Skip to content
← Back to home

API Documentation

Download OpenAPI Spec

Authentication

API requests are authenticated using Bearer tokens. Create API keys in Settings.

Authorization: Bearer kl_your_api_key_here

Scopes: API keys can be scoped to read, write, or read,write.

Expiration: Keys can be set to expire on a specific date.

POST /api/v1/logs scope: write

Ingest a single encrypted log entry.

Request Body

{ "source": "my-app", "level": "info", "timestamp": "2026-03-29T10:00:00Z", "ciphertext": "<base64>", "iv": "<base64 12 bytes>", "ephemeral_public_key": "<base64 65 bytes>" }

Response (201)

{ "id": "uuid-of-log-entry" }
POST /api/v1/logs/batch scope: write

Ingest up to 500 encrypted log entries in a single transaction.

Request Body

{ "logs": [ { "source": "app", "level": "info", "ciphertext": "...", "iv": "...", "ephemeral_public_key": "..." }, ... ] }

Response (201)

{ "ids": ["id1", "id2", ...], "count": 2 }
GET /api/v1/keys/public scope: read

Fetch the user's active ECDH P-256 public key. SDKs use this to encrypt logs.

Response (200)

{ "id": "key-uuid", "public_key": "<base64 65 bytes>", "key_type": "ecdh-p256" }
POST /api/v1/keys/public scope: write

Store a new public key. Deactivates the previous one.

Request Body

{ "public_key": "<base64 65-byte uncompressed P-256 key>" }

Response (201)

{ "id": "new-key-uuid" }
GET /health no auth

Health check endpoint. Returns server status and version.

Response (200)

{ "status": "ok", "version": "0.1.0" }

Encryption Scheme

KryptaLogs uses hybrid ECIES encryption:

  1. SDK generates an ephemeral ECDH P-256 key pair
  2. Performs ECDH key agreement with the user's public key
  3. Derives an AES-256 key via HKDF-SHA256 (salt = ephemeral public key, info = "kryptalogs-hybrid-v1")
  4. Encrypts plaintext with AES-256-GCM (random 12-byte IV)
  5. Sends ciphertext + IV + ephemeral public key to the server

Only the holder of the private key (derived from the seed phrase) can decrypt.