Coverta provides an API to integrate client-side encryption and secure content sharing into your applications.
- Encrypted blob storage (up to 10MB per item)
- Lifecycle management: expiration, delayed availability, burn-after-reading
- API key authentication
- Content ownership and management
What Your Client Handles
- Encryption/decryption using AES-256-GCM
- Key derivation from passphrase (PBKDF2 with salt)
- Nonce and salt generation
- User interface
Coverta uses API keys for authentication. Generate a key once through the web interface, then use it for all API requests.
1. Use API Key
# Pass as query parameter
curl "https://api.coverta.app/v1/log?api_key=cov_x7kQ9mN2..."
# Works with any authenticated endpoint
curl -X POST "https://api.coverta.app/v1/content?api_key=cov_x7kQ9mN2..." \
-H "Content-Type: application/json" \
-d '{"encryptedPayload": "...", "nonce": "...", "salt": "..."}'

Note: Each user can have one API key. Generating a new key revokes the previous one.
Create Content (Anonymous or Authenticated)
curl -X POST https://api.coverta.app/v1/content \
-H "Content-Type: application/json" \
-d '{
"encryptedPayload": "base64-encoded-encrypted-data",
"nonce": "base64-encoded-nonce",
"salt": "base64-encoded-salt",
"expiresInHours": 24,
"availableAt": "2025-01-16T18:00:00Z",
"burnAfterReading": false
}'
# Note: availableAt is optional (for delayed availability)
# Response:
{
"contentId": "abc123",
"shareUrl": "https://coverta.app/abc123",
"createdAt": "2025-01-16T12:00:00Z",
"expiresAt": "2025-01-17T12:00:00Z",
"availableAt": "2025-01-16T18:00:00Z",
"burnAfterReading": false
}

Retrieve Content
curl https://api.coverta.app/v1/content/{contentId}
# Response:
{
"contentId": "abc123",
"encryptedPayload": "base64-encoded-encrypted-data",
"nonce": "base64-encoded-nonce",
"salt": "base64-encoded-salt",
"createdAt": "2025-01-16T12:00:00Z",
"expiresAt": "2025-01-17T12:00:00Z",
"availableAt": "2025-01-16T18:00:00Z",
"burnAfterReading": false
}

List My Content Metadata (Authenticated)
curl https://api.coverta.app/v1/log
Delete Content (Authenticated)
curl -X DELETE https://api.coverta.app/v1/log/{contentId}

The API stores encrypted data as opaque blobs. You're responsible for encryption. Here's the recommended format:
Algorithm: AES-256-GCM
Key Derivation: PBKDF2 with SHA-256, 100,000+ iterations
Salt: 16+ bytes, randomly generated per content
Nonce/IV: 12 bytes for AES-GCM, randomly generated
The salt and nonce are stored with your content and returned when retrieving. Use them with the passphrase to derive the decryption key.
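The recommended format above, as an added Node.js example (not Coverta's own code) that builds the JSON body for creating content and decrypts a retrieved record. The function names are hypothetical, and appending the 16-byte GCM tag to the ciphertext inside encryptedPayload is an assumption, since the format above does not say where the tag goes.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const ITERATIONS = 100000; // minimum iteration count from the recommended format
const TAG_LEN = 16;        // GCM tag size; storing it after the ciphertext is an assumption

// PBKDF2 with SHA-256, 32-byte output for AES-256.
function deriveKey(passphrase, salt) {
  return pbkdf2Sync(passphrase, salt, ITERATIONS, 32, "sha256");
}

// Returns the request body for creating content. Only ciphertext, nonce and
// salt are sent; the passphrase and derived key stay on the client.
function encryptForUpload(plaintext, passphrase, options = {}) {
  const salt = randomBytes(16);  // new salt for every content item
  const nonce = randomBytes(12); // new nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const payload = Buffer.concat([ciphertext, cipher.getAuthTag()]);
  return {
    ...options, // e.g. expiresInHours, availableAt, burnAfterReading
    encryptedPayload: payload.toString("base64"),
    nonce: nonce.toString("base64"),
    salt: salt.toString("base64"),
  };
}

// Takes a retrieved content record. Throws if the passphrase is wrong or if
// the payload, nonce or salt was altered (GCM tag verification fails).
function decryptFromDownload(record, passphrase) {
  const payload = Buffer.from(record.encryptedPayload, "base64");
  const nonce = Buffer.from(record.nonce, "base64");
  const salt = Buffer.from(record.salt, "base64");
  if (nonce.length !== 12 || salt.length < 16 || payload.length < TAG_LEN) {
    throw new Error("malformed record");
  }
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(payload.subarray(payload.length - TAG_LEN));
  const body = payload.subarray(0, payload.length - TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}
```

Treat any exception from decryptFromDownload as a failed decryption and show no partial plaintext.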
| Endpoint | Limit |
|---|---|
| POST /api/v1/content | 25/hour, 100/day |
| POST /api/v1/auth/request-magic-link | 10/15 minutes |
| GET /api/v1/auth/verify-magic-link | 10/minute |
| All /api/v1/* endpoints | 60/minute, 1000/hour |
All errors are returned in RFC 7807 Problem Details format:
{
"status": 400,
"title": "Bad Request",
"detail": "Specific error message"
}

| Status | Meaning |
|---|---|
| 400 | Bad request (validation error, payload too large) |
| 401 | Unauthorized (missing or invalid token) |
| 404 | Not found |
| 410 | Gone (content expired or burned) |
| 429 | Rate limited |