API Reference

Radar

Post Quantum

TLS

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Check Post-Quantum TLS support

client.radar.postQuantum.tls.support(TLSSupportParams { host } query, RequestOptionsoptions?): TLSSupportResponse { bugs, host, kex, 2 more }

GET/radar/post_quantum/tls/support

Tests whether a hostname or IP address supports Post-Quantum (PQ) TLS key exchange. Returns information about the negotiated key exchange algorithm, whether it uses PQ cryptography, and any detected TLS implementation bugs (Split ClientHello, HRR failure, etc.).

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

User Details WriteUser Details Read

ParametersExpand Collapse

query: TLSSupportParams { host }

host: string

Hostname or IP address to test for Post-Quantum TLS support, optionally with port (defaults to 443).

minLength1

ReturnsExpand Collapse

TLSSupportResponse { bugs, host, kex, 2 more }

bugs: Bugs { hrrFailure, splitClientHello, unknownKeyshare }

hrrFailure: boolean

Server sends a HelloRetryRequest but fails to complete the handshake after the client sends the second ClientHello. Often caused by non-compliant TLS 1.3 implementations on shared hosting providers.

splitClientHello: boolean

Server rejects fragmented ClientHello caused by large PQ keyshare, but accepts classical (non-PQ) handshakes. Typically caused by middleboxes or firewalls that cannot reassemble split TLS ClientHello messages.

unknownKeyshare: boolean

Server cannot handle an unknown key exchange algorithm in the ClientHello keyshare extension. Compliant servers should respond with HelloRetryRequest for a supported algorithm.

host: string

The host that was tested

kex: number

TLS CurveID of the negotiated key exchange

kexName: string

Human-readable name of the key exchange algorithm

pq: boolean

Whether the negotiated key exchange uses Post-Quantum cryptography (specifically X25519MLKEM768)

Check Post-Quantum TLS support

TypeScript

HTTP

TypeScript

Python

Go

Terraform

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.radar.postQuantum.tls.support({ host: 'cloudflare.com' });

console.log(response.bugs);

200 example

{
  "result": {
    "bugs": {
      "hrrFailure": true,
      "splitClientHello": true,
      "unknownKeyshare": true
    },
    "host": "host",
    "kex": 0,
    "kexName": "kexName",
    "pq": true
  },
  "success": true
}

Returns Examples

200 example

{
  "result": {
    "bugs": {
      "hrrFailure": true,
      "splitClientHello": true,
      "unknownKeyshare": true
    },
    "host": "host",
    "kex": 0,
    "kexName": "kexName",
    "pq": true
  },
  "success": true
}