Blooms — Single-use key registry

Single-use keys — for serverless apps, SPAs, extensions, software. Distribute keys once.

Register a key

Values are always hashed locally (SHA-256) before sending — they never leave your device in plain text.

Check a key

Same local hashing — enter the same value used at registration.

Keys registered: -

← Back

How it works

Blooms lets you register single-use keys and check if a value has already been consumed. Ideal for serverless apps, SPAs, browser extensions or desktop software — distribute licenses, tokens or secrets that can only be used once, with no database on the client side.

Principle

The system uses a Bloom filter: a compact in-memory structure that quickly answers "has this key already been seen?". Responses are yes/no, with a small chance of false positives but never false negatives.

Client-side hashing

All values are hashed (SHA-256) in your browser before sending — the raw value never leaves your device. This ensures privacy and avoids confusion between registration and verification.

Key validation

Only plausible keys are accepted: at least 8 characters (password, secret) or short high-entropy values (hash, token). Entries that are too short or weak return a warning.

Rate limiting

A maximum number of requests per IP address is enforced to prevent abuse. If the limit is exceeded, the API returns a temporary error. Try again in a few seconds.

Fair use

This is a public, free API. Please use it respectfully and avoid spam — rate limits apply. The license forbids military use.

What this is (and isn’t)

Blooms is not a service to check whether passwords have appeared in data breaches. It is designed to help you issue and track new keys/passwords for serverless or stateless deployments, without a database. For checking leaked passwords, use dedicated services such as jamesthomas/bloom_filters or Have I Been Pwned – Pwned Passwords.

Use cases

Serverless apps: Verify key activation without persistent state
SPA / one-page apps: Activation keys, licenses distributed once
Browser extensions: Tokens distributed with unique keys, single-use guaranteed
Windows / desktop software: Single-use license distribution
Detect duplicates in identifier streams

← Back

API

Use these HTTP endpoints to register and check keys from your app. Send the SHA-256 hash of the key (hex), never the raw value.

Register a key

POST /api/submit

Request body (JSON):

{"key": "sha256-hex-of-your-key"}

Response: ok, message, already_used. 201 on success, 409 if key already used.

Check a key

GET /api/check?key=sha256-hex

Response: key, possibly_used (boolean). 200 OK.

Stats

GET /api/stats

Response: total_keys (number). No auth required.

Hashing

Clients must hash the raw key with SHA-256 and send the hex string. The server never sees the plain value. Use the same hash for both submit and check.

Rate limit

Requests are limited per IP. On 429, retry after a few seconds.

Reliability

The API database is backed by three other instances. If one service is down, your data will never be lost.

An additional proxy server is being developed to improve availability and latency.