No DevOps · No sales call · Production in 5 minutes

Sign anything.
Quantum-resistant.

Post-quantum signing as a service. No infrastructure to manage, no sales call, no contract. Get an API key, call /sign — your tokens are protected by ML-DSA-65 (NIST FIPS 204) in minutes.

Start for free → npm install pqauth-sdk

$ npm install pqauth-sdk

Use cases

Not just auth.
Sign anything.

The only required field is sub — any string identifying the entity you want to sign. Everything else is up to you.

👤

User sessions

Sign login tokens with quantum-resistant signatures. Verify on every request without a database round-trip.

sub: "user_123"

🧾

Orders & payments

Sign payment intents and order confirmations. Prove a transaction was authorized at a specific moment — tamper-proof.

sub: "order_456"

📄

Documents

Certify contracts, reports, and audit trails with a cryptographic signature that survives quantum computing.

sub: "doc_789"

📡

IoT & devices

Authenticate firmware updates and device telemetry. Each message signed and verifiable without shared secrets.

sub: "device_iot_001"

🔗

API access tokens

Issue scoped, expiring tokens for your own API. Revoke instantly — future verify calls reject them even if the signature is valid.

sub: "api_client_xyz"

🏛️

Compliance & audit

Prove data integrity for regulatory audits. NIST FIPS 204 compliance out of the box — no cryptography expertise required.

sub: "audit_event_001"

The problem

Classical signatures
have an expiry date

Every signature made with ECDSA or RSA today can be forged by a quantum computer running Shor's algorithm. The NIST already published the replacements in 2024.

⚠️

ECDSA & RSA are broken

JWT (RS256/ES256), OAuth tokens, TLS certificates — all rely on algorithms that Shor's algorithm can break efficiently on a sufficiently powerful quantum computer.

VULNERABLE

🎯

Harvest now, decrypt later

Nation-state actors are already recording signed traffic today to forge or decrypt it once quantum computers are available. Your signatures are at risk right now.

ACTIVE THREAT

📅

Migration takes years

Cryptographically relevant quantum computers are 10–20 years away — but migrating production systems takes years. The NIST finalized post-quantum standards in August 2024.

ACT NOW

The solution

One API. Any entity.
Quantum-resistant.

Create an account, get an API key, call /sign. That's it. ML-DSA-65 handles the cryptography.

BEFORE — Classical, quantum-vulnerable

sign.js ECDSA / RS256

// Classical JWT — vulnerable to Shor's algorithm
import jwt from 'jsonwebtoken'

const token = jwt.sign(
  { sub: user.id, role: 'admin' },
  SECRET_KEY,
  { algorithm: 'RS256' } // ← breakable by quantum
)

const payload = jwt.verify(token, PUBLIC_KEY)

AFTER — ML-DSA-65, quantum-resistant

sign.js ML-DSA-65

// PQSign — ML-DSA-65, NIST FIPS 204
import { PQAuth } from 'pqauth-sdk'

const pq = new PQAuth('pqa_your_api_key')

// Sign any entity — user, order, document, device
const { token } = await pq.sign({
  sub: order.id, amount: 299.99, currency: 'USD'
})

const { valid, payload } = await pq.verify(token)

SIGN ANYTHING — sub is the only required field

examples.js

const pq = new PQAuth('pqa_your_api_key')

// User session
const { token } = await pq.sign({ sub: 'user_123', role: 'admin', expiresInSeconds: 3600 })

// Payment intent
const { token } = await pq.sign({ sub: 'order_456', amount: 1500.00, currency: 'USD' })

// Document certification
const { token } = await pq.sign({ sub: 'doc_789', hash: 'sha256:abc...', signedBy: 'alice' })

// Verify — never throws, returns { valid, payload } or { valid: false, error }
const { valid, payload } = await pq.verify(token)

// Revoke instantly — future verify() calls reject it even if signature is valid
await pq.revoke(token, 'order cancelled')

Get started

Up and running
in 5 minutes

Create your account

Sign up with your email. Verify the OTP. No credit card, no sales call, no contract. 10,000 free tokens per month — immediately.

pqauth-dashboard.pages.dev

Install the SDK

One command for JS/TS — works in Node.js, Deno, Cloudflare Workers, and the browser. Integrating from Python, Go, or any other language? Use the REST API directly — same operations, any HTTP client.

npm install pqauth-sdk

Sign anything

Pass any object with a sub field. Get back a quantum-resistant signed token. No infrastructure to run, no keys to manage — we handle the cryptography.

pq.sign({ sub: entityId })

Why FIPSign

Simple API.
No infrastructure needed.

Other post-quantum solutions require servers, DevOps, and a sales call to get started. FIPSign works in 5 minutes.

Start free.
Pay as you grow.

Every account gets 10,000 free tokens per month. When you need more, buy token packs — they never expire and accumulate across purchases.

FREE TIER — no credit card required

$0 / month

Get started today. 10,000 tokens reset on the 1st of each month.
Each sign, verify, or revoke operation costs 1 token.

10,000 tokens / month — free, always
ML-DSA-65 signing & verification
Token revocation
Multiple projects
API keys per project
Offline verification (~1ms, no API call)
Usage dashboard & 6-month history
Webhook notifications
npm SDK — Node.js, Deno, browser
Express / Fastify middleware

Get started free →

Token packs for higher volume — coming soon

Sign anything. Quantum-resistant.

Not just auth.Sign anything.

Classical signatureshave an expiry date

One API. Any entity.Quantum-resistant.

Up and runningin 5 minutes

Simple API.No infrastructure needed.

Start free.Pay as you grow.

Post-quantum signing.No sales call required.