LayerV is a preemptive cybersecurity platform that makes infrastructure invisible to attackers. We implement the OpenNHP (Network Hiding Protocol) standard from the Cloud Security Alliance. Instead of detecting attacks after they start, we prevent them by eliminating the attack surface entirely.

How does LayerV work?

LayerV uses a 5-step authentication flow: (1) Knock - encrypted request sent, (2) Verify - identity and policy validated, (3) Grant - temporary tunnel opened, (4) Connect - resource visible only to authenticated user, (5) Audit - access logged. Protected resources have zero network presence until authentication succeeds.

No. VPNs encrypt traffic but servers remain visible and scannable. LayerV makes servers completely invisible - they have zero network presence until authentication succeeds. This is a fundamentally different approach called Network Hiding.

LayerV is generally available. Free tier includes 500 QURLs/month for developers. Enterprise plans with custom SLAs are available. Try the interactive playground at layerv.ai/qurl/playground — no signup required.

What identity providers does LayerV support?

LayerV integrates with major identity providers including Okta, Azure AD (Entra ID), Google Workspace, Auth0, and Ping Identity. Any OIDC or SAML-compatible provider can be integrated.

QURL stands for Quantum URL. It is a cryptographic, time-limited access link that hides a server's real address behind identity verification. QURLs are single-use credentials that self-destruct after access or expiration — eliminating persistent URLs that can be scraped, shared, or replayed. Try the interactive QURL Playground at layerv.ai/qurl/playground.

For Developers

Make Any Resource Invisible. One API Call.

POST a target_url. Get back a QURL. Your resource disappears from the public internet. No agents, no sidecars, no DNS changes.

The Paradigm Shift

Stop defending. Start disappearing.

Traditional: Defend What's Exposed

Deploy service to public internet
↓ Open ports 80/443
↓ Add firewall rules
↓ Configure WAF
↓ Monitor for attacks
↓ Patch vulnerabilities
↓ Hope nothing gets through

QURL: Nothing Exists Until Authenticated

Deploy service behind QURL
↓ User authenticates with IdP
↓ API mints a QURL
↓ Resource appears for that user only
↓ Session ends, resource vanishes
↓ Nothing to attack. Done.

The API

The QURL API

One required field. One endpoint. Any web resource.

curl -X POST https://api.layerv.ai/v1/qurls \
  -H "Authorization: Bearer $LAYERV_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "target_url": "https://internal.example.com/dashboard"
  }'

Response

{
  "data": {
    "resource_id": "r_k8xqp9h2sj9",
    "qurl_link": "https://qurl.link/at_abc123def456",
    "qurl_site": "https://r_k8xqp9h2sj9.qurl.site",
    "expires_at": "2026-03-06T10:30:00Z"
  },
  "meta": {
    "request_id": "req_abc123"
  }
}

target_url is the only required field. Everything else has sensible defaults. Full reference in the API docs.

Lifecycle

How a QURL works

Before

Resource has no public DNS. No open ports. Port scans return nothing. The service does not exist on the internet.

→

When Used

A cryptographic pinhole opens for exactly one user, one device, one session. Traffic flows through the QURL.

→

After Session

QURL expires. Pinhole closes. Full audit trail preserved. Resource returns to invisible.

QURLs don't log users in. They temporarily bring services into existence.

Reference

Full API options

All fields available on the POST /qurl endpoint.

POST /v1/qurl
{
  "target_url": "https://internal.example.com/dashboard",  // required
  "expires_in": "1h",              // duration: "1h", "7d", "1w" (default: 24h)
  "one_time_use": true,            // single-use access (default: false)
  "max_sessions": 5,               // concurrent session limit (default: 0 = unlimited)
  "access_policy": {
    "ip_allowlist": ["10.0.0.0/8"] // IP, geo, user-agent controls
  },
  "description": "Contractor access",
  "metadata": { "ticket": "JIRA-456" }
}

Integration

Four ways to integrate

IdP-Triggered

Fire QURL creation from your IdP post-auth webhook. Okta, Azure AD, Auth0 — any OIDC provider.

Middleware

Drop a middleware into your Express/Next.js/FastAPI stack. Auto-mint QURLs on authenticated requests.

SDK (Coming Soon)

JavaScript and Python SDKs are in development. In the meantime, the REST API works from any language with one HTTP call.

Direct API

One POST endpoint. One required field. Works from any language, any platform, any CI/CD pipeline.

Deployment

Two stages. Zero downtime.

Stage 1 — Overlay

Add QURL creation to your IdP post-auth flow. Existing access remains as fallback. No DNS changes. No firewall modifications. Test with one resource in production.

Stage 2 — Full Lockdown

Update DNS to point through QURL. Close all public ports. Resource is now invisible to the internet. Only QURL-authenticated sessions can reach it.

Architecture

Built on proven cryptography

Noise Protocol

Same key exchange as Signal and WireGuard. Forward secrecy, mutual auth.

OpenNHP

Cloud Security Alliance standard. Open-source protocol, open-source reference implementation.

Multi-Region AWS

Deployed across US-East and US-West. Sub-50ms QURL creation. 99.99% uptime target.

Auth0 JWT

Standard JWT-based authentication. OIDC compliant. Works with your existing IdP.

Fail-Open

Stage 1 overlay mode. If QURL is unreachable, existing access continues. Zero downtime risk.

Share with your CISO

Business impact, compliance benefits, and risk reduction metrics.

Security Leader Overview →

Get Started

Sign Up Free in 30 Seconds

curl -X POST https://api.layerv.ai/v1/qurls \ -H "Authorization: Bearer $LAYERV_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "target_url": "https://internal.example.com/dashboard" }'

{ "data": { "resource_id": "r_k8xqp9h2sj9", "qurl_link": "https://qurl.link/at_abc123def456", "qurl_site": "https://r_k8xqp9h2sj9.qurl.site", "expires_at": "2026-03-06T10:30:00Z" }, "meta": { "request_id": "req_abc123" } }

POST /v1/qurl { "target_url": "https://internal.example.com/dashboard", // required "expires_in": "1h", // duration: "1h", "7d", "1w" (default: 24h) "one_time_use": true, // single-use access (default: false) "max_sessions": 5, // concurrent session limit (default: 0 = unlimited) "access_policy": { "ip_allowlist": ["10.0.0.0/8"] // IP, geo, user-agent controls }, "description": "Contractor access", "metadata": { "ticket": "JIRA-456" } }