XSeal

API reference

Seal files and verify hashes programmatically — from CI, a webhook, or your back office. The same real cryptographic core that powers the website, exposed as a small JSON REST API.

Authentication

Every request is authenticated with an API key sent as a Bearer token:

Authorization: Bearer xseal_live_your_key_here

Programmatic API access is included with the Business plan. Create and manage keys in the API keys section of your dashboard — the full key is shown once, at creation, so store it somewhere safe (only a hash is kept on our side). Treat a key like a password; if one leaks, revoke it from the dashboard and create a new one.

Base URL

https://xseal.nl/api/v1

Seal a file — POST /api/v1/seals

Compute your file’s SHA-256 locally and send just the hash — the file itself never leaves your machine. Each call creates a real signed seal and counts toward your monthly plan quota.

curl -X POST https://xseal.nl/api/v1/seals \
  -H "Authorization: Bearer xseal_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"sha256":"<64-char hex sha256 of your file>","filename":"contract.pdf"}'

No hash to hand? For small payloads you can send {"content":"…"} and XSeal will hash it server-side. A successful call returns 200 with the seal:

{
  "sealId": "6f2c…",
  "sha256": "e3b0c442…",
  "filename": "contract.pdf",
  "sealedAt": "2026-07-05T12:00:00.000Z",
  "signature": "MEUCIQ…",
  "verifyUrl": "https://xseal.nl/verify/6f2c…",
  "quota": { "limit": 10000, "used": 1, "remaining": 9999 }
}

The response also carries X-Quota-Limit and X-Quota-Remaining headers. Share the verifyUrl with anyone who needs to confirm the document later — no account required.

Look up a seal — GET /api/v1/seals/{id}

Re-verify a seal’s signature and read its metadata by id:

curl https://xseal.nl/api/v1/seals/6f2c… \
  -H "Authorization: Bearer xseal_live_your_key_here"

Returns { "found": true, "valid": true, "documentTitle": "…", "sealedAt": "…", "confidenceScore": 85 }, or 404 for an unknown id.

Verify a hash — POST /api/v1/verify

Check whether a file (by its hash) matches a seal — the CI use case: recompute the hash and ask XSeal if it still matches. Verification is always free.

curl -X POST https://xseal.nl/api/v1/verify \
  -H "Authorization: Bearer xseal_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"sealId":"6f2c…","sha256":"<64-char hex sha256>"}'

Returns { "status": "valid", "authentic": true } when the file is unchanged, or { "status": "tampered", "authentic": false, "reason": "…" } when it has been altered (and status: "not-found" if no such seal exists).

Quotas & limits

Sealing counts toward your plan’s monthly seal quota (Business: 10,000/month — see pricing). When the cap is reached, sealing returns 429 until the next calendar month; verification is never capped.

Errors

StatusMeaning
200Success.
400Malformed JSON, or a missing/invalid sha256 / sealId.
401Missing, invalid or revoked API key.
403Your plan doesn’t include API access — upgrade to Business.
429Monthly seal quota reached.

Every error responds with a JSON body of the shape { "error": "…" }. Back to the documentation home.