alert-uuid>
X-Cipherwake-Delivery: <attempt-number>

{
  "alertId": "...",
  "domain": "example.com",
  "severity": "high",
  ...
}

Verifying the signature

Each delivery includes an X-Cipherwake-Signature: sha256=<hex> header. The hex value is HMAC-SHA256 of the raw request body using a secret you specify when configuring the webhook. Always verify the signature before acting on the payload — without verification, anyone who guesses your URL could send fake alerts.

Reference verification (Node.js):

import { createHmac, timingSafeEqual } from "node:crypto";

function verifyCipherwakeSignature(rawBody, signatureHeader, secret) {
  if (!signatureHeader?.startsWith("sha256=")) return false;
  const provided = Buffer.from(signatureHeader.slice(7), "hex");
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  if (provided.length !== expected.length) return false;
  return timingSafeEqual(provided, expected);
}

// In your webhook handler — verify on the RAW body before JSON.parse:
const sig = req.headers["x-cipherwake-signature"];
const rawBody = await readRawBody(req); // your framework's raw-body utility
if (!verifyCipherwakeSignature(rawBody, sig, process.env.CIPHERWAKE_WEBHOOK_SECRET)) {
  return res.status(401).json({ error: "invalid signature" });
}
const payload = JSON.parse(rawBody.toString("utf8"));

Replay protection + retry behavior

• Event ID is unique per alert. The X-Cipherwake-Event-Id header carries a UUID that's stable for the alert. If your handler sees the same event ID twice, it's a retry — handle idempotently (cache last-seen IDs for ~24h).
• Delivery counter. X-Cipherwake-Delivery increments on each retry attempt for the same event. First delivery is 1.
• Retries. If your endpoint returns a non-2xx response or times out (5s), we retry with exponential backoff: ~30s, ~5min, ~30min, ~6h, then drop. Failed deliveries are logged for 90 days at /account → Alerts.
• Body size. Capped at ~16 KB per delivery. Larger payloads are truncated with a notice.
• SSRF safety on our side. Webhook URLs are validated to be HTTPS, public IPs only (RFC1918, link-local, loopback all rejected). The hostname is resolved once at delivery time and we connect directly to that IP to prevent DNS-rebinding mid-request.

Choosing a secret

Generate a strong random secret (32+ bytes / 256+ bits) and configure it in /account → Alerts → Webhook URL. Never reuse a secret across multiple integrations. If your secret is exposed (e.g., copy-pasted into a chat), rotate it in /account — old signatures stop verifying immediately.

What this API does NOT do

• It does not scan internal infrastructure. Public surface only — same posture a remote attacker can observe. Internal Blast Radius is typically 12-40× the public score (methodology)
• It does not store credentials, send mail, or modify anything. Read-only by design
• It does not gate on payment for Tier 1 features. The single-domain scan endpoint is free forever per our pricing discipline

Pre-built clients

Don't want to call the API directly? We ship four clients that wrap it. All free, all open about what they do.

CLI — npx pqcheck

Zero-install command-line scanner. Same API + nicer output + lockfile / diff / SARIF / cert-analysis subcommands.

• npx pqcheck <domain> — single scan, pretty output
• npx pqcheck deps <domain> — supply-chain HNDL: scan all third-party origins on the page
• npx pqcheck lock <domain> — generate cipherwake.lock (QXM committable manifest)
• npx pqcheck diff old.lock new.lock — diff two QXM lockfiles, exit 2 on regression
• npx pqcheck history <domain> — 90-day score history with sparkline
• npx pqcheck cert <file.pem> — analyze a local PEM/CRT cert offline
• npx pqcheck --file domains.txt — bulk scan from a list
• Output formats: --format json / markdown / csv / sarif / --gh-action
• CI gates: --threshold 7 (exit 2), pqcheck deps --allowlist file (exit 3 on violation)

Source: github.com/cipherwake-io/pqcheck · npm: pqcheck · full reference: npx pqcheck --help

Browser extension

Live HNDL grade for every HTTPS site you visit + supply-chain change detection. Color-coded toolbar badge updates per tab; click for the full report.

• Toolbar badge — A/B/C/D/F letter colored by grade, refreshes automatically as you browse
• Score tab — HNDL grade + components, cert hygiene + key persistence, security headers + email auth, HNDL impact line, score-breakdown explainer
• Supply chain tab — third-party scripts loaded on the active page with NEW-since-last-visit detection (Polyfill.io-style supply-chain compromise flag), SRI integrity status per script, HNDL grade per vendor. The killer feature: Cipherwake remembers each site's third-party script list, and red-flags any script that wasn't there last time you visited.
• Recent scans strip — last 10 scanned domains as clickable chips, persists across browser restarts
• Right-click "Scan with Cipherwake" — context menu on any link, page, or selected URL

Install from Chrome Web Store → Firefox AMO + Edge Add-ons coming next.

GitHub Action

Drop into any workflow to gate PRs on quantum-decryption risk regressions.

# .github/workflows/pqcheck.yml
- uses: cipherwake-io/pqcheck/action@main
  with:
    domain: mycompany.com
    threshold: '7'          # exit 2 if score >= 7
    comment-on-pr: 'true'   # sticky PR comment with summary
    generate-sarif: 'true'  # write SARIF for upload to Code Scanning
    generate-lockfile: 'true' # write cipherwake.lock for diffing

# Optional follow-on step — surface findings in GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: pqcheck-results.sarif

Source: github.com/cipherwake-io/pqcheck/tree/main/action

Built with the API?

If you ship something that uses our API — internal dashboard, Grafana panel, Datadog integration, vendor-risk pipeline, anything — we'd love to know. hello@cipherwake.io.