API Reference
Complete API documentation for 4Quays runtime and management APIs
4Quays provides two distinct APIs:
- Runtime API — Used by applications for cryptographic operations (/protect, /unprotect)
- Management API — Used by administrators for platform configuration
Base URLs
| Environment | Base URL |
|---|---|
| Production | https://api.4quays.com |
| Staging | https://staging-api.4quays.com |
Authentication
All API requests require authentication via API key:
Authorization: Bearer sk_live_xxxxxxxxxxxxx
API Key Types
| Prefix | Type | Use Case |
|---|---|---|
| sk_live_ | Production | Production runtime operations |
| sk_test_ | Test | Staging/test operations |
| sk_admin_ | Admin | Management API access |
Obtaining API Keys
- Navigate to API Keys in the dashboard
- Click Create API Key
- Select the key type
- Copy the key immediately — it's only shown once
Request Format
All requests use JSON:
POST /api/v1/protect HTTP/1.1
Host: api.4quays.com
Authorization: Bearer sk_live_xxxxxxxxxxxxx
Content-Type: application/json

{
  "payload": { ... },
  "policyNumber": "BANK-TRANSFER-001"
}
Response Format
All responses are JSON:
{
  "requestId": "req_abc123",
  "result": { ... },
  "timestamp": "2026-02-09T10:30:00.000Z"
}
Error Responses
{
  "error": {
    "code": "POLICY_NOT_FOUND",
    "message": "Policy 'INVALID-POLICY' does not exist"
  },
  "requestId": "req_abc123"
}
Rate Limits
| Tier | Requests/Second | Burst |
|---|---|---|
| Standard | 100 | 200 |
| Professional | 500 | 1000 |
| Enterprise | Custom | Custom |
Rate limit headers are included in responses:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1707473460
Runtime API Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/protect | POST | Protect a payload |
| /api/v1/unprotect | POST | Unprotect a payload |
| /api/v1/operations | POST | Generic operation endpoint |
| /api/v1/health | GET | Health check |
Management API Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /admin/services | GET, POST | List and create services |
| /admin/services/{id} | GET, PUT, DELETE | Manage a service |
| /admin/policies | GET, POST | List and create policies |
| /admin/policies/{id} | GET, PUT, DELETE | Manage a policy |
| /admin/keys | GET, POST | List and import keys |
| /admin/keys/{id} | GET, PUT, DELETE | Manage a key |
/admin/audit | GET | Query audit logs |
SDK vs Direct API
While you can call the API directly, the SDK provides:
- Automatic retries with exponential backoff
- Request/response type safety
- Passthrough mode for development
- Connection pooling
- Error handling utilities
// SDK (recommended)
const result = await fourq.protect(payload, 'POLICY-123');

// Direct API
const response = await fetch('https://api.4quays.com/api/v1/protect', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    payload,
    policyNumber: 'POLICY-123',
  }),
});
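When calling the API directly, the key-type table and error format above can be enforced in the client before any key leaves the process. The following is an added example, not 4Quays code: the helper names (`requiredKeyType`, `keyType`, `authHeaders`, `interpret`) are hypothetical, and it assumes that `/admin/` paths require an `sk_admin_` key on either host and that `X-RateLimit-Reset` is a Unix timestamp in seconds.

```javascript
// Added example. Prefixes and hosts mirror the tables on this page.
const KEY_TYPES = { sk_live_: 'production', sk_test_: 'test', sk_admin_: 'admin' };
const HOSTS = new Map([['api.4quays.com', 'production'], ['staging-api.4quays.com', 'test']]);

// Which key type a URL needs. Assumption: /admin/ paths need an admin key on either host.
function requiredKeyType(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') throw new Error('refusing to send a key over non-HTTPS');
  const env = HOSTS.get(u.hostname); // exact match, so look-alike hosts are rejected
  if (!env) throw new Error(`unknown host: ${u.hostname}`);
  if (u.pathname.startsWith('/admin/')) return 'admin';
  if (u.pathname.startsWith('/api/v1/')) return env;
  throw new Error(`unknown path: ${u.pathname}`);
}

// Classify a key by prefix only; the key itself never appears in an error message.
function keyType(apiKey) {
  const prefix = Object.keys(KEY_TYPES).find((p) => String(apiKey).startsWith(p));
  if (!prefix) throw new Error('unrecognised API key prefix');
  return KEY_TYPES[prefix];
}

// Build request headers, refusing e.g. a live key on staging or an admin key on /protect.
function authHeaders(apiKey, url) {
  const need = requiredKeyType(url);
  const have = keyType(apiKey);
  if (need !== have) throw new Error(`${have} key used where ${need} key is required`);
  return { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' };
}

// Turn a parsed response into a result, or a typed error that keeps requestId for correlation.
// Assumption: header names arrive lower-cased and X-RateLimit-Reset is Unix seconds.
function interpret(headers, body) {
  if (body.error) {
    const err = new Error(`${body.error.code}: ${body.error.message}`);
    err.code = body.error.code;
    err.requestId = body.requestId;
    throw err;
  }
  const rate = {
    remaining: Number(headers['x-ratelimit-remaining']),
    resetAt: new Date(Number(headers['x-ratelimit-reset']) * 1000),
  };
  return { requestId: body.requestId, result: body.result, rate };
}
```
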
Versioning
The API uses URL versioning:
- Current version: v1
- Format: /api/v1/endpoint
Breaking changes result in new versions. Old versions are supported for at least 12 months after deprecation.
In This Section
- POST /protect — Protect payloads
- POST /unprotect — Unprotect payloads
- POST /operations — Generic operations
- Error Codes — Error handling