Make Any Resource Invisible. One API Call.
POST a target_url. Get back a QURL. Your resource disappears from the public internet. No agents, no sidecars, no DNS changes.
Stop defending. Start disappearing.
Traditional: Defend What's Exposed
- Deploy service to public internet
- ↓ Open ports 80/443
- ↓ Add firewall rules
- ↓ Configure WAF
- ↓ Monitor for attacks
- ↓ Patch vulnerabilities
- ↓ Hope nothing gets through
QURL: Nothing Exists Until Authenticated
- Deploy service behind QURL
- ↓ User authenticates with IdP
- ↓ API mints a QURL
- ↓ Resource appears for that user only
- ↓ Session ends, resource vanishes
- ↓ Nothing to attack. Done.
The QURL API
One required field. One endpoint. Any web resource.
curl -X POST https://api.layerv.ai/v1/qurl \
-H "Authorization: Bearer $LAYERV_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"target_url": "https://internal.example.com/dashboard"
}'{
"id": "qurl_abc123def456",
"url": "https://qurl.link/abc123def456",
"target_url": "https://internal.example.com/dashboard",
"expires_at": "2025-01-15T10:30:00Z",
"status": "active",
"uses_remaining": 1
}target_url is the only required field. Everything else has sensible defaults. Your resource becomes invisible immediately.
How a QURL works
Resource has no public DNS. No open ports. Port scans return nothing. The service does not exist on the internet.
A cryptographic pinhole opens for exactly one user, one device, one session. Traffic flows through the QURL.
QURL expires. Pinhole closes. Full audit trail preserved. Resource returns to invisible.
QURLs don't log users in. They temporarily bring services into existence.
Full API options
All fields available on the POST /v1/qurl endpoint.
POST /v1/qurl
{
"target_url": "https://internal.example.com/dashboard", // required
"ttl": 3600, // seconds until expiry (default: 3600)
"max_uses": 1, // max number of uses (default: 1)
"allowed_ips": ["..."], // IP allowlist
"allowed_methods": ["GET"],// HTTP method restriction
"metadata": { ... } // arbitrary metadata for audit
}Four ways to integrate
IdP-Triggered
Fire QURL creation from your IdP post-auth webhook. Okta, Azure AD, Auth0 — any OIDC provider.
Middleware
Drop a middleware into your Express/Next.js/FastAPI stack. Auto-mint QURLs on authenticated requests.
SDK
Use the official JavaScript or Python SDK. Type-safe, zero-config, handles retries and token refresh.
Direct API
One POST endpoint. One required field. Works from any language, any platform, any CI/CD pipeline.
Two stages. Zero downtime.
Add QURL creation to your IdP post-auth flow. Existing access remains as fallback. No DNS changes. No firewall modifications. Test with one resource in production.
Update DNS to point through QURL. Close all public ports. Resource is now invisible to the internet. Only QURL-authenticated sessions can reach it.
Built on proven cryptography
Noise Protocol
Same key exchange as Signal and WireGuard. Forward secrecy, mutual auth.
OpenNHP
Cloud Security Alliance standard. Open-source protocol, open-source reference implementation.
Multi-Region AWS
Deployed across US-East and US-West. Sub-50ms QURL creation. 99.99% uptime target.
Auth0 JWT
Standard JWT-based authentication. OIDC compliant. Works with your existing IdP.
Fail-Open
Stage 1 overlay mode. If QURL is unreachable, existing access continues. Zero downtime risk.
Share with your CISO
Business impact, compliance benefits, and risk reduction metrics.