Build with the Decryption Blast Radius API

The same API that powers npx pqcheck, the browser extension, and the GitHub Action. Free, no signup, no API key. Default 600 requests/hour per IP; 2000/hour for our own first-party UAs (pqcheck-cli, cipherwake-mcp, pqcheck-action, cipherwake-extension) so AI-coder workflows on shared-IP hosts don't hit the wall.

# Quick scan
curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq '.grade, .score'

# Or use the CLI wrapper (also free, also no signup)
npx pqcheck stripe.com

Endpoint reference

All endpoints live under https://www.cipherwake.io. Responses are JSON unless noted. CORS-enabled (Access-Control-Allow-Origin: *) so you can call directly from browser code.

Anatomy of /api/scan

The main endpoint. Pass a domain, get a complete report.

Request

GET /api/scan?domain=stripe.com&source=my-tool

Optional query params:
  domain      required — public HTTPS domain (apex; we strip leading "www.")
  source      optional — for analytics attribution. Examples: ext, my-tool
  force       optional — pass "1" to bypass our 5-min server-side cache (debug)

Response (abbreviated)

{
  "domain": "stripe.com",
  "score": 5.5,
  "grade": "C",
  "scoreLabel": "MEDIUM",
  "reachable": true,
  "impact": {
    "headline": "If quantum decryption arrives in 2030-2040, harvested traffic...",
    "topContributors": [...]
  },
  "findings": [
    { "title": "RSA fallback enabled", "severity": "high", "detail": "..." },
    { "title": "HSTS preload increases key persistence", "severity": "medium", "detail": "..." }
  ],
  "components": {
    "keyExchange":   { "raw": 7, "weight": 0.35, "contribution": 2.45, "rationale": "..." },
    "certLifetime":  { "raw": 5, "weight": 0.25, "contribution": 1.25, "rationale": "..." },
    "keyPersistence":{ "raw": 7, "weight": 0.15, "contribution": 1.05, "rationale": "..." },
    "subdomainScale":{ "raw": 3, "weight": 0.25, "contribution": 0.75, "rationale": "..." }
  },
  "publicSurface": {
    "tlsVersion": "TLSv1.3",
    "hybridPQC": false,
    "daysUntilCertExpiry": 54,
    "wildcardCert": false,
    /* ... full TLS + cert + headers + email-security details ... */
  }
}

See methodology for what each component measures and how the score is computed. The full response is documented in /methodology/decryption-blast-radius.

Code examples

Same call in your stack of choice:

# Just the grade
curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" | jq -r '.grade'

# Score + top finding titles, formatted
curl -s "https://www.cipherwake.io/api/scan?domain=stripe.com" \
  | jq '{ grade, score, top: .findings[0:3] | map(.title) }'

# Fail a CI step if score >= 7
SCORE=$(curl -s "https://www.cipherwake.io/api/scan?domain=$DOMAIN" | jq -r '.score')
awk -v s="$SCORE" 'BEGIN { exit !(s+0 >= 7) }' && exit 1

// Node 18+ (built-in fetch)
const resp = await fetch(`https://www.cipherwake.io/api/scan?domain=stripe.com`);
const report = await resp.json();
console.log(`${report.domain}: grade ${report.grade}, score ${report.score}`);
report.findings.forEach(f => console.log(`  [${f.severity}] ${f.title}`));

# Python 3.7+ (requests)
import requests
r = requests.get("https://www.cipherwake.io/api/scan", params={"domain": "stripe.com"})
report = r.json()
print(f"{report['domain']}: {report['grade']} ({report['score']}/10)")
for f in report["findings"][:5]:
    print(f"  [{f['severity']}] {f['title']}")

// Go 1.18+
resp, _ := http.Get("https://www.cipherwake.io/api/scan?domain=stripe.com")
defer resp.Body.Close()
var report struct {
    Domain string  `json:"domain"`
    Grade  string  `json:"grade"`
    Score  float64 `json:"score"`
}
json.NewDecoder(resp.Body).Decode(&report)
fmt.Printf("%s: %s (%.1f/10)\n", report.Domain, report.Grade, report.Score)

# Pre-built wrapper around the same API. Zero install.
npx pqcheck stripe.com                         # pretty terminal output
npx pqcheck stripe.com --format json           # raw JSON
npx pqcheck stripe.com --threshold 7           # exit 2 if score >= 7
npx pqcheck stripe.com --format sarif          # SARIF for GitHub Code Scanning
npx pqcheck deps stripe.com --lock             # scan all third-party dependencies
npx pqcheck history stripe.com                 # 90-day score history
npx pqcheck diff old.lock new.lock             # diff QXM lockfiles for regressions

