For Developers & Engineers
How LayerV Works

Authentication before visibility

Traditional security defends what attackers can already see. LayerV inverts the model: your infrastructure doesn't exist on the network until identity is verified. There's nothing to find, nothing to probe, nothing to attack.

The Paradigm Shift

The fundamental flaw is visibility itself

Traditional Security

Discover → Connect → Authenticate → Defend. Your infrastructure sits on the internet with open ports, public DNS, visible to every scanner. Firewalls, WAFs, and VPNs try to protect what's already exposed. Attackers get unlimited free reconnaissance.

LayerV

Authenticate → Connect → Access. Infrastructure is cryptographically invisible by default. No ports, no DNS response, no TCP handshake. Only after identity is verified does a path to the resource come into existence — scoped to one user, one device, one session.

The phone book analogy: Today, every service has a public listing in DNS — anyone can look up the address and attack it. With LayerV, the protected resource has no listing. When a user authenticates, a single entry appears — visible only to that user, on that device, for that session. When the session ends, the entry is erased. Everyone else looking at the phone book sees nothing.
Process

Four steps to invisible infrastructure

01

Authenticate

User authenticates with your existing identity provider — Okta, Azure AD, Google. No new credentials, no friction. This happens before any network connection to the protected resource.

Okta SAML 2.0 / OIDC · Azure AD · Any OAuth2 IdP
02

Mint QURL

Post-auth, your backend calls LayerV's API to mint a QURL — a single-use, time-bound, device-locked credential. LayerV opens a pinhole for this specific user only.

REST API · <50ms latency · Cryptographically signed
03

Access

User follows the QURL in any browser. No agent, no plugin, no client to install. The resource materializes for this session only. To everyone else, it remains invisible.

Browser-native · No client required · E2E encrypted
04

Vanish

Session ends. QURL expires. Pinhole closes. Resource returns to invisible state. Full audit trail with cryptographically-bound identity for compliance.

SOC 2 · HIPAA · CISA · SIEM integration
Core Technology

Introducing the QURL

A QURL (Quantum URL — say “curl”) is not a login link. It’s a temporary wormhole. A single-use, time-bound access credential that brings a service into existence for one user and collapses when the session ends. Without a QURL, the target doesn’t exist on the network. You can’t attack what isn’t there.

🔒

Before QURL

Service is cryptographically unreachable. No open ports, no DNS resolution, no visible endpoints. Scanners find nothing.

QURL Active

Identity verified. Wormhole opens. Short-lived, private access session where the service temporarily exists for this user only.

👻

After Session

Access path removed. QURL consumed and destroyed. Service returns to invisible state. Audit trail preserved.

QURLs don’t log users in. They temporarily bring services into existence.

Magic Links / Pre-signed URLs

  • One-time authentication only
  • Site remains publicly reachable
  • Attack surface unchanged
  • Target exists whether or not link is used

QURLs

  • One-time access to invisible resource
  • Service unreachable before and after
  • Attack surface eliminated entirely
  • Target doesn’t exist without the wormhole
For Developers

One API call creates access

No application rewrite required. LayerV sits in front of what you already run.

# Mint a QURL after user authenticates with your IdP

curl -X POST https://api.qurl.link/v1/qurl \
  -H "Authorization: Bearer $AUTH0_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "target_url": "https://admin.yourapp.com/dashboard",
    "expires_in": "1h",
    "one_time_use": true,
    "access_policy": {
      "geo_allowlist": ["US", "CA"]
    },
    "description": "Admin dashboard session"
  }'

# Response
{
  "data": {
    "resource_id": "r_K8xQp9H2sJ9",
    "qurl_link": "https://qurl.link/at_abc123def456",
    "qurl_site": "https://r_K8xQp9H2sJ9.qurl.site",
    "expires_at": "2025-01-15T11:30:00Z"
  },
  "meta": { "request_id": "req_abc123" }
}
import { LayerV } from '@layerv/sdk';

const client = new LayerV();  // Uses AUTH0 token from env

// After Okta/Azure AD callback succeeds:
app.post('/auth/callback', async (req, res) => {
  const user = await verifyIdpToken(req.body.token);

  // Mint a QURL — resource becomes reachable
  const { data } = await client.qurl.create({
    target_url: 'https://admin.yourapp.com/dashboard',
    expires_in: '1h',
    one_time_use: true,
    access_policy: {
      geo_allowlist: ['US', 'CA']
    },
    description: `Session for ${user.email}`
  });

  // Redirect user through the access link
  res.redirect(data.qurl_link);
});
import layerv
from flask import redirect, request

client = layerv.Client()  # Uses AUTH0 token from env

# After IdP authentication callback:
@app.route("/auth/callback", methods=["POST"])
def auth_callback():
    user = verify_idp_token(request.form["token"])

    # Mint a QURL — resource materializes
    resp = client.qurl.create(
        target_url="https://admin.yourapp.com/dashboard",
        expires_in="1h",
        one_time_use=True,
        access_policy={"geo_allowlist": ["US", "CA"]},
        description=f"Session for {user.email}"
    )

    # Redirect through the access link
    return redirect(resp.data.qurl_link)

Full API Reference →   Webhooks · Batch create · Access policies · Quota management

Proof

What attackers see: before vs. after

Results from nmap scan against a protected resource.

