Technical Guide · 15 Min Read · Apr 2026

HOW PROVABLY FAIR ACTUALLY WORKS

ProvenlyFair Editorial Team
Published Apr 1, 2026 · 15 min read
A deep technical breakdown of SHA-256 hash verification in provably fair gambling. We walk through the exact cryptography, show real hash examples, and teach you how to verify bets on Stake, Roobet, and other platforms step by step.

The Problem: You Trust, But You Cannot Verify

At a traditional online casino, the outcome of every game is determined by a Random Number Generator (RNG) running on the casino's server. You never see the RNG. You never see the seed. You never see the algorithm. A third-party auditor like eCOGRA reviews the system periodically and issues a certificate.

But this creates a fundamental problem: you are trusting a chain of organizations rather than verifying the math yourself. The auditor checks a sample of outcomes over a time window. They cannot guarantee that your specific bet, on your specific spin, at your specific moment was fair.

Provably fair eliminates this trust chain entirely. Instead of trusting anyone, you verify the cryptographic proof yourself. If you have not read our introductory guide yet, start with What Is Provably Fair Gambling? first.

The Solution: Cryptographic Proof

Provably fair systems use a commitment scheme built on cryptographic hashing. The casino commits to a game outcome before the bet happens, and the player contributes randomness that the casino cannot predict. After the bet, all inputs are revealed so anyone can independently recompute and verify the result.

There are four components to every provably fair bet:

1. Server Seed (The Casino's Commitment)

The casino generates a random string. Before you place any bet, they publish the SHA-256 hash of this seed. Because SHA-256 is a one-way function, you can see the hash but cannot determine the original seed. This locks the casino into their chosen seed -- they cannot change it later without the hash changing.

Example Server Seed
7c1f7a3e9b2d4f8a1c6e0d5b3a9f2e4d
Its SHA-256 Hash (shown to you before the bet)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2. Client Seed (Your Input)

You provide your own random string, or the casino generates a default one that you can change at any time. This seed ensures you have direct influence over the outcome. Since the casino published their hash before seeing your client seed, they could not have tailored the server seed to produce a specific result against your input.

Example Client Seed
MyRandomSeed2026
3. Nonce (Bet Counter)

The nonce is a simple integer that starts at 0 and increments by 1 with each bet you place under the current seed pair. It ensures that every bet produces a unique outcome even if the server seed and client seed remain the same. Your first bet uses nonce 0, your second uses nonce 1, and so on.

Example Nonce
42 (your 43rd bet with this seed pair)
4. Combined Hash = Game Result

The game outcome is computed by combining all three inputs using HMAC-SHA256. The server seed is the key, and the message is the client seed concatenated with the nonce. The resulting 64-character hex string is then converted into a game result (a crash multiplier, a dice roll, mine positions, etc.).

HMAC-SHA256 Formula
HMAC_SHA256(server_seed, client_seed:nonce)
Example Output
a1f2c3d4e5b6a7f8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2

Step-by-Step: How a Provably Fair Bet Works

Here is exactly what happens during a single provably fair bet, from start to finish:

Before the Bet

1. Casino generates a server seed — a random string known only to them. They compute its SHA-256 hash and show the hash to you. This is the commitment. They cannot change the seed without the hash changing.
2. You set your client seed — you either accept the auto-generated one or type your own. The casino does not know what you will choose until you submit it.
3. Nonce starts at 0 — each new seed pair resets the nonce counter. It increments automatically with every bet.

During the Bet

4. You place a bet — the casino's server combines the server seed, your client seed, and the current nonce using HMAC-SHA256 to produce a hash.
5. Hash converts to a game result — the hex hash is parsed to produce the game outcome. For dice, specific bytes map to a number 0-9999. For crash, the hash prefix determines the multiplier. Each game has its own conversion algorithm.
6. Nonce increments — the nonce advances by 1, ready for your next bet.

After the Bet (Verification)

7. You rotate your seed pair — when you are ready to verify, you change your client seed. This triggers the casino to reveal the previous server seed (unhashed).
8. Verify the commitment — take the revealed server seed and compute SHA-256 yourself. The result must exactly match the hash the casino showed you before the bet. If it does not match, the casino cheated.
9. Recompute the outcome — using the revealed server seed, your client seed, and the nonce, compute HMAC-SHA256 yourself. Convert the hash to a game result using the same algorithm. It must match what the casino showed you. If it matches, the bet was provably fair.

SHA-256 Explained Simply

SHA-256 (Secure Hash Algorithm 256-bit) is the same cryptographic function that secures Bitcoin transactions. It takes any input and produces a fixed 64-character hexadecimal string. Two critical properties make it perfect for provably fair gambling:

One-Way Function
  • Given an input, computing the hash takes milliseconds
  • Given a hash, finding the original input is mathematically infeasible
  • There is no known shortcut, backdoor, or method to reverse SHA-256
  • This is why the casino can show you the hash without revealing the seed
Collision Resistant
  • It is practically impossible to find two different inputs that produce the same hash
  • Even changing one character in the input produces a completely different hash
  • This guarantees the casino cannot find a different seed that matches the committed hash
  • 2^256 possible outputs = more combinations than atoms in the observable universe

Here is a concrete demonstration. Watch how a tiny change in input produces a completely different hash:

Input: "hello"
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Input: "hello1" (just one character added)
91e9240f415223982edc345532630710e94a7f52cd5f48f5ee1afc555078f0ab
Input: "Hello" (just capitalized the H)
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Every output looks completely random and unrelated, even though the inputs differ by a single character. This property is called the avalanche effect, and it is what makes the commitment scheme work.

How to Verify Your Bets

Every provably fair casino provides a way to check your bet history and verify outcomes. Here is how to do it on the two largest platforms.

Verify on Stake.com

1. Click your avatar in the top-right corner and select Fairness from the dropdown menu.
2. You will see your Active Client Seed and the Hashed Server Seed for your current session.
3. To verify past bets, click Change Client Seed. This reveals your previous server seed (unhashed).
4. Navigate to your Bet History. Click any bet to expand it and see the server seed, client seed, and nonce.
5. Click the Verify button. Stake will recompute the hash and show you the result matches. You can also paste the values into any independent SHA-256 tool to verify outside of Stake.

Verify on Roobet

1. Open a provably fair game (Crash, Dice, or Towers) and click the Fairness shield icon.
2. You will see your current Client Seed and the Server Seed Hash.
3. Change your client seed to reveal the previous server seed. Roobet will display it in the Previous Seeds tab.
4. Copy the server seed and hash it using any SHA-256 calculator. Compare the result against the hash that was shown to you before the bet.
5. Use Roobet's built-in verification tool or an independent HMAC-SHA256 calculator to recompute the game result from the server seed, client seed, and nonce.

Pro Tip: Independent Verification

Never rely solely on the casino's own verification tool. Use an independent HMAC-SHA256 calculator (search for "HMAC-SHA256 online") to recompute results yourself. If the casino's tool and the independent tool both produce the same result, the bet was fair beyond any doubt.
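
Steps 8 and 9 of the walkthrough and the independent-verification tip above can be carried out offline with a short script. This is an added example, not code from the original guide or from any casino. The server seed is constructed, seeds are assumed to be hashed as UTF-8 text, and the dice conversion (first four bytes scaled to 0-9999) is an assumed stand-in, since each game defines its own conversion algorithm.

```python
import hashlib
import hmac

def verify_commitment(revealed_seed: str, committed_hash: str) -> bool:
    """Step 8: SHA-256 of the revealed seed must equal the pre-bet hash."""
    digest = hashlib.sha256(revealed_seed.encode()).hexdigest()
    return hmac.compare_digest(digest, committed_hash.strip().lower())

def bet_digest(server_seed: str, client_seed: str, nonce: int) -> str:
    """Step 9: HMAC_SHA256(server_seed, client_seed:nonce) as 64 hex chars."""
    message = f"{client_seed}:{nonce}".encode()
    return hmac.new(server_seed.encode(), message, hashlib.sha256).hexdigest()

def dice_roll(digest_hex: str) -> int:
    """ASSUMED conversion: first 4 bytes as a fraction of 2**32, scaled to 0-9999."""
    return int(digest_hex[:8], 16) * 10000 // 2**32

def audit_session(committed_hash, revealed_seed, client_seed, bets):
    """Check every (nonce, reported_roll) pair; return a list of findings."""
    if not verify_commitment(revealed_seed, committed_hash):
        return ["revealed server seed does not match the committed hash"]
    findings, expected_nonce = [], 0
    for nonce, reported in bets:
        # The nonce starts at 0 and rises by 1 per bet, so a jump means a
        # bet is absent from the history being audited.
        if nonce != expected_nonce:
            findings.append(f"expected nonce {expected_nonce}, history shows {nonce}")
        expected_nonce = nonce + 1
        actual = dice_roll(bet_digest(revealed_seed, client_seed, nonce))
        if actual != reported:
            findings.append(f"nonce {nonce}: casino showed {reported}, recomputed {actual}")
    return findings

# Constructed sample session (not real casino data).
SERVER_SEED = "constructed-server-seed-for-demo"
CLIENT_SEED = "MyRandomSeed2026"
COMMITTED = hashlib.sha256(SERVER_SEED.encode()).hexdigest()  # saved before betting
HONEST = [(n, dice_roll(bet_digest(SERVER_SEED, CLIENT_SEED, n))) for n in range(3)]
# Same history with the roll at nonce 1 altered by one.
TAMPERED = [(n, (r + 1) % 10000 if n == 1 else r) for n, r in HONEST]

if __name__ == "__main__":
    print(audit_session(COMMITTED, SERVER_SEED, CLIENT_SEED, HONEST))
    print(audit_session(COMMITTED, SERVER_SEED, CLIENT_SEED, TAMPERED))
    print(audit_session(COMMITTED, "swapped-seed", CLIENT_SEED, HONEST))
```

The commitment check only carries weight if the hashed server seed was recorded before the first bet, so save it when the seed pair is created rather than reading it back from the casino afterwards.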

Which Casinos Are Provably Fair?

Not all crypto casinos implement provably fair verification. Here are the platforms we have tested and confirmed implement it correctly. For a full ranked list, see our Provably Fair Casinos page.

Casino | Provably Fair Games | Verification Method | Our Review
Stake.com | Dice, Crash, Limbo, Mines, Keno, Hilo, Plinko, Wheel | HMAC-SHA256 + built-in verifier | Full Review
Roobet | Crash, Dice, Towers | HMAC-SHA256 + fairness panel | Full Review
Rainbet | Crash, Dice, Mines, Cases | HMAC-SHA256 + in-game verification | Full Review
Rollbit | Rocketpot (Crash), Roulette | SHA-256 commitment + seed reveal | Full Review

Limitations of Provably Fair

Provably fair is powerful, but it is not a silver bullet. You should understand what it does and does not guarantee:

What Provably Fair Guarantees
  • Individual game outcomes were not manipulated after the bet was placed
  • The casino committed to the result before you placed the bet
  • You can independently verify every single bet
  • The house edge is mathematically fixed and transparent
What Provably Fair Does NOT Cover
  • Third-party slot games (these use proprietary RNGs from providers like Pragmatic Play)
  • Live dealer games (outcomes are physical, not algorithmic)
  • Deposit/withdrawal security or solvency
  • Whether the stated house edge is competitive or fair market value

The most common misconception is that a provably fair casino is fair on all games. In reality, provably fair only covers the casino's original games — the ones they built in-house. When you play a Pragmatic Play slot or an Evolution live table, those outcomes are controlled by the third-party provider and verified through traditional auditing, not cryptographic proof.

Frequently Asked Questions

No, not without detection. Because the casino commits to the server seed hash before the bet, any attempt to change the seed after seeing your bet would produce a different hash. You would immediately detect the mismatch when verifying. The only way to cheat would be to break SHA-256 itself, which is considered computationally infeasible with current technology.
SHA-256 is a hash function that takes a single input and produces a hash. HMAC-SHA256 is a keyed hash function that takes two inputs: a key and a message. In provably fair systems, the server seed is typically used as the HMAC key, and the client seed combined with the nonce is the message. HMAC provides additional security properties beyond plain SHA-256 hashing.
No. The power of provably fair is that you can verify any bet, not that you must verify every bet. Most players spot-check occasionally. Even the possibility of verification keeps the casino honest, because they know any bet could be audited at any time. It functions as a deterrent even if you never personally verify.
The casino only reveals the unhashed server seed after your seed pair is rotated. This is a security measure: if the server seed were revealed while still active, a sophisticated attacker could potentially use it to predict future outcomes in the same session. By requiring rotation first, the revealed seed is no longer in use and cannot provide any advantage.
Yes, and we recommend it. Most provably fair casinos let you set any string as your client seed. Using your own seed gives you maximum confidence that the casino did not influence the randomness. Some players use output from hardware random number generators, dice rolls, or other entropy sources as their client seed.
Yes. Provably fair guarantees that outcomes are not manipulated, but the house edge is built into the game's math, not into outcome manipulation. For example, a provably fair dice game might pay 1.98x on a 50/50 bet instead of 2x — that 1% gap is the house edge. The casino profits over time through this edge, which is fixed and transparent. Provably fair simply ensures the edge is exactly what is stated, no more.
Provably fair only guarantees game outcome integrity. It does not guarantee the casino will process withdrawals, that your funds are safe on their platform, or that their non-provably-fair games are honest. Always consider other factors like licensing, reputation, deposit volume, and community trust. See our full casino rankings for a holistic assessment.

Bottom Line

Provably fair is not a buzzword — it is real, verifiable cryptography. SHA-256 and HMAC-SHA256 create a mathematical guarantee that no party can manipulate individual game outcomes undetected. If you play at a provably fair casino, you have something no traditional gambler has ever had: the ability to prove, with mathematical certainty, that every bet was fair.
