Authentication

Every request to the Quantized API (except the health check) requires a Bearer token in the Authorization header.

Authorization: Bearer <token>

Quantized supports two token types: API keys and JWT tokens.

API keys

API keys are the simplest way to authenticate. They are issued by your institution and look like:

sk-quantized-AbCdEfGhIjKlMnOpQrStUvWxYz...

Each API key is linked to a license, which tracks your credit balance and usage.

Usage

curl https://api.quantized.us/v1/license \
  -H "Authorization: Bearer sk-quantized-YOUR-KEY"

Key lifecycle

  • API keys can be deactivated without deleting the license or its balance
  • New keys can be issued for the same license
  • Keys can have an expiration date (exp), after which they stop working

JWT tokens

For programmatic or dynamic access, Quantized supports EdDSA-signed JWT tokens. This is useful when your institution needs to issue short-lived credentials without pre-registering each key.

How it works

  1. Your institution generates a JWT signed with their Ed25519 private key
  2. Quantized verifies the signature against the institution’s registered public key
  3. On first use, Quantized automatically creates a license and an ephemeral API key from the JWT claims
  4. Subsequent requests with the same JWT reuse the existing license

JWT claims

Claim            Required  Description
institution_id   Yes       Institution UUID or alias
license_type_id  Yes       License type UUID or alias
unique_id        No        Unique identifier for the license (e.g., course ID)
user_id          No        User identifier
exp              No        Expiration timestamp (Unix epoch)
salt             No        Arbitrary salt stored with the ephemeral key

JWT header

{
  "alg": "EdDSA",
  "typ": "JWT",
  "kid": "optional-key-id"
}

The kid field is optional. If provided, Quantized matches it against the institution’s registered public keys.
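
The institution-side flow described above, as an added Go example (not Quantized's or this page's own code): it builds the documented header and claims, signs them with Ed25519, and runs a local pre-flight check before the token is sent. DemoKey, Mint, Check, the fixed seed and the demo-* values are assumptions made for illustration; Quantized's server-side validation may differ.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// DemoKey derives a constructed key pair from a fixed seed (demo only, never do this for real keys).
func DemoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(append(make([]byte, ed25519.SeedSize-1), b))
	return priv.Public().(ed25519.PublicKey), priv
}

// Mint signs base64url(header) + "." + base64url(claims) with the institution's private key.
func Mint(priv ed25519.PrivateKey, kid string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(claims)
	msg := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return msg + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// Check is a local pre-flight: alg pinned, signature valid, required claims set, not expired.
func Check(pub ed25519.PublicKey, tok string, now int64) error {
	p := strings.Split(tok, ".")
	d := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad input fails the check using it
	var h, c map[string]any
	switch {
	case len(p) != 3 || json.Unmarshal(d(p[0]), &h) != nil || h["alg"] != "EdDSA":
		return fmt.Errorf("need three segments and alg EdDSA")
	case !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), d(p[2])):
		return fmt.Errorf("bad signature")
	case json.Unmarshal(d(p[1]), &c) != nil || c["institution_id"] == nil || c["license_type_id"] == nil:
		return fmt.Errorf("missing required claim")
	}
	if exp, ok := c["exp"].(float64); ok && float64(now) >= exp {
		return fmt.Errorf("expired")
	}
	return nil
}

func main() {
	pub, priv := DemoKey(1)
	claims := map[string]any{"institution_id": "demo-univ", "license_type_id": "demo-type", "exp": 1700000600} // constructed
	fmt.Println(Check(pub, Mint(priv, "demo-kid", claims), 1700000000))
}
```

In real use, set exp from the current time plus a short window and load the private key from your key store instead of DemoKey.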

Error responses

Status  Condition
401     Missing, invalid, or expired token
402     Valid token but insufficient credit balance

Error responses return a JSON body such as:

{
  "error": {
    "message": "Invalid API key"
  }
}

Headers summary

Header                Required    Description
Authorization         Yes         Bearer <api-key-or-jwt>
X-Quantized-Provider  No          Force a specific provider (see Providers)
Content-Type          Yes (POST)  application/json