qub API reference

Qub API — OpenAPI 1.0.0

API for Qub, a timed commitment and timed publication system backed by drand timelock encryption. Seal messages now, reveal them later.

Base URL(s):

• https://qub.social

Authentication

turnstile — Cloudflare Turnstile verification token. Despite this being listed as a bearer scheme, the token is passed in the request body as turnstile_token, not in the Authorization header.

apiKey — API key with prefix qub_sk_. Pass in the Authorization header as Bearer qub_sk_....

adminSecret — Admin secret for privileged endpoints. Pass in the Authorization header as Bearer <secret>.

Endpoints

Qubs

Create, seal, and read qubs

GET /api/v1/qub/{tx_id} — Read qub status and content

Auth: API key

Returns the current status of a qub. If locked, returns metadata and countdown. If unlocked, returns the decrypted content. Rate limited to 30 requests per minute per IP. Optional API key auth for higher rate limits.

Parameters

Responses

GET /api/v1/qub/{tx_id}/meta — Lightweight qub metadata (no decrypt)

Auth: public

Returns the Arweave block timestamp and intent tag for a sealed qub. No tlock decrypt, no Arweave bytes fetch — just a GraphQL lookup with R2 cache. Used by the viewer countdown screen, the ?from={intent} viral-loop CTA, and the <qub-embed> iframe. The qub.social viewer and the embed iframe both re-poll this endpoint every 30 seconds during countdown so the watching count climbs live; polling halts in the last minute before unlock. Rate limited 10 requests per minute per IP.

Parameters

Responses

200 response body — QubMetaResponse

POST /api/v1/seal — Server-side seal (agent-only)

Auth: API key

Seals a plaintext message server-side using drand timelock encryption and uploads it to Arweave. Requires an API key. Note: the plaintext passes through the server.

Request body (application/json, required)

Responses

200 response body — SealResponse

Upload

Upload sealed content to Arweave

POST /api/v1/upload — Upload sealed CBOR to Arweave

Auth: Turnstile or API key

Uploads a sealed CBOR payload to Arweave via the worker proxy. Returns the Arweave transaction ID and a delivery URL for the viewer.

Request body (application/json, required)

Responses

200 response body — UploadResponse

POST /api/v1/upload-auth — Pre-check upload eligibility

Auth: Turnstile or API key

Validates the device's entitlement tier and rate limits before uploading. Rate limited to 20 requests per 10 minutes per IP and 10 per 10 minutes per device.

Request body (application/json, required)

Responses

200 response body — UploadAuthResponse

Engagement

Watch / view counters and notify-me subscriptions

POST /api/v1/qub/{tx_id}/notify — Subscribe an email to a qub's reveal

Auth: public

Adds an email address to the notify-me list for a sealed qub. The reveal-time cron sends a one-shot email when the qub unlocks. Always returns { ok: true } on success — re-submitting the same address is idempotent and updates the stored locale. Hard-capped at 1000 subscribers per qub. Rate limited 5 requests per minute per IP.

Parameters

Request body (application/json, required)

Responses

200 response body — OkResponse

POST /api/v1/qub/{tx_id}/react — Record a reaction on a revealed qub

Auth: public

Records a called_it or wrong reaction for a revealed prediction and returns the updated tallies. Client-side dedup via localStorage per (tx_id, device) is assumed; ~10% inflation is acceptable. Rate-limited 10/min/IP as a shallow abuse floor — over-limit requests return current tallies without mutating.

Parameters

Request body (application/json, required)

Responses

200 response body — inline

POST /api/v1/qub/{tx_id}/view — Increment the post-reveal view counter

Auth: public

Increments and returns the post-reveal view count. Same shape as the watch counter but tracked on a separate KV key. Displayed on the revealed screen as 'Seen by {N} people'. Rate limited 10 requests per minute per IP.

Parameters

Responses

200 response body — EngagementCountResponse

POST /api/v1/qub/{tx_id}/watch — Increment the pre-reveal watch counter

Auth: public

Increments and returns the 'watching' count for a sealed qub. Used by the viewer countdown screen as social proof. No per-fingerprint dedup — accepts ~10% inflation in exchange for a much simpler implementation. Rate limited 10 requests per minute per IP. On rate-limit returns { count: 0 } (200) so the client renders zero or its cached value.

