Demo site · No real money · 18+

game.xyes.com is a technical demo — no deposits, no withdrawals, no real-money play. Real-money XYES play lives at xyes.com and is restricted to players aged 18+ (21+ in select jurisdictions).

Provably Fair

Provably Fair — how it works

XYES uses a commit-reveal scheme backed by SHA-256 so that every round outcome can be independently verified after the fact. No operator — including XYES — can alter the result after play begins.

XYES runs a provably fair SHA-256 commit-reveal engine across every demo game — Crash, Dice, Plinko, Baccarat, and more. Stakes are placed in USDT and BTC on xyes.com; on this lab site, every round is an audit target you can replay with crypto.subtle or CyberChef in your browser, with no KYC and no account required. The same engine powers our Hong Kong and Macau demo rollout.

Audit a round now

Authored byXYES Cryptography Lead·Lead Cryptographer, Trust & Safety

Reviewed byIndependent Cryptography Reviewer·External Security Advisor

Last updatedApril 17, 2026

Licensed real-money operator

#8048/JAZXYES Entertainment N.V.

Real-money XYES play operates on xyes.com under Curaçao eGaming master licence #8048/JAZ, held by XYES Entertainment N.V. (registered in Willemstad, Curaçao). This demo site (game.xyes.com) processes no real funds; all provably-fair audits on this page are honoured by the licensed entity on xyes.com.

Verify licence · Curaçao Gaming Control Board

Engine at a glance

32 bytes

SHA-256 digest

FIPS 180-4 output size

Network calls

during on-page verify

<1 ms

Typical compute

per hash in modern browsers

FIPS 180-4

NIST standard

federally certified primitive

Browser-only verify

Web Crypto API · no upload

No KYC · no accounts

Demo site · no wallet required

Open-source primitives

SHA-256 · HMAC (IETF / NIST)

TLS-enforced transport

HTTPS + HSTS on every route

1. Seed commit

Before each round, the server generates a random seed and publishes its SHA-256 hash. You see the hash, but never the seed itself.

2. Client seed

Your browser contributes a client seed — either a random value or a string you choose. Both seeds feed into the outcome function.

3. Deterministic outcome

The round result is a pure function of server seed + client seed + nonce. Identical inputs always produce identical outputs.

4. Reveal

After the round, the server reveals its seed. You can recompute the SHA-256 hash and confirm it matches the earlier commitment. If it does not match, the round is void.

5. Verify anywhere

Verification uses standard primitives (SHA-256, HMAC-SHA-256). You can verify with any tool — our scripts, a Python one-liner, or CyberChef.

How to audit a round

1Copy the server seed hash published before the round.
2Play, then copy the revealed server seed.
3Run SHA-256 on the revealed seed.
4Confirm the hash matches the pre-round commitment.
5Recompute the outcome using server seed + client seed + nonce.

Interactive verification

Verify a round yourself

Paste a server seed, a client seed and a nonce. Your browser runs SHA-256 and HMAC-SHA-256 via the Web Crypto API — no network call, nothing leaves the page. Load the sample round to see a known-good example.

Seeds never leave this tab

Hashes are computed via the W3C Web Crypto API (crypto.subtle). XYES never sees, logs, or stores the seeds you enter here — open your browser DevTools → Network tab and confirm zero requests fire when you click Run verification.

Server seed (revealed after round)Client seed (yours)Nonce

Audit in any language

Python — one-liner

import hashlib, hmac; print(hashlib.sha256(SERVER_SEED.encode()).hexdigest())
print(hmac.new(SERVER_SEED.encode(), f"{CLIENT_SEED}:{NONCE}".encode(), hashlib.sha256).hexdigest())

Node — native crypto

import { createHash, createHmac } from "node:crypto";
const commit = createHash("sha256").update(SERVER_SEED).digest("hex");
const hmac  = createHmac("sha256", SERVER_SEED).update(`${CLIENT_SEED}:${NONCE}`).digest("hex");

CyberChef — browser tool

Paste the revealed server seed into the CyberChef SHA-256 recipe. The output must match the committed hash byte-for-byte.

gchq.github.io / CyberChef

Cryptographic references

Inspect the primitive in a third-party toolOpen SHA-256 in CyberChef (GCHQ, open source)

Dispute resolution

If the hash doesn't match

If you recompute SHA-256 on the revealed server seed and the digest does not equal the pre-round commitment, the round is void by protocol — your stake is refunded in full, and the licensed XYES entity on xyes.com pays a 500 USDT integrity bounty to the first player who documents the mismatch. Here is how to claim it.

1Screenshot the committed hash, the revealed seed, your client seed, the nonce, and the round timestamp.
2Send the evidence to Telegram @xyes_sun. We acknowledge within 48 hours and post a public resolution within 7 days.
3If the issue remains unresolved after the 7-day window, file a complaint with the Curaçao Gaming Control Board (the regulator recognised on our Organization schema).

First-response SLA48 hours, 7 days a week

Support · Telegram @xyes_sun File a complaint · Curaçao Gaming Control Board

Ready to audit a live round?

Every XYES demo game uses the same commit-reveal engine you just read about — open any round, pull its commit hash, and replay it with the CyberChef link above.

Play Crash Play Dice All provably fair games

Read our Responsible Gaming policy