NYXST

Ephemeral Data Platform • Cryptographic Access Controls • Auto Expiration

Dual Factor Access

Every resource requires a unique path identifier combined with a separate cryptographic key. Both elements are necessary for retrieval.

Encryption at Rest

All data is AES-256 encrypted before storage. Decryption keys are generated per resource and never persisted on the server.

Time-Based Expiration

Configurable TTL ensures automatic deletion. Resources are permanently removed from the database after expiry.

One-Time Access

Resources can be configured to self-destruct immediately after the first successful retrieval.

File Agnostic

The platform handles any data type - text, scripts, binaries, or archives - with appropriate content-type detection.

Multi-Platform Delivery

Retrieval works with standard HTTP clients across any operating system without specialized software.

API Overview

The NYXST API provides authenticated staging and public retrieval of ephemeral data. All operations are encrypted, time-limited, and cryptographically gated.

Authentication Endpoints

POST /api/keys/register

Registers a device identifier and returns authentication tokens. The device ID remains active while tokens are valid. Subsequent registration attempts with the same ID are rejected until tokens expire.

{
  "deviceId": "unique-device-identifier"
}

POST /api/keys/refresh

Obtains a new access token using a valid refresh token. Access tokens are short-lived while refresh tokens have extended validity.

{
  "refreshToken": "jwt-refresh-token"
}

Payload Staging Endpoints

POST /api/nyxst

Stages data for later retrieval. Requires a valid access token. Returns a unique path and decryption key. Supports configurable TTL and one-time destruction.

{
  "payload": "staged-content",
  "ttl": 300,
  "oneTime": false
}

GET /api/nyxst/:path?k=key

Retrieves staged data. This endpoint is public but requires both the correct path and cryptographic key. The response includes appropriate content-type headers based on payload analysis.

DELETE /api/nyxst/:path

Manually removes staged data. Requires authentication and ownership verification.

Cryptographic Key Storage

POST /api/keys

Stores XOR key sets used for client side obfuscation. Returns a bluff path for later retrieval.

GET /api/keys/:path

Retrieves stored XOR key sets. Requires authentication.

Pastebin Service

POST /api/nyxpaste

Creates a formatted paste with syntax highlighting. Supports separate read and write keys, optional password protection, and one-time destruction.

{
  "content": "paste content",
  "syntax": "programming lang",
  "readKey": "custom or auto",
  "writeKey": "custom or auto",
  "readPassword": "optional",
  "writePassword": "optional",
  "oneTime": false,
  "ttl": 86400
}

GET /api/nyxpaste/:path[?k=key][&password=]

Retrieves a formatted paste with syntax highlighting. Requires the appropriate read key and optional password.

GET /api/nyxpaste/:path/raw[?k=key][&password=]

Retrieves the raw paste content without formatting.

POST /api/nyxpaste/:path/edit?k=writekey[&password=]

Updates an existing paste. Requires the write key and optional write password.

Security Architecture

Path Entropy: 16-byte random identifiers (2¹²⁸ possibilities)
Key Entropy: 32-byte cryptographic keys (2²⁵⁶ possibilities)
Combined Protection: 2³⁸⁴ total combinations - brute force infeasible
Storage Encryption: AES-256 encryption for all persisted data
Rate Limiting: 5 requests per minute per IP on sensitive endpoints
Automatic Cleanup: DB removes expired resources
Access Separation: Distinct read and write keys with optional passwords

Utility Endpoints

GET /health

Public health check returning service status and timestamp.