ANKA Secure API -- Endpoints & Use Cases
This document provides a comprehensive list of the ANKA Secure API endpoints, grouped by functionality. Each group corresponds to a specific controller within the application as described below.
Secure Streaming Endpoints
Handled by the CryptoStreamingApiController. These endpoints use multipart/form-data for uploading files and returning streaming responses, making them suitable for large data.
HTTP Method | Endpoint | Description |
---|---|---|
POST | /api/crypto/stream/encrypt | Encrypt data with a key (full streaming). Receives a JSON "metadata" part (EncryptStreamRequest) + a file part, returns ciphertext. |
POST | /api/crypto/stream/decrypt | Decrypt data with a key (full streaming). Receives a JSON "metadata" part (DecryptStreamRequest) + a file part, returns plaintext. |
POST | /api/crypto/stream/sign | Sign data (full streaming). Receives a JSON "metadata" part (SignStreamRequest) + a file part, returns signature bytes. |
POST | /api/crypto/stream/verify | Verify a signature (full streaming). Receives metadata (kid + signatureBase64) + a file part containing the data. |
POST | /api/crypto/stream/resign | Re-sign data (full streaming). Verifies old signature (public key), then signs again (private key), returning the new signature. |
POST | /api/crypto/stream/reencrypt | Re-encrypt data (full streaming). Decrypts with oldKid (private), then encrypts with newKid (public). |
POST | /api/crypto/stream/utility/publickey-verify | Utility: verify a signature (full streaming) with a provided public key (no need to store the key in the keystore). |
POST | /api/crypto/stream/utility/publickey-encrypt | Utility: encrypt data (full streaming) with a provided public key (no need to store the key). |
Authentication Endpoints
Handled by the AuthController. Used to obtain Access Tokens (JWT) and, optionally, Refresh Tokens.
HTTP Method | Endpoint | Description |
---|---|---|
POST | /api/authenticate/refresh | Refresh the access token (requires a valid, unexpired refresh token). |
POST | /api/authenticate/login | User login, returns an Access Token and a Refresh Token if valid. |
POST | /api/authenticate/app | Application authentication (clientId + clientSecret). Returns tokens. |
Key Management Endpoints
Handled by the KeyManagementApiController. These endpoints let you create, import, list, export, remove, and revoke cryptographic keys. They also provide dynamic algorithm discovery (crypto-agility).
HTTP Method | Endpoint | Description |
---|---|---|
POST | /api/key-management/keys | Generate a cryptographic key (classical, PQC, or symmetric). |
GET | /api/key-management/keys | List all keys (without revealing private material). |
POST | /api/key-management/keys/import | Import an existing cryptographic key (public or private) using JSON fields (kid, kty, alg, publicKey, privateKey...). |
POST | /api/key-management/private-keys | Import a private key from a PKCS#12 (.p12 or .pfx) file (via JSON Base64). |
POST | /api/key-management/keys/{kid}/revoke | Revoke a key by kid (changes its status to REVOKED). |
GET | /api/key-management/keys/{kid} | Export a key by kid (public portion if asymmetric, plus metadata). |
DELETE | /api/key-management/keys/{kid} | Remove a key from the keystore (irreversible). |
GET | /api/key-management/supported-algorithms | Retrieve the list of dynamically supported algorithms (kty + alg). |
Secure Endpoints (Non-Streaming)
Handled by the CryptoApiController. These endpoints operate on Base64-encoded data (plaintext, ciphertext, signatures) rather than file streams.
HTTP Method | Endpoint | Description |
---|---|---|
POST | /api/crypto/encrypt | Encrypt Base64 data with a public key (kid). |
POST | /api/crypto/decrypt | Decrypt Base64 data with a private key (kid). |
POST | /api/crypto/sign | Sign Base64 data with a private key (kid), returning a Base64 signature. |
POST | /api/crypto/verify | Verify a Base64 signature with a public key (kid). |
POST | /api/crypto/reencrypt | Re-encrypt data from oldKid (private) to newKid (public). |
POST | /api/crypto/resign | Re-sign data: verifies with oldKid (public) and signs again with newKid (private). |
License Management Endpoints
Handled by the LicenseUsageController. Provides information on license plans, usage counts, and more.
HTTP Method | Endpoint | Description |
---|---|---|
GET | /api/license-management/license-info/{clientId} | Retrieve license information for a client. |
Notes
- Bear in mind that most endpoints require a valid JWT token. Use /api/authenticate/login (for user credentials) or /api/authenticate/app (for application credentials) to obtain a token, then supply it via the Authorization: Bearer <token> header.
- Streaming endpoints typically expect multipart/form-data. This allows large files to be processed without loading them fully into memory.
- Non-streaming endpoints accept smaller payloads as JSON with Base64-encoded data fields.
- Key Storage: When generating or importing a key, you specify a kid which must be unique within the system. If a kid already exists, the server may update it (if compatible) or return a conflict.
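
The request shape described in the notes above (a Bearer token plus a multipart body with a JSON "metadata" part and a streamed file part), shown for /api/crypto/stream/verify as an added example that is not taken from the ANKA Secure documentation or SDKs. The file part name "file", the part Content-Types, the host name and the sample values are assumptions; the authoritative schema is in the OpenAPI documentation.

```python
import http.client
import io
import json
import uuid

CHUNK = 64 * 1024  # read size; the file is never held in memory as a whole


def multipart_stream(metadata, fileobj, boundary, file_field="file"):
    """Yield a multipart/form-data body piece by piece.

    file_field is an assumed part name, not confirmed by the page.
    """
    sep = b"--" + boundary.encode()
    yield (sep + b"\r\n"
           b'Content-Disposition: form-data; name="metadata"\r\n'
           b"Content-Type: application/json\r\n\r\n"
           + json.dumps(metadata).encode() + b"\r\n")
    head = f'Content-Disposition: form-data; name="{file_field}"; filename="data.bin"\r\n'
    yield sep + b"\r\n" + head.encode() + b"Content-Type: application/octet-stream\r\n\r\n"
    while chunk := fileobj.read(CHUNK):
        yield chunk
    yield b"\r\n" + sep + b"--\r\n"


def build_verify_request(token, kid, signature_b64, fileobj):
    """Return (method, path, headers, body_iterator) for the streaming verify call."""
    if not token or "\r" in token or "\n" in token:
        raise ValueError("token missing or contains line breaks")
    boundary = uuid.uuid4().hex
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    metadata = {"kid": kid, "signatureBase64": signature_b64}
    return "POST", "/api/crypto/stream/verify", headers, multipart_stream(metadata, fileobj, boundary)


def send(host, request):
    """Send over TLS; http.client chunk-encodes an iterable body with no Content-Length."""
    method, path, headers, body = request
    conn = http.client.HTTPSConnection(host, timeout=30)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed sample values; nothing is sent unless send() is called.
    req = build_verify_request("sample.jwt.token", "example-kid", "c2ln", io.BytesIO(b"hello"))
    print(req[2]["Content-Type"], sum(len(p) for p in req[3]), "body bytes")
```

Because the body is a generator, memory use stays at one chunk regardless of file size; whether the server accepts chunked transfer encoding is an assumption to confirm against the deployment.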
This covers the major use cases and endpoint groupings for ANKA Secure API. For detailed request/response schemas, examples, and authentication instructions, refer to the OpenAPI documentation (Swagger UI) or the official client SDKs.