# Source on npm: https://www.npmjs.com/package/pqcheck

Rate limits

• 600 requests per hour per IP (default) (≈30/minute averaged via the burst layer) — for arbitrary web traffic. Authenticated paths (GitHub Actions OIDC, API key) bypass the per-IP cap with their own per-repo / per-account monthly quotas — no per-IP friction for CI
• 2000 requests per hour per IP (first-party UAs) (≈100/minute via the burst layer) — when the User-Agent matches pqcheck-cli, cipherwake-mcp, pqcheck-action, or cipherwake-extension. We know the workload shape of our own clients (bounded, cache-heavy) so we grant a generous tier without signup. Raised 2026-06-02 to keep the "no signup" promise honest for AI-coder workflows running on shared-IP egress (Claude.ai / Anthropic-hosted / Vercel / Codespaces all NAT through a small IP pool that collectively burns per-IP budget)
• 20 force-refresh requests per hour per IP — ?force=1 bypasses the smart-cache so it's more expensive; lower cap here. Plenty for legitimate iterative work on your own domain
• No per-account quota — there is no account; nothing to upgrade for higher quota today
• Server-side smart cache — repeated scans of the same domain return cached results (1h SWR window, 24h CT log cache). Pass ?force=1 to bypass when testing your own changes
• If you hit the limit: we return HTTP 429 with a JSON {"error": "rate_limit_exceeded", "detail": "...", "need_more": {...}}. Back off and retry; or tell us via the feedback form if you need higher limits — we're prioritizing the API tier based on real demand signals

Versioning + stability

• We don't break API contracts. New fields are added; old fields are preserved. If we ever need a breaking change, it ships at /api/v2/scan with a deprecation timeline for v1
• The CLI, browser extension, and GitHub Action all consume v1. We dogfood our own contract
• Schema changes are noted in the CLI changelog (the closest thing we have to formal changelog right now)

Authentication + privacy

• No API key. No signup. Anonymous use is the default and only path right now
• What we log: domain scanned, IP (for rate limiting), user-agent, optional ?source= query param. We do not log query strings beyond domain and source, and we don't track individual users across scans
• Cache stores scan results keyed by domain for 5 minutes. No per-IP scan history is retained server-side beyond aggregate analytics
• Privacy policy: /privacy

API key security

API keys (CIPHERWAKE_API_KEY=qpk_<hex>) authenticate paid-tier usage and bind it to your account's monthly quota. Treat them like passwords.

• Never embed in browser-served code. Keys in client-side JS / browser-bundled JS / public single-page apps are world-readable; an attacker can drain your monthly quota in seconds. Use the key only from server-side code, CI runners, and the CLI on a developer machine.
• Never commit to a public repo. Pass via environment variable (secrets.CIPHERWAKE_API_KEY in GitHub Actions; .env.local ignored in .gitignore for local dev). GitHub scans pushes for known secret prefixes and will alert you on accidental commit, but don't rely on that.
• Rotate via /account. Sign in → API keys section → Rotate. The new key displays once; copy it immediately. The old key continues working for ~60s after rotation to let in-flight requests complete, then 401s. There is no way to recover a key after rotation — rotate again if you lose it.
• Scope. One key per account. There is no per-key scoping or per-key rate limit — every request from the key counts toward the account's monthly quota. If you suspect compromise, rotate immediately + check the use_count displayed in /account for unexpected growth.
• Detection. The last_used_at and use_count fields are visible in /account → API keys. A jump in use_count with no corresponding work from your team is the classic compromise signal.
• No browser-extension use. Cipherwake's own browser extension does not use account-bound API keys — it relies on per-IP anonymous rate limits. Don't try to embed an API key in a downstream browser extension; the model assumes server-side use.

If a key was exposed publicly (e.g., committed and pushed), rotate immediately and use the feedback form with the exposure window. We can audit usage to see whether the key was abused before you rotated.

Webhook security

Alert webhooks deliver a signed JSON POST to a URL you configure in /account. Every delivery is signed so you can verify the request actually came from Cipherwake before acting on it.

Request shape

POST <your-webhook-url> HTTP/1.1
Host: your-server.example.com
User-Agent: cipherwake-webhook/1.0
Content-Type: application/json
X-Cipherwake-Signature: sha256=<hex-hmac>
X-Cipherwake-Event-Id: <alert-uuid>
X-Cipherwake-Delivery: <attempt-number>

{
  "alertId": "...",
  "domain": "example.com",
  "severity": "high",
  ...
}

Verifying the signature

Each delivery includes an X-Cipherwake-Signature: sha256=<hex> header. The hex value is HMAC-SHA256 of the raw request body using a secret you specify when configuring the webhook. Always verify the signature before acting on the payload — without verification, anyone who guesses your URL could send fake alerts.

