Registering a WireGuard Public Key

1. Generate Public/Private Key & Preshared Key

# Restrict the files created below to the current user (the private key and PSK are secrets)
umask 077

# Generate Private Key
wg genkey > privatekey

# Derive Public Key from the private key
wg pubkey < privatekey > publickey

# Generate a Preshared Key
wg genpsk > psk

2. Obtain the Authorization Endpoint IP and Port for the desired Server Endpoint

Use the Instance Discovery API to fetch a server instance. The response contains an array of endpoints. Extract the WireGuard endpoint and use its auth_ip and auth_port to perform the HTTPS request. Also extract the cert_dn property, which you need later for the certificate validation.

3. Perform the HTTPS registration request

Post-quantum Safety

In order to achieve post-quantum safety, the registration of the WireGuard public key and the exchange of the PSK must take place over a TLS 1.3 channel that uses a post-quantum-safe key exchange. This typically means a hybrid TLS handshake where a classical algorithm such as X25519 is combined with a post-quantum scheme like Kyber. Because the session keys are derived from both components, the connection remains secure even if elliptic-curve cryptography is broken in the future, so recorded registration traffic cannot be decrypted later by a quantum adversary. How you actually enforce this level of protection depends on your HTTP client and the TLS library it relies on.

TLS Certificate Validation

As there is no hostname defined for the endpoint (e.g. you will call https://1.2.3.4:3000/auth), you need to verify the TLS certificate manually:

  • Validate the server certificate against the attached Root CA certificate.
  • Validate the server certificate's common name (CN) against the cert_dn value obtained in step 2.
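Putting steps 1 to 3 together, the following is an added Python example (not the provider's own client code) that pins the attached Root CA, requires TLS 1.3, and checks the server certificate's CN against cert_dn before sending the registration request; the JSON field names (wg_pubkey, psk) and the request format for /auth are assumptions.

```python
import http.client
import json
import ssl

# Constructed example, not the provider's client: the JSON body fields
# (wg_pubkey, psk) and the /auth request format are assumptions.


def build_pinned_context(root_ca_pem):
    """TLS 1.3 client context that trusts only the attached Root CA file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_verify_locations(cafile=root_ca_pem)
    # Chain validation against the pinned CA stays mandatory; built-in
    # hostname matching is disabled because the peer is addressed by IP,
    # and the expected name (cert_dn) is checked explicitly instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def common_name(peercert):
    """Subject CN from the dict returned by ssl.SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cn_matches(peercert, cert_dn):
    """True only if a CN is present and equals the cert_dn from step 2."""
    cn = common_name(peercert)
    return cn is not None and cn == cert_dn


def register_pubkey(auth_ip, auth_port, cert_dn, root_ca_pem, pubkey, psk):
    """POST the WireGuard public key and PSK to https://auth_ip:auth_port/auth."""
    conn = http.client.HTTPSConnection(
        auth_ip, auth_port, context=build_pinned_context(root_ca_pem), timeout=10)
    conn.connect()  # handshake: the chain is validated against the pinned Root CA here
    if not cn_matches(conn.sock.getpeercert(), cert_dn):
        conn.close()
        raise ssl.SSLCertVerificationError("server certificate CN does not match cert_dn")
    body = json.dumps({"wg_pubkey": pubkey, "psk": psk})
    conn.request("POST", "/auth", body=body,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data
```

Whether the handshake negotiates a post-quantum hybrid group depends on the OpenSSL build behind the ssl module; this example does not select one itself.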