Parameters

Responses

200 response body — EngagementCountResponse

Auth

Magic-link email verification and identity recovery

POST /api/v1/auth/magic-link — Issue a magic-link token

Auth: public

Issues an HMAC-signed, single-use magic-link token for { email, device_id }, stores the token hash in KV with a 15-minute TTL, and dispatches the email via SendGrid. Always returns { ok: true } — the user shouldn't be able to distinguish 'email exists' from 'delivery failed'. Rate limited 3 requests per email per hour. Returns 503 if AUTH_SECRET is not configured.

Request body (application/json, required)

Responses

200 response body — OkResponse

POST /api/v1/auth/verify — Consume a magic-link token

Auth: public

Verifies a magic-link token's HMAC signature, enforces single-use via the KV gate, links the device to the email, and returns the identity state including the per-identity sealed-history index. The HMAC payload carries the locale captured at issue time so future emails go out in the same language.

Request body (application/json, required)

Responses

200 response body — VerifyResponse

GET /api/v1/creator/qubs — Identity-scoped aggregate of a creator's sealed qubs

Auth: public

F12 / DISTRIBUTION-STRATEGY.md §12.3. Returns the oldest sealed qub, the next upcoming reveal, the sum of watch counters across every qub the creator has sealed, and the total qub count — in a single round-trip. Used by the /identity retention surface and the anniversary reminder UX. Same device-id auth shape as /api/v1/identity — the device_id is the capability; no bearer token. Aggregation capped at the 200 most recent seals; truncated: true signals the cap fired (rare in practice).

Parameters

Responses

200 response body — CreatorQubsResponse

GET /api/v1/identity — Read-only identity lookup for a device

Auth: public

Returns the linked-identity record for a device, or 404 if the device is not currently linked to any email. Used by the post-purchase success page to fetch the auto-linked identity (written server-side by the Stripe webhook) without a magic-link round-trip. Read-only and stateless — the device_id is a 128-bit local identifier, not a security token.

Parameters

Responses

200 response body — IdentityResponse

API Keys

API key checkout, retrieval, and rotation

POST /api/v1/api-keys/checkout — Create a Builder API key checkout session

Auth: Turnstile

Creates a Stripe checkout session that, on success, provisions a new Builder-tier API key. The raw key is later retrievable via /api/v1/api-keys/provisioned?session_id=... for one hour after webhook completion.

Request body (application/json, required)

Responses

200 response body — CheckoutResponse

GET /api/v1/api-keys/provisioned — One-time retrieval of a freshly provisioned API key

Auth: public

After a successful Builder checkout, the Stripe webhook stores the raw API key in KV under apikey-provisioned:{session_id} with a 1-hour TTL. This endpoint reads it once and deletes the KV entry. Returns { key: null } if the webhook hasn't completed yet or the key has already been retrieved. Rate limited 30 requests per minute per IP.

Parameters

Responses

200 response body — ApiKeyProvisionedResponse

POST /api/v1/api-keys/rotate — Rotate the current API key

Auth: API key

Issues a new API key for the authenticated client and stores a grace-period mapping so the old key continues to work until the next rotation. Quota state is preserved across the rotation. Requires the rotate scope on the current key. Concurrent rotations are blocked via a 30-second lock.

Responses

200 response body — ApiKeyRotateResponse

Payment

Stripe checkout and entitlements

POST /api/v1/checkout — Create Stripe checkout session

Auth: public

Creates a Stripe checkout session for purchasing qub entitlements.

Request body (application/json, required)

Responses

200 response body — CheckoutResponse

GET /api/v1/entitlements — Check device entitlement tier

Auth: public

Returns the current entitlement tier and remaining qub count for a device.

Parameters

Responses

200 response body — EntitlementsResponse

POST /api/v1/payment — Stripe webhook receiver

Auth: public

Receives Stripe webhook events for payment confirmation. Not intended for direct use by API consumers.

