Fairness/7 min read

How to Verify a CS2 Case Opening: Server Seed, Client Seed, and Nonce Walkthrough

Most players never check whether a case opening was fair — not because they don't care, but because "server seed", "client seed", and "nonce" sound like things you need a cryptography background to understand. You don't. Once you know what each input does, verifying a roll takes a couple of minutes with tools that already exist on the site. This is a hands-on walkthrough, not a theory piece. First the three inputs and why the hash commitment matters, then the exact steps on CaseRush's /provably-fair page: checking your seed status, rotating to reveal the old server seed, letting auto-verification confirm the commitment, and using the manual verifier to recompute an individual roll from its game type and round ID.

The three inputs: server seed, client seed, and nonce

The server seed is a long random value the site generates for your account. While it is active you never see it in plain text — you see its SHA-256 hash instead, displayed before you play a single round. That hash is the commitment. SHA-256 is a one-way function: the site cannot quietly swap in a different seed later, because a different seed produces a different hash, and you would catch the mismatch the moment you compared them.

The client seed is yours. You can set it to anything you like and change it at any time. Its job is to make sure the site does not control all the inputs: whatever server seed was committed, your client seed gets mixed into every case opening you play, and the site had to commit before knowing what you would choose.

The nonce is the simplest of the three — a counter that increases by one with every round you play under the current seed pair. It makes each result unique (same seeds, different nonce, different outcome) and it keeps the sequence auditable: round 57 is round 57, and nothing can be silently reordered or skipped in between.

  • Server seed: secret site value, committed up front as a SHA-256 hash, revealed in plain text when you rotate
  • Client seed: your value, editable at any time, mixed into every case roll alongside the server seed
  • Nonce: a per-round counter that increments by one, keeping every result unique and the order verifiable

How HMAC-SHA256 turns those inputs into a roll

Each case opening is derived with HMAC-SHA256, a standard keyed-hash construction. The server seed, your client seed, and the nonce are combined into one HMAC-SHA256 computation, and the resulting hash is converted into a number — the roll that decides which item the case pays out. CaseRush documents the exact recipe on the /provably-fair page itself: the first 8 hex characters of the HMAC become a number between 0 and 1, and for cases that roll maps to a ticket from 1 to 10,000, where every item in the case owns a range of tickets sized by its drop chance. The key property is determinism: the same inputs always produce the same output, which is exactly why anyone can recompute a result after the fact and check it.

CaseRush's v2 scheme adds domain separation: the game type and round ID (gameType:roundId) are part of what gets hashed. That means a hash computed for one game or one round cannot be reused or misattributed to another — a roulette result cannot double as a case result, and round 400 cannot masquerade as round 401.

Shared games like crash and roulette work a little differently, because one round produces a single result for everyone in it. Those rounds are seeded per round rather than from any one player's seed pair, and v3 of the scheme adds external entropy on top: the hash of a future EOS blockchain block, committed before that block exists. Neither the site nor any player can know that block hash at commitment time, so it acts as an input nobody gets to choose. In player-versus-player games, joining players' client seeds are mixed in as well, so every participant contributes an input the others could not have predicted.

Step by step: checking your seed status before you play

Everything lives at /provably-fair on CaseRush. The habit worth building is simple: look at the page before you play, because the server seed hash you see there is the anchor every later check hangs off.

One thing that trips people up: the current server seed is hidden by design. If you could read it while it was active, you could compute your own upcoming rolls in advance. It only gets revealed after it is retired — which is what rotation is for.

  • 1. Open /provably-fair. Your seed status shows the SHA-256 hash of your current server seed, your client seed, and the current nonce.
  • 2. Note or screenshot the server seed hash. This is the commitment you will verify against later.
  • 3. Optionally set your own client seed — type anything, or use the randomize button. The site committed its seed before knowing what you would pick.
  • 4. Play normally. Each round increments the nonce by one.

Rotating, auto-verification, and the manual verifier

When you want to audit, rotate your server seed from the same page. Rotation retires the current server seed, reveals it in plain text, and generates a fresh one for future rounds — your client seed carries forward unchanged. From that moment, every round you played under the old seed is fully checkable.

CaseRush runs the first check for you: revealed server seeds are automatically hashed and compared against the hash that was committed before you played. A match confirms the seed you just saw is the same one that was locked in from the start — it was not swapped after your results were known.

For individual rounds, use the manual verifier on the same page. Select the game type, enter the round ID, and the tool recomputes the roll from the revealed seeds. Compare the recomputed result with what you were shown in the game — they should be identical. And you are not limited to the site's own tool: the /provably-fair page prints the exact HMAC input format and the roll derivation, so any environment with a standard HMAC-SHA256 implementation can reproduce the same numbers from the same inputs.

  • 5. Rotate your server seed to retire and reveal the old one.
  • 6. Check the auto-verification: the revealed seed's SHA-256 hash must match the hash committed before play.
  • 7. Open the manual verifier, pick the game type, enter a round ID, and compare the recomputed roll with the result you got.

What verification proves — and what it doesn't

Passing verification proves one specific thing: your outcomes were determined by a seed pair that was committed before you played, and nothing was altered afterward. Tampering after the commitment is detectable, because it would break either the hash check or the recomputed rolls. That is a real, meaningful guarantee — it is the difference between a black box and an auditable system.

What it does not prove is that the odds are generous. A case with a brutal drop table can pass every seed check perfectly; provably fair means you lose fairly too. The drop rates are a separate question with a separate answer: CaseRush publishes the full item odds for every active case on that case's odds page — each case at /cases links to a complete drop-chance table alongside the case price — plus a general explainer of how to read them.

So do both halves. Verify a few rounds to confirm the mechanism holds, then read the odds table before you decide whether a case is worth opening. And keep the framing honest with yourself: every case has a margin built into its drop table, so treat openings as entertainment spend with a budget you set in advance, not as a way to come out ahead.

FAQ

What does the nonce do in a provably fair case opening?

The nonce is a counter that increases by one with every round you play under the current seed pair. It makes each result unique — the same server seed and client seed produce a different outcome at nonce 5 than at nonce 6 — and it keeps the round order auditable, so results cannot be silently reordered or skipped.

Can a site change the server seed after I've played?

Not without being caught. The SHA-256 hash of the server seed is shown before you play, and SHA-256 is a one-way function: a different seed produces a different hash. When the seed is revealed after rotation, CaseRush automatically re-hashes it and compares against the original commitment — a swapped seed fails that check immediately.

Do I need to know how to code to verify my openings?

No. CaseRush's /provably-fair page does it on-site: revealed seeds are auto-verified against their committed hashes, and the manual verifier recomputes any roll from its game type and round ID. The page also documents the exact HMAC-SHA256 input format and roll derivation, so if you ever want a fully independent check, any tool with standard SHA-256 and HMAC-SHA256 support can reproduce the math — but you don't have to.

Why can't I see my current server seed in plain text?

Because outcomes are deterministic. If you could read the active server seed, you could compute your own future rolls before playing them. That's why only the SHA-256 hash is shown while a seed is active, and the plain-text seed is revealed only after you rotate to a fresh server seed.

Does passing verification mean the odds are in my favor?

No. Verification proves integrity — that results came from the pre-committed seeds and weren't manipulated afterward — not generosity. A case with poor drop rates can pass every check. For the other half of the picture, read the public odds page each CaseRush case links to, which lists every item's drop chance against the case price.

Related