EU-Sovereign · Quantum-Safe
The sovereign alternative to Okta and 1Password. Unlimited users, post-quantum by default.
The Problem
If any of these ring a bell, you are in the right place.
API keys, passwords, and tokens spread across .env files, Slack messages, and spreadsheets — one leak away from a breach.
100 users = €2,000+/month. Enterprise IAM tools price growing teams out of the market.
Schrems II, GDPR, and NIS2 require EU data residency. US-hosted services put you at regulatory risk.
RSA and ECC will be broken by quantum computers. NIST standardised replacements in 2024 — most stacks have not caught up.
Encryption-as-a-Service
A REST API that encrypts, signs, and verifies with NIST post-quantum algorithms. Drop into any backend, any language. Quantum entropy on the hot path. SDKs in TypeScript, Python, .NET, Rust.
Learn moreKey & Secret Management
A vault for keys, secrets, certificates, and rotation policies — encrypted at rest with the same PQC primitives that power the API. Every operation audited; every secret scoped to a tenant.
Learn moreIdentity Platform
OIDC and SAML federation with PQC-signed tokens. Bring Entra ID, Okta, Google Workspace — or roll your own. Authentication that survives the cryptographic transition.
Learn moreNo PhD required. A single API call replaces hundreds of lines of cryptography code.
Create a free account
Sign up and get 500 API calls per month. No credit card or sales call required.
Generate an API key
Create a scoped API key from the portal with granular permissions per resource.
Make your first encryption call
POST your plaintext and receive ML-KEM-768 quantum-safe ciphertext in milliseconds.
curl https://api.quantumapi.eu/v1/encrypt \
-H "Authorization: Bearer YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"algorithm": "ML-KEM-768",
"plaintext": "sensitive-data"
}'// Response
{ "ciphertext": "MIIBIjANBgkqhkiG9w...", "keyId": "k_7fG2" }Identity is layered. From the IdP at the door to the policy on a single vault entry, every action passes through four explicit boundaries — and never one more.
Connect Entra ID, Okta, Google Workspace — or any OIDC / SAML 2.0 provider. Map external attributes to QuantumID claims. JIT provisioning on first sign-in.
entra.microsoft.com → OIDC okta.com → SAML 2.0 workspace.google.com → OIDC + any RFC 6749 / RFC 7522 IdP
Define exactly who can do what, down to a single vault record or API verb. Built-in roles for the common cases; explicit policies when the manual disagrees with reality.
{
"subject": "group:devops",
"action": "secrets:read",
"resource": "tenant/acme/vault/*"
}Group users by team, department, or project. Group resources for bulk permission assignment. Nested groups for complex hierarchies. Onboard a whole team in one operation.
acme/ ├─ engineering/ │ ├─ backend 12 users │ └─ frontend 8 users └─ ops 4 users
Every user gets a free personal tenant. Join multiple organisations with different roles in each. Complete data isolation between tenants — by design, not by configuration.
victor@example.com ├─ personal owner ├─ acme admin └─ kovimatic developer
A spec sheet, not a brochure.
Every algorithm we ship is a NIST-published standard, finalised in 2024. No experimental ciphers, no proprietary constructions. If it isn't in the FIPS catalog, it isn't in our stack.
The bits that seed every key come from a physical quantum process — not a deterministic PRNG. Generated by Quantum Blockchains in Wrocław, Poland; cached locally with a CSPRNG fallback.
Every byte stored, every key generated, every request handled — inside European jurisdiction. Scaleway, a French operator, in Paris and Amsterdam. Roadmap includes Warsaw for redundancy.
A small REST surface, predictable verbs, OpenAPI spec on launch day. CLI for ops, SDKs for the languages your team already writes. Infrastructure-as-code and CI integrations on the way.
Tenants, organisations, groups, users — four nested boundaries with explicit inheritance. No accidental cross-tenant leaks. Every secret carries the policy of the org that owns it.
Every operation — encrypt, decrypt, rotate, revoke — recorded in append-only logs with cryptographic chain integrity. Mapped to GDPR, NIS2, and ISO 27001 controls.
"Encryption is solved" is the most expensive lie in modern infrastructure. TLS protects data while it moves between two endpoints — nothing more. Storage, keys, identities, randomness, jurisdiction: all of it is still up to you.
“The part that's actually solved.”
“Database rows. Backup tapes. Log files. None of it is in transit.”
“Where does the key live? Who can rotate it? What happens when someone quits?”
“API keys. OAuth tokens. Signing certificates. The credentials that move your business.”
“A weak source invalidates everything downstream. TLS trusts whatever the OS gives it.”
“TLS authenticates the connection — not the human behind it.”
“Where is the data? Whose courts can compel it? Most platforms answer with silence.”
Six gaps. One platform that closes all of them.
All algorithms follow NIST FIPS 203, 204, and 205 standards.
+ AES-256-GCM for authenticated symmetric encryption (FIPS 197)
Start free, scale as you grow. All plans include every PQC algorithm.
We are a small team based in Dublin, Ireland, building security infrastructure we wish had existed when we were building products ourselves.
Victor Zaragoza
Founder & CEO
Victor built QuantumAPI to solve problems he faced while building previous SaaS products: the cost and complexity of enterprise IAM tools, and the lack of accessible post-quantum cryptography for European companies.
What looks encrypted today will be readable in a decade.
Why TLS 1.3's post-quantum key exchange isn't enough. Why "harvest now, decrypt later" isn't hypothetical. What to do before 2030.
500 API calls a month — free, forever. No credit card. No per-seat fees. Quantum-safe from the first request.