Reference verification (Node.js):

import { createHmac, timingSafeEqual } from "node:crypto";

function verifyCipherwakeSignature(rawBody, signatureHeader, secret) {
  if (!signatureHeader?.startsWith("sha256=")) return false;
  const provided = Buffer.from(signatureHeader.slice(7), "hex");
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  if (provided.length !== expected.length) return false;
  return timingSafeEqual(provided, expected);
}

// In your webhook handler — verify on the RAW body before JSON.parse:
const sig = req.headers["x-cipherwake-signature"];
const rawBody = await readRawBody(req); // your framework's raw-body utility
if (!verifyCipherwakeSignature(rawBody, sig, process.env.CIPHERWAKE_WEBHOOK_SECRET)) {
  return res.status(401).json({ error: "invalid signature" });
}
const payload = JSON.parse(rawBody.toString("utf8"));

Replay protection + retry behavior

• Event ID is unique per alert. The X-Cipherwake-Event-Id header carries a UUID that's stable for the alert. If your handler sees the same event ID twice, it's a retry — handle idempotently (cache last-seen IDs for ~24h).
• Delivery counter. X-Cipherwake-Delivery increments on each retry attempt for the same event. First delivery is 1.
• Retries. If your endpoint returns a non-2xx response or times out (5s), we retry with exponential backoff: ~30s, ~5min, ~30min, ~6h, then drop. Failed deliveries are logged for 90 days at /account → Alerts.
• Body size. Capped at ~16 KB per delivery. Larger payloads are truncated with a notice.
• SSRF safety on our side. Webhook URLs are validated to be HTTPS, public IPs only (RFC1918, link-local, loopback all rejected). The hostname is resolved once at delivery time and we connect directly to that IP to prevent DNS-rebinding mid-request.

Choosing a secret

Generate a strong random secret (32+ bytes / 256+ bits) and configure it in /account → Alerts → Webhook URL. Never reuse a secret across multiple integrations. If your secret is exposed (e.g., copy-pasted into a chat), rotate it in /account — old signatures stop verifying immediately.

What this API does NOT do

• It does not scan internal infrastructure. Public surface only — same posture a remote attacker can observe. Internal Blast Radius is typically 12-40× the public score (methodology)
• It does not store credentials, send mail, or modify anything. Read-only by design
• It does not gate on payment for Tier 1 features. The single-domain scan endpoint is free forever per our pricing discipline

Pre-built clients

Don't want to call the API directly? We ship four clients that wrap it. All free, all open about what they do.

CLI — npx pqcheck

Zero-install command-line scanner. Same API + nicer output + lockfile / diff / SARIF / cert-analysis subcommands.

• npx pqcheck <domain> — single scan, pretty output
• npx pqcheck deps <domain> — supply-chain HNDL: scan all third-party origins on the page
• npx pqcheck lock <domain> — generate cipherwake.lock (QXM committable manifest)
• npx pqcheck diff old.lock new.lock — diff two QXM lockfiles, exit 2 on regression
• npx pqcheck history <domain> — 90-day score history with sparkline
• npx pqcheck cert <file.pem> — analyze a local PEM/CRT cert offline
• npx pqcheck --file domains.txt — bulk scan from a list
• Output formats: --format json / markdown / csv / sarif / --gh-action
• CI gates: --threshold 7 (exit 2), pqcheck deps --allowlist file (exit 3 on violation)
• Deploy gate: npx pqcheck deploy-check <domain> --ai / npx pqcheck guard --domain <domain> -- <deploy-cmd> — AI-mode exit contract 0 pass · 1 review · 2 block · 3 error/no-signal (a failure of the check itself is never treated as a security block). Protocol →
• npx pqcheck last [domain] — reuse a recent gate verdict (local state or your GitHub Actions run) instead of re-scanning

Source: github.com/cipherwakelabs/pqcheck · npm: pqcheck · full reference: npx pqcheck --help

Browser extension

Live HNDL grade for every HTTPS site you visit + supply-chain change detection. Color-coded toolbar badge updates per tab; click for the full report.

• Toolbar badge — A/B/C/D/F letter colored by grade, refreshes automatically as you browse
• Score tab — HNDL grade + components, cert hygiene + key persistence, security headers + email auth, HNDL impact line, score-breakdown explainer
• Supply chain tab — third-party scripts loaded on the active page with NEW-since-last-visit detection (Polyfill.io-style supply-chain compromise flag), SRI integrity status per script, HNDL grade per vendor. The killer feature: Cipherwake remembers each site's third-party script list, and red-flags any script that wasn't there last time you visited.
• Recent scans strip — last 10 scanned domains as clickable chips, persists across browser restarts
• Right-click "Scan with Cipherwake" — context menu on any link, page, or selected URL

Install from Chrome Web Store → Firefox AMO + Edge Add-ons coming next.

GitHub Action

Drop into any workflow to gate PRs on quantum-decryption risk regressions.

# .github/workflows/pqcheck.yml
- uses: cipherwakelabs/pqcheck/action@main
  with:
    domain: mycompany.com
    threshold: '7'          # exit 2 if score >= 7
    comment-on-pr: 'true'   # sticky PR comment with summary
    generate-sarif: 'true'  # write SARIF for upload to Code Scanning
    generate-lockfile: 'true' # write cipherwake.lock for diffing

# Optional follow-on step — surface findings in GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: pqcheck-results.sarif

Source: github.com/cipherwakelabs/pqcheck/tree/main/action

Built with the API?

If you ship something that uses our API — internal dashboard, Grafana panel, Datadog integration, vendor-risk pipeline, anything — we'd love to know. hello@cipherwake.io.