Point your domain at PQ-Proxy. Every connection is automatically protected with X25519MLKEM768.
Dashboard: proxy.fipsign.dev · API base: https://proxy-api.fipsign.dev/api/v1
| Requirement | Details |
|---|---|
| Account | Register at proxy.fipsign.dev — no credit card required for the 7-day trial |
| A domain you control | You need to be able to update the DNS A record for the domain you want to protect |
| A backend | Any HTTP or HTTPS server — cloud, on-premise, or serverless. Must be reachable from the internet. |
| API key | Available in the dashboard under Settings. Format: pqp_live_... |
| Field | Value | Notes |
|---|---|---|
| Public domain | api.yourcompany.com | The domain your clients connect to. Must have an A record pointing to PQ-Proxy. |
| Backend host | backend.yourcompany.com | Where PQ-Proxy forwards traffic after terminating TLS. Must be a public hostname or IP — private ranges (10.x, 192.168.x, 172.16–31.x), loopback (localhost, 127.x), and cloud metadata addresses (169.254.x) are not allowed. |
| Backend port | 443 | Use 443 for HTTPS backends, 80 for HTTP. Default: 443. |
| Backend TLS | ✓ enabled | Enable if your backend serves HTTPS. Disable for plain HTTP backends. Required for HTTP/2 and gRPC backends — when enabled, PQ-Proxy negotiates HTTP/2 via ALPN automatically. |
# In your DNS provider (Cloudflare, Route53, etc.) Type: A Name: api # or @ for the root domain Value: 137.66.56.190 TTL: 3600
# Check that the A record resolves correctly dig api.yourcompany.com A +short # Should return: 137.66.56.190
curl -sv https://api.yourcompany.com 2>&1 | grep -i "ssl\|tls\|handshake\|x25519"
In the dashboard, go to Health — your domain should show ● healthy once the first connection is made.
Go to Dashboard → Settings. Your API key starts with pqp_live_.
# Pass the API key in every request curl -s https://proxy-api.fipsign.dev/api/v1/tenant \ -H "X-Api-Key: pqp_live_YOUR_KEY_HERE"
curl -s https://proxy-api.fipsign.dev/api/v1/tenant \
-H "X-Api-Key: pqp_live_..."
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/domains \
-H "X-Api-Key: pqp_live_..."
id from /tenant/domains.curl -s https://proxy-api.fipsign.dev/api/v1/tenant/domains/DOMAIN_ID/certificate \ -H "X-Api-Key: pqp_live_..."
acme means the certificate was issued automatically by Let's Encrypt. byoc means you uploaded your own certificate.curl -s https://proxy-api.fipsign.dev/api/v1/tenant/billing \
-H "X-Api-Key: pqp_live_..."
low_balance_warning to trigger wallet top-ups before service is interrupted. The wallet is charged $0.04/hour per active domain.curl -s https://proxy-api.fipsign.dev/api/v1/tenant/billing/transactions \
-H "X-Api-Key: pqp_live_..."
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/metrics \
-H "X-Api-Key: pqp_live_..."
curl -s "https://proxy-api.fipsign.dev/api/v1/tenant/connections?page=1&per_page=20" \ -H "X-Api-Key: pqp_live_..."
| Parameter | Type | Default | Description |
|---|---|---|---|
| page | integer | 1 | Page number |
| per_page | integer | 20 | Results per page (max 200) |
curl -s https://proxy-api.fipsign.dev/api/v1/tenant/connections/export \
-H "X-Api-Key: pqp_live_..." \
-o connections.csv
/tenant/connections endpoint instead.curl -s https://proxy-api.fipsign.dev/api/v1/tenant/health \
-H "X-Api-Key: pqp_live_..."
consecutive_failures resets to 0.Use BYOC if you need a certificate from a specific CA, an EV (Extended Validation) certificate, or a wildcard certificate covering multiple subdomains.
Go to Dashboard → Domains, click Upload custom cert on your domain, and paste your PEM-encoded certificate and private key.
| Field | Format | Notes |
|---|---|---|
| Certificate | PEM | Full chain preferred — include intermediate certificates |
| Private key | PEM | RSA or ECDSA. The key must match the certificate. |
Yes. Both directions support HTTP/2. The client-to-proxy connection supports HTTP/1.1 and HTTP/2 over TLS 1.3 with X25519MLKEM768. The proxy-to-backend connection negotiates HTTP/2 via ALPN when the backend supports it, with automatic fallback to HTTP/1.1. gRPC backends (which require HTTP/2) are supported when Backend TLS is enabled.
PQ-Proxy detects the failure within 60 seconds (health check interval), sends an alert email, and returns a connection error to clients until the backend recovers. You also receive a recovery email when the backend comes back online.
PQ-Proxy adds three headers to every request forwarded to your backend: x-forwarded-for and x-real-ip with the original client IP, and x-forwarded-proto: https to indicate the connection arrived over TLS. Everything else passes through unmodified.
PQ-Proxy falls back to X25519 (classical Diffie-Hellman) for clients that don't support post-quantum key exchange. The connection is still TLS 1.3 — just without the post-quantum key exchange. Chrome, Firefox, and curl support X25519MLKEM768 by default.
Add each domain separately in the dashboard. Each domain gets its own Let's Encrypt certificate and its own backend configuration. Billing is $0.04/hour per active domain.
137.66.56.190
Point your domain's A record to this IP. All domains on PQ-Proxy share this IP — routing is done via TLS SNI (Server Name Indication).
Yes, but set the Cloudflare proxy status to DNS only (gray cloud) for your domain. If the Cloudflare proxy (orange cloud) is active, Cloudflare terminates TLS before it reaches PQ-Proxy — and the post-quantum handshake never happens.
No. PQ-Proxy uses TLS 1.3 with HTTP/2 for all connections. HTTP/3 (QUIC) is not supported — a deliberate choice. QUIC runs over UDP, which is frequently blocked in corporate firewalls and enterprise networks, while TCP is universally reliable. If your backend advertises HTTP/3 via Alt-Svc, PQ-Proxy removes that header automatically so clients connect via HTTP/2 without unnecessary fallback attempts.