Request body (application/json, required)

Type: object

Responses

Moderation

Content reporting and denylist

GET /api/v1/denylist-check/{tx_id} — Check if a transaction is denylisted

Auth: public

Public, lightweight endpoint that checks whether an Arweave transaction ID is on the content denylist. Returns 200 if clear, 404 if denylisted. No authentication required.

Parameters

Responses

200 response body — inline

POST /api/v1/report — Report content

Auth: public

Submit a content report for moderation review.

Request body (application/json, required)

Responses

200 response body — inline

Admin

Admin-only endpoints

GET /api/v1/admin/api-keys — List all API keys with usage stats

Auth: Admin secret

Admin-only listing of every provisioned API key with quota and usage metadata. Used by the admin dashboard for key lifecycle management.

Responses

POST /api/v1/admin/api-keys/{key_hash}/{action} — Disable or enable an API key

Auth: Admin secret

Admin-only endpoint that flips the disabled flag on an API key by hash. The action component must be either disable or enable.

Parameters

Responses

200 response body — AdminKeyActionResponse

GET /api/v1/admin/kpis/activation-cohort — Admin — first-qub to second-qub activation rate

Auth: Admin secret

M8 / DISTRIBUTION-STRATEGY.md §10.3. Walks identity:<email> records in the ENTITLEMENTS KV, computes what percentage of new creators seal a second qub within the activation window. Cohort members whose first seal is too fresh to have observed the activation window are excluded so the rate doesn't deflate as the cohort matures.

Parameters

Responses

200 response body — ActivationCohortResponse

GET /api/v1/admin/kpis/kill-criterion — Admin — qubs below the watcher floor past the seeding window

Auth: Admin secret

M10 / DISTRIBUTION-STRATEGY.md §5.4. Returns qubs whose seal is old enough for the seeding horizon to have elapsed (default ≥48h) but whose watcher count is still below the floor (default <100). Triage list for the growth team. Sorted worst-first and capped at 500 entries.

Parameters

Responses

200 response body — KillCriterionResponse

GET /api/v1/admin/kpis/shares-median — Admin — shares-per-qub p50/p95

Auth: Admin secret

M2 / DISTRIBUTION-STRATEGY.md §10.1. Computes the p50 and p95 of shares:<tx_id> counters across all qubs. Scan is capped at 10k qubs; truncated flips when the cap fires.

Responses

200 response body — SharesMedianResponse

GET /api/v1/admin/metrics — Admin metrics dashboard data

Auth: Admin secret

Returns aggregated metrics for the admin dashboard.

Parameters

Responses

POST /api/v1/denylist — Block or unblock transaction IDs

Auth: Admin secret

Admin endpoint to add or remove Arweave transaction IDs from the content denylist.

Request body (application/json, required)

Responses

200 response body — inline

Webhooks

Webhook registration for qub unlock notifications

GET /api/v1/webhooks — List webhooks

Auth: API key

List all webhooks registered by the authenticated API key.

Responses

POST /api/v1/webhooks — Register a webhook

Auth: API key

Register a webhook URL to be notified when a specific qub unlocks.

Request body (application/json, required)

Responses

201 response body — WebhookCreateResponse

DELETE /api/v1/webhooks/{id} — Remove a webhook

Auth: API key

Delete a previously registered webhook.

Parameters

Responses

Viewer

Public viewer page (browsers + bots)

GET /api/v1/og/{tx_id}.png — Dynamic Open Graph image

Auth: public

Dynamic OG image for a qub. Sealed state renders intent + reveal date + watching count; revealed state renders intent + called-it percentage as a results card. R2 cache-aside by state + watching/reaction bucket so unfurls hit cache for the typical viewer flow.

Parameters

Responses

GET /c/{tx_id} — Public viewer page (browsers + bots)

Auth: public

Content-negotiated viewer entry point. For browsers: serves the SPA index.html. For bots (Twitterbot, facebookexternalhit, Slackbot, Discordbot, etc.): returns edge-computed HTML with OG meta tags built from the sealed qub's unlock time and live watch count. For requests with Accept: application/json: 307 redirects to /api/v1/qub/{tx_id}.

