Xexle HashCheck
API documentation

HashCheck API

HashCheck provides a simple public JSON API for checking file hashes without uploading file contents. The default lookup response returns only hashes that were found.

Base URL

https://hashcheck.xexle.com/api/check

Lookup requests use /api/check. Add requests use /api/add. Validator renewal requests use /api/renew-validator. Requests may use GET or POST form fields. Hash values are normalized to lowercase. Separate multiple hashes with commas, spaces, semicolons or new lines.

Response Format

{
  "status": true,
  "data": {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 1
  },
  "message": "Optional message only when there is something to report."
}
Field Meaning
status true means the request was accepted and processed. It does not mean every hash was found.
data Object keyed by hash. Values describe lookup status: 0 not found, 1 Xexle service list, 2 trusted validator, 3 user-submitted.
message Included only for useful service messages, such as cooldown, block, empty input or partial processing notices.

Lookup

Default found-only lookup

GET /api/check?hashes=hash1,hash2

The default response contains only hashes that were found. Unknown hashes are omitted from data. This keeps responses compact and avoids treating absence as a legal or factual conclusion. 

curl "https://hashcheck.xexle.com/api/check?hashes=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
{
  "status": true,
  "data": {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 1
  }
}

Full 1/0 lookup

GET /api/check?hashes=hash1,hash2&include_missing=1

Use include_missing=1 when your integration needs an explicit result for each valid hash. The legacy equivalent is found_only=0. 

{
  "status": true,
  "data": {
    "hash1": 1,
    "hash2": 0
  }
}

Lookup Codes

Code Meaning
0 The hash was not found in the HashCheck database. This is available only in full mode.
1 The hash is present in the Xexle service list.
2 The hash was submitted by a trusted validator.
3 The hash was submitted by a user and is not verified.

Add Hashes

Online user submissions

GET /api/add?hashes=hash1,hash2

Anonymous submissions are intended for the online Add page. They are stored separately as user-submitted records, marked as from_user, limited to 3 valid hashes per request and limited to one request every 15 minutes. They must not be treated as a verified blocklist.

Trusted validator API submissions

GET /api/add?hashes=hash1,hash2&validator=VALIDATOR_TOKEN

API additions require a validator token. Validator access is intended for authorized organizations, platforms, researchers, public bodies and other trusted submitters. To request a validator key, contact Xexle support through the site support channel or contact form. See Validators for the verification process. Validator tokens must be kept private and must not be embedded in public client-side code.

Renew validator token

GET /api/renew-validator?validator=OLD_VALIDATOR_TOKEN

This endpoint validates the existing validator token, creates a new token for the same validator record, removes the old token hash from the validators table and returns the new token once. Store the new token immediately on a trusted server-side system. 

{
  "status": true,
  "data": {
    "validator": "NEW_VALIDATOR_TOKEN",
    "key": "sha256_hash_of_new_token",
    "old_key_removed": 1
  }
}

Accepted Hashes And Limits

Item Current value
Accepted hash format Hex strings with length 32, 40, 64 or 128 characters.
Lookup limit Up to 1000 valid hashes per request.
User add limit Online user submissions: up to 3 valid hashes per request.
Validator add limit Up to 10000 valid hashes per request.
Cooldown Lookup: 30 seconds. Online user add: 15 minutes. Validator add: 5 seconds.

Safety Notes