API reference
Seal files and verify hashes programmatically — from CI, a webhook, or your back office. The same real cryptographic core that powers the website, exposed as a small JSON REST API.
Authentication
Every request is authenticated with an API key sent as a Bearer token:
Authorization: Bearer xseal_live_your_key_hereProgrammatic API access is included with the Business plan. Create and manage keys in the API keys section of your dashboard — the full key is shown once, at creation, so store it somewhere safe (only a hash is kept on our side). Treat a key like a password; if one leaks, revoke it from the dashboard and create a new one.
Base URL
https://xseal.nl/api/v1Seal a file — POST /api/v1/seals
Compute your file’s SHA-256 locally and send just the hash — the file itself never leaves your machine. Each call creates a real signed seal and counts toward your monthly plan quota.
curl -X POST https://xseal.nl/api/v1/seals \
-H "Authorization: Bearer xseal_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{"sha256":"<64-char hex sha256 of your file>","filename":"contract.pdf"}'No hash to hand? For small payloads you can send {"content":"…"} and XSeal will hash it server-side. A successful call returns 200 with the seal:
{
"sealId": "6f2c…",
"sha256": "e3b0c442…",
"filename": "contract.pdf",
"sealedAt": "2026-07-05T12:00:00.000Z",
"signature": "MEUCIQ…",
"verifyUrl": "https://xseal.nl/verify/6f2c…",
"quota": { "limit": 10000, "used": 1, "remaining": 9999 }
}The response also carries X-Quota-Limit and X-Quota-Remaining headers. Share the verifyUrl with anyone who needs to confirm the document later — no account required.
Look up a seal — GET /api/v1/seals/{id}
Re-verify a seal’s signature and read its metadata by id:
curl https://xseal.nl/api/v1/seals/6f2c… \
-H "Authorization: Bearer xseal_live_your_key_here"Returns { "found": true, "valid": true, "documentTitle": "…", "sealedAt": "…", "confidenceScore": 85 }, or 404 for an unknown id.
Verify a hash — POST /api/v1/verify
Check whether a file (by its hash) matches a seal — the CI use case: recompute the hash and ask XSeal if it still matches. Verification is always free.
curl -X POST https://xseal.nl/api/v1/verify \
-H "Authorization: Bearer xseal_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{"sealId":"6f2c…","sha256":"<64-char hex sha256>"}'Returns { "status": "valid", "authentic": true } when the file is unchanged, or { "status": "tampered", "authentic": false, "reason": "…" } when it has been altered (and status: "not-found" if no such seal exists).
Quotas & limits
Sealing counts toward your plan’s monthly seal quota (Business: 10,000/month — see pricing). When the cap is reached, sealing returns 429 until the next calendar month; verification is never capped.
Errors
| Status | Meaning |
|---|---|
200 | Success. |
400 | Malformed JSON, or a missing/invalid sha256 / sealId. |
401 | Missing, invalid or revoked API key. |
403 | Your plan doesn’t include API access — upgrade to Business. |
429 | Monthly seal quota reached. |
Every error responds with a JSON body of the shape { "error": "…" }. Back to the documentation home.