Documentation
Everything you need to seal files, verify them, and integrate XSeal.
Getting started
- Open the home page and choose a file under “Seal a file.”
- XSeal computes the file’s SHA-256 hash in your browser and creates a signed seal.
- Save the returned Seal ID — you’ll need it (with the file) to verify later.
- Create a free account to keep every seal in your dashboard.
How sealing works
A seal binds three things together: the file’s SHA-256 digest, a UTC timestamp, and XSeal’s signature over them. Because SHA-256 is collision-resistant, any change to the file produces a different digest, so a later verification can tell authentic from altered.
Verifying a file
Go to Verify a file, upload the file and enter its Seal ID. XSeal recomputes the hash and checks the signature, then reports authentic (the file matches the seal) or altered (it does not).
Sharing a public certificate
Every seal has a public certificate page at /certificate/<Seal ID> — the link appears right after you seal a file, and as a “View public certificate” button on each seal in your dashboard. The page shows the file name, SHA-256 hash, size, sealed timestamp and signature, and XSeal re-verifies the signature when the page loads. Anyone with the link can review the certificate and upload their own copy of the file to confirm it is unchanged — no account required. The page reveals the hash and metadata, never the file itself.
Verifying independently with the public key
XSeal signs every certificate with an Ed25519 key. Fetch the service's public key at /verify/public-key and check a signature yourself, so you never have to trust this site at verification time. The signature is computed over the canonical JSON array [issuer, sealId, sha256, filename, sizeBytes, sealedAt]; verify the base64 signature from a downloaded certificate against that message with the public key — for example, in Node:
import { verify } from "node:crypto";
// cert = the "certificate" object from your downloaded xseal-<id>.json
const message = JSON.stringify([
cert.issuer, cert.sealId, cert.sha256, cert.filename, cert.sizeBytes, cert.sealedAt,
]);
const ok = verify(null, Buffer.from(message), publicKeyPem, Buffer.from(signatureB64, "base64"));Sealing API (Business plan)
Business accounts can create seals programmatically. Send the file’s SHA-256 hash and metadata to the sealing endpoint with your API key; XSeal returns the Seal ID, timestamp and signature as JSON. Webhooks notify your systems when a seal is created.
Plans & billing
Sealing a file and verifying are free to try. Paid plans raise your monthly sealing limit and unlock the API and webhooks; verification is always free. See pricing for the current plans. Paid plans are billed by Website Holding as merchant of record, renew automatically until cancelled, and can be changed or cancelled from your dashboard.
Your account & settings
A free account stores your seal history so you never lose a Seal ID. From your dashboard you can review every seal, open a seal's detail page, download its certificate, and delete seals you no longer need. To change your email or password, or to close your account and remove your data, contact support.
Data & privacy
XSeal stores only hashes and metadata, never file contents — see the privacy policy for details. For anything not covered here, the support team is happy to help.
Frequently asked questions
Is my file uploaded to XSeal?
No. Only the SHA-256 hash of your file is computed and sent — the contents of your document never leave your browser or reach our servers.
What exactly does a seal prove?
That a specific file existed in an exact, byte-for-byte form at the sealed UTC timestamp. It does not assert authorship, ownership, or the legality or truth of the contents.
How do I verify a file later?
Open Verify, upload the file and enter its Seal ID. XSeal recomputes the hash and checks the signature, then reports authentic or altered.
What if I lose the Seal ID?
A free account keeps every seal in your dashboard, so you can always find the ID. Without the ID (or an account), a seal cannot be looked up.
Can I share a seal without sending the file?
Yes. Every seal has a public certificate page at /certificate/<Seal ID> that shows the hash, timestamp and signature and re-verifies the signature on load. Share the link and anyone can confirm the seal — and upload their own copy to check it — without an account. The page never exposes the file itself.
What files and sizes are supported?
Any document up to 25 MB. Executable file types are refused for safety. Because only the hash matters, the file format is irrelevant.
Is a seal a qualified electronic signature (eIDAS)?
No. A seal is tamper-evidence — proof of integrity and time — not a qualified electronic signature.
How is billing handled?
Paid plans are billed by Website Holding as merchant of record; your statement shows Website Holding. Sealing limits depend on your plan, and verification is always free.
Can I delete a seal or close my account?
Yes. Delete individual seals from your dashboard at any time, or contact support to close your account and remove your data.