Before LayerV
$ nmap -sS target.example.com

PORT      STATE  SERVICE
22/tcp    open   ssh
443/tcp   open   https
3389/tcp  open   ms-wbt-server
5432/tcp  open   postgresql
8080/tcp  open   http-proxy

Nmap done: 1 IP address (1 host up)
scanned in 2.41s
5 open ports = 5 attack vectors
After LayerV
$ nmap -sS -Pn -p- target.example.com

All 65535 scanned ports are in
ignored states.
Not shown: 65535 filtered tcp
ports (no-response)

Nmap done: 1 IP address (1 host up)
scanned in 1312.48s
0 discoverable ports = 0 attack surface
Architecture

How LayerV integrates with your stack

Your internal architecture stays intact. The front door becomes invisible. Keycloak, Istio, service meshes, load balancers — all remain, but move behind the dark perimeter.

CURRENT — EXPOSED
User
DNS
Load Balancer
Reverse Proxy
Auth (IdP)
App
All infrastructure reachable before authentication. 5+ exposed attack surfaces.
With LayerV NHP / QURLs
LAYERV — INVISIBLE
User
Browser only
Auth
LayerV
Access Controller
LayerV VPC
QURL
Load Balancer
DARK
Reverse Proxy
DARK
Auth (IdP)
DARK
App
No public DNS. No exposed endpoints. No client agent. All infrastructure invisible until authenticated.

WHAT CHANGES

Public DNS entries → Eliminated
Static application URLs → Ephemeral QURLs
Open ports & endpoints → All dark
Auth redirect flow → Pre-auth
Client software → None (browser only)

WHAT STAYS

Identity provider (federated)
Service mesh (Istio / Envoy)
Load balancers (internal routing)
User databases & logging
Internal account provisioning

THREATS ELIMINATED

DNS enumeration — No records
Port scanning — No ports
DDoS against auth infra — Unreachable
Credential stuffing — No login endpoint
Pre-auth exploitation — Nothing connectable

Your internal architecture stays intact. The front door becomes invisible.

Comparison

Why not VPN, ZTNA, or firewalls?

Every existing solution operates after your infrastructure is already visible. LayerV adds the missing layer.

VPNZTNAFirewallLayerV
Encrypts traffic
Identity-based access
Blocks malicious traffic
Hides infrastructure from scans
Prevents reconnaissance
Zero exposed attack surface
No client/agent required

Your IdP handles who gets access. LayerV handles who can see.

Trust & Security

How LayerV secures itself

LayerV is in the trust chain. We’re built from the ground up to be there.

Minimal Public Surface

Only the coordination layer is publicly reachable — the piece that mints QURLs and brokers connections. Purpose-built to be exposed, hardened for that job, with a tiny attack surface compared to a typical web app.

UDP-Based Protocol

The NHP knock mechanism uses UDP, not TCP. No handshake to exploit, no SYN floods, no connection state to exhaust. Invalid packets are silently dropped. There’s nothing to grab onto.

Noise Protocol Cryptography

All communication secured using the Noise Protocol framework — the same foundation used by Signal and WireGuard. Mutual authentication happens cryptographically before any meaningful data is exchanged.

We Don’t Hold Your Keys

LayerV doesn’t store passwords or authenticate users directly — that’s your IdP. Even if LayerV were compromised, attackers couldn’t mint valid QURLs without authenticating through your identity system.

Attackers Can’t Find Our Customers

No public directory of LayerV customers. Attackers scanning the internet can’t identify which companies use NHP or which resources are protected. They can’t target what they can’t identify.

We Eat Our Own Cooking

LayerV’s internal infrastructure is NHP-protected. The management plane, the control systems — none of it is visible to the public internet. Built on OpenNHP, the open standard developed with the Cloud Security Alliance.

Audit & Compliance

Every connection carries cryptographic identity

LayerV captures and logs original source IPs. But more importantly, every connection carries cryptographic identity attribution that exceeds what IP logging alone provides.

Traditional IP Logging

  • IPs can be spoofed or forged
  • Shared via NAT, VPN, carrier-grade NAT
  • “Unknown actor” in forensics reports
  • No link between IP and actual identity
  • Insufficient for compliance attribution

LayerV Identity-Enriched Logs

  • Source IP captured at proxy layer
  • Plus cryptographically verified user identity
  • Plus session context, resource ID, timestamp
  • Every access event tied to a verified principal
  • Webhook events for SIEM (Splunk, Sentinel)
webhook payload · qurl.accessed 
{
  "type": "qurl.accessed",
  "owner_id": "auth0|user123",
  "timestamp": "2025-01-08T10:35:00Z",
  "data": {
    "resource_id": "r_K8xQp9H2sJ9",
    "access_token_id": "at_xyz789",
    "src_ip": "192.168.1.100",        // Original source IP captured
    "user_agent": "Mozilla/5.0...",
    "geo": "US",                       // Geo-resolved from source IP
    "identity": "[email protected]"   // Cryptographically verified
  }
}

IP + verified identity + session context = attribution that stands up in court.

Integration

Choose your deployment path

From zero-change integration to full infrastructure invisibility. Keep your existing IdP, keep your existing tools.

QURL API

Available Now

The fastest path. Generate temporary access credentials via REST API — no infrastructure changes required. Works with any web application.

POST /v1/qurls

JavaScript SDK

Available Now

Deep integration for applications with granular control over authentication flows. Node.js, TypeScript, Browser, React Native.

npm install @layerv/sdk

Sidecar Agent

Coming Soon

Zero-trust networking for cloud workloads. Drop-in protection for EKS, ECS, and EC2 without code changes.

helm install layerv-agent

Enterprise Licensed

Contact Sales

Self-hosted on your infrastructure. Full control, air-gapped environments, regulatory compliance. Complete ownership of the stack.

On-premise deployment
Ready?

Make your first app invisible

Pick the resource that keeps you up at night. Prove it works in 30 days.

Get Started Free → Talk to Our Team

Evaluating for your organization? See the Security Leader view → — business case, comparison tables, and ROI without the code.

Security Leader View →