Parameters

Responses

GET /s/{code} — Short-URL redirect

Auth: public

Resolves a 7-character base62 short code allocated at upload or seal time to the canonical /c/{tx_id} viewer page via HTTP 302. Preferred over /c/{tx_id} for tweet text and QR matrices because it saves ~56 characters.

Parameters

Responses

Meta

API metadata

GET /api/v1/openapi.json — OpenAPI specification

Auth: public

Returns this OpenAPI 3.1.0 specification document.

Responses

POST /api/v1/telemetry — Client telemetry ingestion

Auth: public

Receives client-side telemetry events. Always returns 204 regardless of payload validity to avoid blocking the client. The share_clicked event accepts channel values x|qr|native|copy|threads|bluesky|pact|embed|embed-copy. The embed channel covers iframe footer-CTA clicks; embed-copy covers creator-side snippet copies on qub.social.

Request body (application/json)

Type: object

Responses

Embed

F4 embed loader + iframe shell + bundled iframe app for third-party page embedding

GET /embed.js — Embed loader script (current version)

Auth: public

Public loader script — alias for the current pinned version. Publishers <script async src="..."> this on their page; the script registers the <qub-embed> custom element. Served with text/javascript, Cache-Control: public, max-age=300, s-maxage=86400, and public CORS (Access-Control-Allow-Origin: *).

Responses

GET /embed/{tx_id} — Embed iframe HTML shell

Auth: public

HTML shell loaded inside the <qub-embed> iframe. Carries a locked-down CSP and intentionally OMITS X-Frame-Options so it can be embedded on third-party pages. Ships an inline first-paint skeleton (centred qub wordmark + pulsing lime dot, honouring prefers-reduced-motion) so the reader sees a branded placeholder while the iframe-app bundle parses; the skeleton is replaced by the first render() call from the bundle. The bundle also sets <title> dynamically once the qub's intent is known (e.g. Sealed prediction · qub.social) so direct-iframe visits get a useful tab label; terminal states (loading / denylisted / unsupported / error) keep the bare qub title so the page never claims Sealed prediction on a removed or broken qub. Accepts an optional lang query parameter (BCP 47 tag); when present it is written onto <html lang> and passed to the iframe-app, which resolves it against the locale registry via the same candidate chain used by server-side email templates. Unknown tags fall back to English. Served with text/html; charset=utf-8 and Cache-Control: public, max-age=60. Full publisher-facing contract in docs/EMBED.md.

Parameters

Responses

GET /embed/v1.js — Pinned v1 embed loader script

Auth: public

Pinned v1 loader URL — same content as /embed.js for the lifetime of v1. Publishers should use this in production for stability: it gives a versioned URL that won't break when the loader is updated. Served with text/javascript, Cache-Control: public, max-age=300, s-maxage=86400, and public CORS (Access-Control-Allow-Origin: *).

Responses

GET /embed/v1/iframe-app.js — Embed iframe app bundle

Auth: public

Bundled iframe app (~73 KB gzipped) — runs inside the iframe shell, performs in-browser tlock decrypt and renders the qub. During countdown it re-polls /api/v1/qub/{tx_id}/meta every 30 seconds so the watching count climbs live (matching the qub.social viewer); polling halts in the last minute before unlock to avoid racing the reveal transition. Served with text/javascript, Cache-Control: public, max-age=300, s-maxage=86400, and public CORS (Access-Control-Allow-Origin: *).

Responses

GET /oembed — oEmbed discovery

Auth: public

oEmbed 1.0 discovery endpoint. Returns the JSON oEmbed payload for a qub viewer URL so WordPress, Notion, Medium, and Substack can auto-embed <qub-embed> without the user pasting a manual snippet.

Parameters

Responses

Identity

GET /api/v1/identity/attestation/{fingerprint} — Look up public attestations for a pubkey fingerprint

Auth: public

Unauthenticated public lookup. Returns the attestation record for a given author-key fingerprint (IDENTITY.md §2 + §4), or 404 if the keypair is unattested (Layer 0). The viewer uses this at reveal time to render the richest identity label per §5.3. Response is cached at the edge for 5 minutes.

