End-to-End Encryption Architecture
ECDH key exchange establishes a shared secret. All data is AES-256-GCM encrypted. The platform coordinates routing and billing but never holds decryption keys.
Why Zero-Knowledge Matters
In traditional API marketplaces, the platform sees every request and every response. Your API keys, user data, financial records, and proprietary algorithms all flow through someone else's infrastructure in plaintext. You're trusting the marketplace operator with your most sensitive data.
Sertone eliminates this trust requirement. Using Elliptic Curve Diffie-Hellman (ECDH) key exchange, consumer and API owner establish a shared secret that the platform never knows. Every API call — parameters, headers, response body — is encrypted with AES-256-GCM before it leaves the sender. The platform routes encrypted ciphertext and records billing events, but is cryptographically unable to read the data.
This is not just encryption in transit (TLS). This is end-to-end encryption: the application-layer data is encrypted by the consumer's Sertone wrapper and can be decrypted only by the API owner's Sertone wrapper. Even if the platform were compromised, no API data would be exposed.
Code Samples
# API call — encryption is handled automatically by the consumer wrapper
# The wrapper encrypts your payload before sending
$ curl -X POST https://localhost:3000/internal/call \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer YOUR_CONSUMER_SECRET" \
    -d '{
      "api_id_public": "bb-webhook-receiver",
      "method": "GET",
      "path": "/status"
    }'
# What the platform sees: encrypted ciphertext
# What you receive: plaintext JSON response
# The wrapper handles encrypt/decrypt transparently
// JavaScript — encryption is transparent to the caller
// The consumer wrapper handles ECDH + AES-256-GCM automatically
const response = await fetch('https://localhost:3000/internal/call', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer YOUR_CONSUMER_SECRET'
  },
  body: JSON.stringify({
    api_id_public: 'bb-webhook-receiver',
    method: 'GET',
    path: '/status'
  })
});

// Response is already decrypted by the wrapper
const { data } = await response.json();
console.log('Decrypted response:', data.result);

// Under the hood:
// 1. ECDH shared secret derived from subscription keys
// 2. Request body → AES-256-GCM encrypt → ciphertext sent to owner
// 3. Owner decrypts → processes → encrypts response
// 4. Consumer decrypts response → returns plaintext to you
# Python — encryption is transparent
# The consumer wrapper handles all cryptography
import requests

response = requests.post(
    'https://localhost:3000/internal/call',
    headers={
        'Content-Type': 'application/json',
        'Authorization': 'Bearer YOUR_CONSUMER_SECRET',
    },
    json={
        'api_id_public': 'bb-webhook-receiver',
        'method': 'GET',
        'path': '/status',
    },
)

# Response is already decrypted
data = response.json().get('data', {}).get('result', {})
print(f"Decrypted: {data}")

# Encryption details:
# Key exchange: ECDH P-256 (secp256r1)
# Cipher: AES-256-GCM
# IV: Random 12 bytes per message
# Auth tag: 16 bytes (128-bit)
Self-Host with Zero-Knowledge Security
Run the Docker Container
Pull and run the free Sertone wrapper on your own infrastructure. ECDH key pairs are generated on first startup — keys never leave your hardware.
docker run -d --name sertone \
    -p 3000-3003:3000-3003 -p 3005-3006:3005-3006 \
    -v sertone-data:/app/data \
    sertone/wrapper:latest
Open the Web Console
Navigate to https://localhost:3002/panel to access your Sertone control center. Create your account and connect your wallet on first launch.
Browse the Catalog
Click Catalog & SDKs in the sidebar. Search for APIs, try them in demo mode (free), then switch to production when ready.
Make Your First Call
Copy your consumer secret from Settings > Security, then use the code samples above to call any API from your own code.