Developer SDK

Post-quantum protection inside your own software

The exact AWT_UNIFIED transport that powers our enterprise VPN, packaged as a developer SDK. Embed AegisWire's mandatory-hybrid post-quantum transport directly into your application, API, mobile client, or device fleet. One credential, one connection — quantum-safe end to end. Not an optional hybrid bolted onto TLS: post-quantum by design, on every packet.

Full CNSA 2.0 suite (US NSA) · UK NCSC-aligned — every customer, every packet

Stronger than a checkbox

Post-quantum by design — not a TLS add-on

Most "post-quantum" is an optional hybrid key exchange negotiated into TLS. AegisWire is post-quantum across the whole transport, on every connection, with no classical-only mode to disable.

Mandatory hybrid

Every session uses hybrid ML-KEM-1024 + X25519 key exchange. There is no classical-only mode to disable or negotiate down — protection is not optional.

Automatic breach containment

BLAKE3 STREAMHEAL re-keys continuously across each connection. If one session key is ever exposed, the damage cannot spread to past or future traffic.

Connection privacy

No server identity, client identity, or routing hint is exposed on the wire. ML-DSA-87 trust chains stay hidden from passive observers from the first packet.

What you inherit

A CNSA 2.0-aligned suite, drop-in

Your team writes no cryptography. The SDK ships the full AWT_UNIFIED suite — hybrid key exchange, post-quantum identity, authenticated record encryption, and continuous key healing — the same primitives that run in production across our platform. You inherit a proven foundation, not a prototype.

  • Replay-protected, tamper-checked records

    Every packet authenticated end to end.

  • Fail-closed by default

    A kill-switch holds traffic if the secure path is ever unavailable — it never silently falls back.

  • Signed update distribution

    Engine updates ship over a signed channel with a published supply chain.

Post-quantum cryptography

The primitives behind every session

Hybrid key exchange
Quantum-safe + classical, combined
ML-KEM-1024X25519
Identity signatures
Post-quantum signed trust chains
ML-DSA-87
Record encryption
Authenticated, per-session keys
AES-256-GCM
Keyed hashing · STREAMHEAL
Integrity and rapid rekey
BLAKE3
Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

Integration in four steps

From one credential to a quantum-safe channel

The SDK hides enrolment, key exchange, healing, and recovery. Your app sees a connection; the post-quantum work happens underneath.

STEP 1

Add the SDK + a key

Drop the SDK into your app and supply one staff-provisioned credential. No cryptography for your team to implement or get wrong.

STEP 2

Enrol, automatically

The SDK provisions a device identity on first run and registers it — no manual setup, and private keys never leave the device.

STEP 3

Connect, quantum-safe

A single call opens a post-quantum session to an AegisWire gateway. Healing and recovery run on their own.

STEP 4

Send and receive

Move bytes like any socket. Every packet is quantum-safe, tamper-checked, and replay-protected end to end.

Where it runs

One transport, every platform

The same engine runs across native, mobile, and server-side environments — one uniform security posture everywhere. Native clients on macOS, iOS, Linux, Windows, and Android all build on it.

  • Native & systems apps

    Desktop and embedded software in memory-safe Rust.

  • Mobile

    iOS today, using the same transport as our native clients.

  • Backend & services

    Server-side bindings for machine-to-machine and API traffic.

Client platforms

Where AegisWire runs

One post-quantum engine, every platform — the identical signed handshake and cryptographic posture on each.

macOS
Linux
iOS
Windows
Android

Who builds on it

For software where post-quantum is becoming a requirement

If your data has to stay secret for years — or you ship software into regulated buyers — the SDK embeds the answer now, not in a retrofit later.

Government & defense suppliers

Programmes moving to post-quantum requirements need it embedded now, not retrofitted later.

Long-lived secrets

Health, finance, legal, and IP — anything recorded today that is still sensitive in ten years.

IoT & device fleets

Devices that ship today and live for 15–20 years need post-quantum protection baked in.

Machine-to-machine & AI traffic

Automated, non-browser traffic between services and agents — a natural fit for an embedded SDK.

SaaS & product teams

"Our connections are post-quantum secure" becomes a differentiator when you sell into the above.

Critical infrastructure

Operational systems where a quantum-safe control channel is a procurement-level requirement.

Licensing

Packaged the way platforms buy

SDK access is staff-provisioned and metered to fit your traffic profile — not a public download. We size the package to your stack on the briefing call.

Token-metered

Pay for what you transport. Usage-based metering suits variable or bursty machine-to-machine workloads.

Monthly-call packages

Predictable monthly call allowances for steady production traffic — budget-friendly and easy to forecast.

Staff-provisioned access

Credentials are issued and scoped by our team, enforced in software. No anonymous self-serve keys floating in the wild.

Same trust fabric

The SDK plugs into the whole platform

Embedded sessions terminate on the same gateways, federation, and trust operations as our managed VPN. Nothing about the SDK is a side track.

Enterprise-Ready Commissioned on customer scope

Production transport, packaged for your code

The SDK is built on the same post-quantum transport, gateways, and native clients that run in production — with a controls posture built to what SOC 2, ISO 27001, GDPR, and HIPAA-style reviews examine.

Managed, dedicated, self-hosted & air-gapped deployment
CNSA 2.0-aligned & NCSC-aligned, every customer, every packet
Tamper-evident audit trails & signed supply chain
MSA, DPA & sub-processor list with every engagement

Talk to engineering

Request an architecture briefing

A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance