API v1

REST API for programmatic paste creation and management. All endpoints return JSON. Authentication via X-API-Key header.

Authentication

Register to get an API key: POST /api/v1/account/register
Include in requests: X-API-Key: np_xxxxxxxxxxxx

Endpoints

POST/api/v1/paste

Create a new paste. Content must be base64-encoded ciphertext (client-side encrypted with AES-256-GCM). The encryption key is returned once. Save it.

GET/api/v1/paste/{id}

Get paste metadata (no content or keys). Returns syntax, expiry, view count, size.

GET/api/v1/paste/{id}/raw

Download the raw encrypted paste blob. Returns application/octet-stream.

DELETE/api/v1/paste/{id}

Delete a paste. Requires X-Delete-Token header or ?delete_token= query parameter.

POST/api/v1/account/register

Create an anonymous account. Returns an API key. No email or personal data required.

GET/api/v1/account/status

Get account status: subscription tier, paste usage, API request count. Requires X-API-Key.

POST/api/v1/payment/create

Create a payment invoice for premium subscription. Returns a Monero subaddress and QR code. Requires X-API-Key.

GET/api/v1/payment/{id}

Check payment status. Returns confirmations count and completion status. Requires X-API-Key.

Rate Limits

TierLimit
Free20 pastes/hour
PremiumUnlimited

Encryption

NoirPaste uses AES-256-GCM client-side encryption. The server never sees plaintext. The decryption key is embedded in the URL fragment (#key=...). Fragments are never transmitted in HTTP requests.

For the API: the key is returned once in the creation response. Store it securely. For the CLI: noirpaste create --encrypt file.txt handles everything automatically.