00 Prerequisites
What you need before starting.
Requirements
| Requirement | Details |
| Account | Register at proxy.fipsign.dev — no credit card required for the 7-day trial |
| A domain you control | You need to be able to update the DNS A record for the domain you want to protect |
| A backend | Any HTTP or HTTPS server — cloud, on-premise, or serverless. Must be reachable from the internet. |
| API key | Available in the dashboard under Settings. Format: pqp_live_... |
Note: The trial includes 1 domain. Add wallet credit to protect additional domains at $1.68/day each.
01 Add your domain
Configure your domain and backend in the PQ-Proxy dashboard.
Dashboard → Domains → + Add Domain
| Field | Value | Notes |
| Public domain | api.yourcompany.com | The domain your clients connect to. Must have an A record pointing to PQ-Proxy. |
| Backend host | backend.yourcompany.com | Where PQ-Proxy forwards traffic after terminating TLS. Can be any hostname or IP. |
| Backend port | 443 | Use 443 for HTTPS backends, 80 for HTTP. Default: 443. |
| Backend TLS | ✓ enabled | Enable if your backend serves HTTPS. Disable for plain HTTP backends. |
Note: PQ-Proxy automatically requests a Let's Encrypt certificate for your domain after you add it. The certificate is provisioned within seconds on the first connection — you may see a slightly longer TLS handshake on the first request while the certificate is being obtained.
02 DNS setup
Point your domain's A record to PQ-Proxy's IP address.
Add or update the A record
# In your DNS provider (Cloudflare, Route53, etc.)
Type: A
Name: api # or @ for the root domain
Value: 137.66.56.190
TTL: 3600
Important: If your domain is on Cloudflare, set the proxy status to DNS only (gray cloud). The orange proxy would terminate TLS at Cloudflare before it reaches PQ-Proxy — disabling the post-quantum handshake.
Verify DNS propagation
# Check that the A record resolves correctly
dig api.yourcompany.com A +short
# Should return: 137.66.56.190
03 Verify the connection
Confirm that post-quantum TLS is active on your domain.
Test with curl
curl -sv https://api.yourcompany.com 2>&1 | grep -i "ssl\|tls\|handshake\|x25519"
Expected output
* SSL connection using TLSv1.3 / X25519MLKEM768
* Server certificate:
* subject: CN=api.yourcompany.com
* issuer: C=US, O=Let's Encrypt, CN=R11
X25519MLKEM768 in the SSL connection line confirms that post-quantum key exchange is active on the client-to-proxy connection. Your backend is now protected.
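The check above can be scripted. This is an added example, not part of the PQ-Proxy documentation: a shell function that reads full `curl -sv` output and reports whether curl reached the PQ-Proxy address from the DNS step and negotiated X25519MLKEM768, or fell back to a classical group. The function name, result words and sample lines (including the documentation address 203.0.113.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `curl -sv` output for a PQ-Proxy domain.
# Usage: curl -sv https://api.yourcompany.com -o /dev/null 2>&1 | pq_check

PQ_PROXY_IP="137.66.56.190"   # A-record value from the DNS setup step

# Reads curl verbose output on stdin and prints one result word.
# Exit status is 0 only when the post-quantum handshake is confirmed.
pq_check() {
    out=$(cat)
    # Address curl actually connected to (catches stale DNS or a CDN in front).
    ip=$(printf '%s\n' "$out" |
         sed -n 's/^\* Connected to [^ ]* (\([^)]*\)) port.*/\1/p' | head -n 1)
    # Negotiated parameters, upper-cased so x25519 and X25519 compare equal.
    line=$(printf '%s\n' "$out" | grep -i 'SSL connection using' |
           head -n 1 | tr 'a-z' 'A-Z')
    [ -n "$line" ] || { echo "no-handshake"; return 1; }
    [ "$ip" = "$PQ_PROXY_IP" ] || { echo "wrong-ip:${ip:-unknown}"; return 1; }
    case "$line" in
        *TLSV1.3*X25519MLKEM768*) echo "post-quantum"; return 0 ;;
        *X25519*|*SECP*|*PRIME256V1*|*P-256*|*P-384*)
            echo "classical-fallback"; return 1 ;;
        *)  echo "group-not-reported"; return 1 ;;  # this curl build omits the group
    esac
}

# Constructed sample outputs (not captured from a real server).
sample_pq() { printf '%s\n' \
    '* Connected to api.yourcompany.com (137.66.56.190) port 443' \
    '* SSL connection using TLSv1.3 / X25519MLKEM768'; }
sample_fallback() { printf '%s\n' \
    '* Connected to api.yourcompany.com (137.66.56.190) port 443' \
    '* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS'; }
sample_cdn() { printf '%s\n' \
    '* Connected to api.yourcompany.com (203.0.113.10) port 443' \
    '* SSL connection using TLSv1.3 / X25519MLKEM768'; }
sample_old_curl() { printf '%s\n' \
    '* Connected to api.yourcompany.com (137.66.56.190) port 443' \
    '* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'; }

for s in sample_pq sample_fallback sample_cdn sample_old_curl; do
    printf '%-16s %s\n' "$s" "$($s | pq_check)"
done
```

A `wrong-ip` result means the handshake was not made with PQ-Proxy at all, so the group on the SSL line says nothing about the proxy.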
Check the dashboard
In the dashboard, go to Health — your domain should show ● healthy once the first connection is made.
04 API authentication
All API endpoints require an API key passed in the X-Api-Key header.
Get your API key
Go to Dashboard → Settings. Your API key starts with pqp_live_.
Usage
# Pass the API key in every request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant \
-H "X-Api-Key: pqp_live_YOUR_KEY_HERE"
Note: API key endpoints are read-only — they allow monitoring and data export but not domain management. To create, edit, or delete domains, use the dashboard.
05 GET /tenant
Returns account information for the authenticated tenant.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": {
"email": "[email protected]",
"company_name": "Acme Corp", // null if not set
"plan": "trial", // "trial" | "active"
"subscription_status": "active", // "trial" | "active" | "grace" | "suspended"
"trial_ends_at": "2026-06-30T13:43:18Z", // null if not on trial
"created_at": "2026-06-23T13:43:18Z"
},
"error": null
}
06 GET /tenant/domains
Returns all domains configured for the authenticated tenant.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/domains \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": [
{
"id": "5206aaec-1368-495e-9fe2-c6b7acf5cd11",
"tenant_id": "16560e46-44bb-4388-afd0-e38e48b79ffc",
"domain": "api.yourcompany.com",
"backend_host": "backend.yourcompany.com",
"backend_port": 443,
"backend_tls": true,
"active": true,
"created_at": "2026-06-23T17:28:58Z"
}
],
"error": null
}
07 GET /tenant/domains/:domain_id/certificate
Returns certificate information for a specific domain. Use the domain id from /tenant/domains.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/domains/DOMAIN_ID/certificate \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": {
"domain": "api.yourcompany.com",
"cert_source": "acme", // "acme" | "byoc"
"expires_at": "2026-09-21T19:48:19Z"
},
"error": null
}
cert_source: acme means the certificate was issued automatically by Let's Encrypt. byoc means you uploaded your own certificate.
08 GET /tenant/billing
Returns wallet balance, daily cost, and subscription status.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/billing \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": {
"subscription_status": "active", // "trial" | "active" | "grace" | "suspended"
"balance_cents": 5000, // wallet balance in USD cents
"balance_usd": 50.0, // wallet balance in USD
"domains_active": 2, // number of active domains
"daily_cost_cents": 336, // $3.36/day for 2 domains
"daily_cost_usd": 3.36,
"total_consumed_cents": 28, // total spent since account creation
"total_consumed_usd": 0.28,
"trial_ends_at": "2026-06-30T13:43:18Z", // null if not on trial
"low_balance_warning": false // true if balance < 7 days of cost
},
"error": null
}
Tip: Poll low_balance_warning to trigger wallet top-ups before service is interrupted. The wallet is charged $0.07/hour per active domain.
09 GET /tenant/billing/transactions
Returns the transaction history for the wallet — top-ups and hourly consumption entries.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/billing/transactions \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": [
{
"id": "44f6fe83-5974-4631-9266-153341d8b9d2",
"type": "topup", // "topup" | "consumption"
"amount_cents": 5000, // positive = credit, negative = debit
"description": "Top-up: $50.00 USD",
"created_at": "2026-06-24T17:05:43Z"
},
{
"id": "a1b2c3d4-...",
"type": "consumption",
"amount_cents": -14, // -$0.14 for 2 domains × $0.07/hr
"description": "Hourly consumption: 2 domain(s)",
"created_at": "2026-06-27T12:00:00Z"
}
],
"error": null
}
10 GET /tenant/metrics
Returns connection metrics aggregated across all domains.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/metrics \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": {
"total_connections": 239,
"total_bytes_sent": 900455, // proxy → client, bytes
"total_bytes_received": 75098, // client → proxy, bytes
"connections_last_24h": 25,
"connections_last_7d": 239,
"avg_tls_handshake_ms": 494.3, // average X25519MLKEM768 handshake time
"avg_backend_connect_ms": 12.7, // average time to connect to your backend
"by_domain": [
{
"domain": "api.yourcompany.com",
"connections": 239,
"connections_last_24h": 25,
"connections_last_7d": 239,
"bytes_sent": 900455,
"bytes_received": 75098,
"avg_tls_handshake_ms": 494.3,
"avg_backend_connect_ms": 12.7
}
]
},
"error": null
}
avg_tls_handshake_ms: The X25519MLKEM768 handshake is heavier than classical TLS due to the ML-KEM-768 key encapsulation. With HTTP/2 and keep-alive, this cost is amortized across multiple requests on the same connection.
11 GET /tenant/connections
Returns paginated connection logs. Each entry represents one TLS connection to a protected domain.
Request
curl -s "https://proxy-api.fipsign.dev/api/v1/tenant/connections?page=1&per_page=20" \
-H "X-Api-Key: pqp_live_..."
Query parameters
| Parameter | Type | Default | Description |
| page | integer | 1 | Page number |
| per_page | integer | 20 | Results per page (max 100) |
Response
{
"success": true,
"data": [
{
"id": "e1d4f76b-efd6-4ad8-996d-9fa30e514ade",
"domain": "api.yourcompany.com",
"peer_addr": "181.47.8.234", // real client IP (PROXY Protocol)
"bytes_sent": 4096, // proxy → client
"bytes_received": 645, // client → proxy
"connected_at": "2026-06-27T09:58:49Z",
"duration_ms": 59, // total connection duration
"tls_handshake_ms": 373, // X25519MLKEM768 handshake time
"backend_connect_ms": 3 // time to connect to your backend
}
],
"error": null
}
12 GET /tenant/connections/export
Exports all connection logs as a CSV file. Useful for audit trails, compliance, and custom analysis.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/connections/export \
-H "X-Api-Key: pqp_live_..." \
-o connections.csv
CSV format
id,domain,peer_addr,bytes_sent,bytes_received,connected_at,duration_ms,tls_handshake_ms,backend_connect_ms
"e1d4f76b-...","api.yourcompany.com","181.47.8.234",4096,645,"2026-06-27T09:58:49Z",59,373,3
Note: The export includes all connection history. For large datasets, use the paginated /tenant/connections endpoint instead.
13 GET /tenant/health
Returns the current health status of all domains — whether the proxy can reach your backend.
Request
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/health \
-H "X-Api-Key: pqp_live_..."
Response
{
"success": true,
"data": [
{
"domain_id": "5206aaec-...",
"domain": "api.yourcompany.com",
"backend_host": "backend.yourcompany.com",
"backend_port": 443,
"backend_tls": true,
"status": "healthy", // "healthy" | "unhealthy" | "pending"
"latency_ms": 2, // backend response time in ms
"last_checked_at": "2026-06-27T11:57:40Z",
"last_error": null, // error message if unhealthy
"consecutive_failures": 0 // resets to 0 on recovery
}
],
"error": null
}
Health checks run every 60 seconds. If your backend goes down, PQ-Proxy sends an alert email and continues retrying. When the backend recovers, you receive a recovery email and consecutive_failures resets to 0.
14 BYOC — bring your own certificate
Upload your own TLS certificate instead of using the automatic Let's Encrypt certificate.
When to use BYOC
Use BYOC if you need a certificate from a specific CA, an EV (Extended Validation) certificate, or a wildcard certificate covering multiple subdomains.
Upload via dashboard
Go to Dashboard → Domains, click Upload custom cert on your domain, and paste your PEM-encoded certificate and private key.
Requirements
| Field | Format | Notes |
| Certificate | PEM | Full chain preferred — include intermediate certificates |
| Private key | PEM | RSA or ECDSA. The key must match the certificate. |
Important: The private key is stored encrypted at rest. PQ-Proxy uses it only to terminate TLS for your domain — it is never transmitted or exposed via any API endpoint.
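The requirements in the table can be checked locally before the PEM files are pasted into the dashboard. This is an added example using the openssl command line, not PQ-Proxy tooling; the function name and result words are made up for illustration, and the checks for expiry and hostname coverage go beyond what the table lists.

```shell
#!/bin/sh
# Added example: pre-upload check for a BYOC certificate and private key.
# Usage: sh byoc_check.sh fullchain.pem privkey.pem api.yourcompany.com

# Prints a one-word verdict; returns 0 (ok), 1 (rejected) or 2 (unreadable input).
byoc_check() {
    cert=$1; key=$2; domain=$3
    # Public key of the leaf (first) certificate in the PEM file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    # Public key derived from the private key. The empty -passin stops openssl
    # from prompting, so an encrypted key is reported as unreadable.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] || { echo "unreadable-certificate"; return 2; }
    [ -n "$key_pub" ]  || { echo "unreadable-key"; return 2; }
    # "The key must match the certificate": compare the two public keys.
    [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired"; return 1; }
    # The leaf must cover the public domain configured in the dashboard.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
        grep -q 'does match' || { echo "hostname-not-covered"; return 1; }
    # Full chain preferred: a second CERTIFICATE block means intermediates.
    if [ "$(grep -c 'BEGIN CERTIFICATE' "$cert")" -ge 2 ]; then
        echo "ok-full-chain"
    else
        echo "ok-leaf-only"
    fi
}

# Run the check when the script is given its three arguments.
if [ "$#" -eq 3 ]; then
    byoc_check "$1" "$2" "$3"
fi
```

The comparison works for both RSA and ECDSA keys because it compares the encoded public keys rather than an algorithm-specific field.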
15 FAQ
Common questions about PQ-Proxy setup and operation.
Does PQ-Proxy support HTTP/2?
Yes. The client-to-proxy connection supports HTTP/2 over TLS 1.3 with X25519MLKEM768. The proxy-to-backend connection also supports HTTP/2 if your backend does.
What happens if my backend goes down?
PQ-Proxy detects the failure within 60 seconds (health check interval), sends an alert email, and returns a connection error to clients until the backend recovers. You also receive a recovery email when the backend comes back online.
Does PQ-Proxy modify my HTTP requests?
PQ-Proxy adds x-forwarded-for and x-real-ip headers with the original client IP. Everything else passes through unmodified.
What if the client doesn't support X25519MLKEM768?
PQ-Proxy falls back to X25519 (classical elliptic-curve Diffie-Hellman) for clients that don't support post-quantum key exchange. The connection is still TLS 1.3 — just without the post-quantum key exchange. Chrome, Firefox, and curl support X25519MLKEM768 by default.
How do I protect multiple domains?
Add each domain separately in the dashboard. Each domain gets its own Let's Encrypt certificate and its own backend configuration. Billing is $0.07/hour per active domain.
What is the proxy IP for DNS setup?
137.66.56.190
Point your domain's A record to this IP. All domains on PQ-Proxy share this IP — routing is done via TLS SNI (Server Name Indication).
Can I use PQ-Proxy with Cloudflare?
Yes, but set the Cloudflare proxy status to DNS only (gray cloud) for your domain. If the Cloudflare proxy (orange cloud) is active, Cloudflare terminates TLS before it reaches PQ-Proxy — and the post-quantum handshake never happens.