Parameters

Responses

200 response body — AttestationRecord

DELETE /api/v1/identity/attestation/email — Revoke an email attestation

Auth: public

Removes the email entry from the attestation record. Requires a proof-of-possession ML-DSA-65 signature over the QUB_IDENTITY_DELETE_V1 challenge (IDENTITY.md §6.2) — the signature is the auth, no session cookie. When the email was the only entry, the whole record is deleted per §4.2.

Request body (application/json, required)

Responses

200 response body — AttestationEmailDeleteResponse

POST /api/v1/identity/attestation/email/begin — Initiate an email attestation challenge

Auth: public

Issues a 6-digit verification code via SendGrid and stashes a pending challenge in KV with a 10-minute TTL. The submitted public key must hash (SHA3-256) to the claimed fingerprint — this blocks pubkey squatting at the entry point. Rate limited 3/email/hour and 10/IP/hour.

Request body (application/json, required)

Responses

200 response body — AttestationEmailBeginResponse

POST /api/v1/identity/attestation/email/verify — Complete an email attestation

Auth: public

Verifies the 6-digit code plus a proof-of-possession ML-DSA-65 signature over the QUB_IDENTITY_EMAIL_V1 challenge (IDENTITY.md §3.2). Writes the attestation record on success. Attempts are bumped BEFORE the code comparison so brute-force is capped at 5 even on all-fail traffic.

Request body (application/json, required)

Responses

200 response body — AttestationRecord

Qub

GET /api/v1/qub/{tx_id}/bytes — Raw sealed CBOR bytes

Auth: public

Returns the raw sealed CBOR payload for a qub with R2 cache-aside and immutable caching (Cache-Control: public, max-age=31536000, immutable). Used by the in-browser embed and SPA client to perform client-side tlock decrypt without redundant Arweave gateway hits.

Parameters

Responses

Pact

POST /api/v1/pact/cosign/{staging_id} — Co-sign a staged pact and seal to Arweave

Auth: public

Party B submits their ML-DSA-65 cosigner signature over the same sig_input as Party A. The worker merges both signatures into the envelope, seals with tlock, and uploads to Arweave. If Party B's contact in the staged pact is an email, the cosigner is gated by a short-lived 15-minute email-verification marker produced by /api/v1/auth/verify (protocol spec §9.7). When the magic-link request that produced the marker carried a cosigner_fingerprint (PC-3 binding), the submitted cosigner_pubkey must hash (SHA3-256) to the same fingerprint — otherwise the cosign is rejected.

Parameters

Request body (application/json, required)

Responses

200 response body — inline

POST /api/v1/pact/stage — Stage a signed pact envelope for co-signing

Auth: public

Party A stages a signed pact envelope (content type 0x03, ML-DSA-65 author signature). Returns a staging id and a human-readable staging URL (/p/<id>). If Party B's contact is a valid email, a review invite email is auto-dispatched and email_sent is true. Staged pacts expire after 7 days if not co-signed.

Request body (application/json, required)

Responses

201 response body — inline

DELETE /api/v1/pact/stage/{staging_id} — Retract a staged pact before co-signing

Auth: public

Party A proves possession of the author signing key and retracts a pending staged pact. Requires a fresh retract signature over SHA3-256("QUB_PACT_RETRACT_V1" || staging_id_bytes).

Parameters

Request body (application/json, required)

Responses

GET /api/v1/pact/stage/{staging_id} — Review a staged pact

Auth: public

Returns the staged pact's CBOR envelope fields, decoded PactTerms, and Party A's public key so Party B can review before co-signing. If the pact has already been co-signed, returns a sealed redirect payload with tx_id and delivery_url.

Parameters

Responses

Lifecycle

GET /api/v1/lifecycle/unsubscribe — One-click lifecycle email unsubscribe

Auth: public

One-click unsubscribe endpoint linked from creator lifecycle emails (seal confirmation, pre-reveal, post-reveal). The token query parameter is HMAC-signed and binds the request to a specific email + tx_id. On success, writes a suppression record so subsequent lifecycle sends to that address skip delivery.

Parameters

Responses

This page is generated from workers/api/openapi.json by workers/api/scripts/build-openapi-md.mjs. For the raw JSON, see /api/v1/openapi.json.