QuantumAPI Secrets

Inject post-quantum-secured secrets from QuantumVault into your Azure Pipelines as masked pipeline variables.

Why

Post-quantum-safe — secret material is wrapped with ML-KEM-768 + AES-256-GCM end-to-end.
EU-sovereign — backend hosted in France (Scaleway). GDPR-clean.
No per-seat / per-secret pricing — usage-based, like cloud storage.

Usage

- task: QuantumAPISecrets@1
  inputs:
    apiKey: $(QUANTUMAPI_KEY)
    secrets: |
      DB_PASSWORD=secret/database/password
      API_TOKEN=secret/api/token

After this step, $(DB_PASSWORD) and $(API_TOKEN) are available to subsequent steps. Their values are masked in logs.

Authentication

Inline API key — set apiKey from a secure pipeline variable.
Service connection (recommended) — provision a QuantumAPI service connection of type quantumapi and reference it via serviceConnection.

Inputs

Input	Default	Description
`apiKey`	-	API key (qapi_sk_...). Required if `serviceConnection` not set.
`serviceConnection`	-	Name of a `quantumapi` service connection.
`secrets`	-	Multi-line `KEY=path` mappings.
`endpoint`	`https://api.quantumapi.eu`	API endpoint.
`exportAsVariables`	`true`	Set fetched secrets as pipeline variables (masked).
`failOnMissing`	`true`	Fail the task if any secret returns 404 / empty.
`secureFile`	`''`	Optional absolute path; writes a `KEY=value` file with mode 0600.
`cacheKey`	`''`	Optional; reuses results within the same job execution.

Compatibility

Azure DevOps Services
Azure DevOps Server 2022+
Node 20 runner

License

Apache-2.0.