API Reference
Direct interaction with the Ephos Gateway API. All requests must be authenticated using a valid Ephos Token.
The Proxy Gateway
Base URL: https://auth.phantom-projects.com
Execute Request
POST /api/vault/execute
Proxies a request to the target API. The Enclave decrypts your Phantom Key in ephemeral RAM, injects it into the outgoing request, and returns the response.
```http
POST /api/vault/execute
X-Ephos-Token: et_live_...
X-Ephos-Derived-Key: [base64 derived key]
Content-Type: application/json

{
  "service": "OpenAI [PROD]",
  "targetUrl": "https://api.openai.com/v1/chat/completions",
  "method": "POST",
  "body": {
    "model": "gpt-4",
    "messages": [{"role": "user", "content": "Hello!"}]
  }
}
```
Fetch Salt (Handshake)
GET /api/vault/salt
Retrieves the PBKDF2 salt for a token. Required before local key derivation.
```http
GET /api/vault/salt
X-Ephos-Token: et_live_...
```
Headers
| Header | Required | Description |
|---|---|---|
| X-Ephos-Token | Yes | Your scoped Ephos Token (et_live_...) |
| X-Ephos-Derived-Key | Yes* | Base64-encoded key derived locally via PBKDF2. Required for master-key-based auth. |
| Authorization | Alt | Bearer et_live_... — Alternative to X-Ephos-Token header. |
| Content-Type | Yes | application/json |
Request Body Fields
| Field | Type | Description |
|---|---|---|
| service | string | Name of the Phantom Key in your vault (e.g. "OpenAI [PROD]") |
| targetUrl | string | The full target API URL to proxy the request to |
| method | string | HTTP method: GET, POST, PUT, DELETE |
| body | object? | Optional request body to forward to the target API |
| tokenSecretB64 | string? | Alternative to derived key header. Used for delegated autonomous tokens. |
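The salt handshake, local derivation and execute call fit together as in the following added example, which is not Ephos's own client code. The function names are hypothetical, and the PBKDF2 parameters (HMAC-SHA256, 600,000 iterations, 32-byte output, the master secret as input, the salt as raw bytes) as well as the `https`-only check on `targetUrl` are assumptions of this example, not values stated on this page.

```python
import base64
import hashlib
import json
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://auth.phantom-projects.com"      # from the page
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}  # from the body-field table

# ASSUMPTIONS (not stated on the page): PBKDF2-HMAC-SHA256, 600,000 iterations,
# 32-byte output, master secret as input. Replace with the documented values.
def derive_key_b64(master_secret, salt, iterations=600_000, dklen=32):
    """Derive the key locally; only the derived value goes into a header."""
    dk = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt, iterations, dklen)
    return base64.b64encode(dk).decode("ascii")

def salt_request(token):
    """Build GET /api/vault/salt, the handshake step before derivation."""
    return urllib.request.Request(f"{BASE_URL}/api/vault/salt",
                                  headers={"X-Ephos-Token": token}, method="GET")

def execute_request(token, derived_key_b64, service, target_url, method="POST", body=None):
    """Build POST /api/vault/execute, rejecting malformed input before sending."""
    if not token.startswith("et_live_"):
        raise ValueError("token does not look like an Ephos Token")
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method: {method}")
    parts = urlsplit(target_url)
    if parts.scheme != "https" or not parts.hostname:  # local policy of this example
        raise ValueError("targetUrl must be an absolute https URL")
    payload = {"service": service, "targetUrl": target_url, "method": method}
    if body is not None:
        payload["body"] = body
    return urllib.request.Request(
        f"{BASE_URL}/api/vault/execute", data=json.dumps(payload).encode(), method="POST",
        headers={"X-Ephos-Token": token, "X-Ephos-Derived-Key": derived_key_b64,
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; the real salt comes from /api/vault/salt
    key = derive_key_b64("example master secret", salt)
    req = execute_request("et_live_EXAMPLE", key, "OpenAI [PROD]",
                          "https://api.openai.com/v1/chat/completions",
                          body={"model": "gpt-4",
                                "messages": [{"role": "user", "content": "Hello!"}]})
    print(req.get_method(), req.full_url)  # pass req to urllib.request.urlopen to send
```
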
Response Codes
- 200 OK: Success. Payload is returned from target API.
- 401 Unauthorized: Invalid or missing Ephos Token, or identity locked.
- 403 Forbidden: Token is valid but domain/scope is restricted, SSRF blocked, or decryption failed.
- 404 Not Found: Phantom Key not found or currently frozen.
- 429 Too Many Requests: Subscription proxy limit reached.