What is client seed and server seed?

The server seed is a random string the casino generates before your round — you only see its SHA-256 hash until the round ends. The client seed is a string you (or your browser) provide before betting. The casino combines both with a nonce (round counter) through HMAC-SHA256 to compute the outcome. Pairing them means neither side can rig the result alone.

What is a server seed?

A server seed is a random 32-64 byte string generated by the casino's server before you bet. The casino commits to it by publishing its SHA-256 hash (a 64-character fingerprint) before the round starts. After your round — or after you rotate seeds — the raw seed is revealed so you can hash it yourself and confirm it matches the pre-game hash. If it matches, the casino couldn't have swapped seeds mid-round.

What does server seeding mean?

Server seeding is the process where a provably fair casino generates a fresh server seed, publishes its hash before any round, and reveals the raw seed on demand. It's half of the commit-reveal protocol — the other half is your client seed. Together they guarantee that the outcome was fixed before your bet and can be independently checked after.

How do I find my server seed?

Open the game, click the shield, lock, or 'Fairness' icon (usually top-right of the game panel). You'll see the active server seed hash, current client seed, current nonce, and a 'Rotate seed' button. The raw server seed only appears after you rotate — at that point the old seed is revealed and a new hashed seed takes over. On Stake the panel is under Settings → Fairness; on BC.Game it's under the game's three-dot menu.

Can the casino change the server seed mid-game?

No — that's the whole point of the commit-reveal protocol. The casino publishes the SHA-256 hash of the server seed before your first bet. If they change the seed afterwards, your locally-computed hash of the revealed seed won't match the pre-committed hash. If a casino ever publishes a revealed seed whose hash doesn't match what you saw before betting, it's cryptographic proof of rigging.

Does changing my client seed change my odds?

No — every combination of server_seed + client_seed + nonce produces a statistically random outcome. Changing your client seed doesn't give you better odds, it just produces different results. The only strategic reason to change it is to defeat the biased-seed attack, where a dishonest casino pre-computes outcomes for common client seeds. Rotating every 50-100 bets makes pre-computation useless.

What happens if I never rotate seeds?

Nothing in the cryptography breaks — your bets are still verifiable with the same server seed across thousands of rounds, because the nonce increments every bet. But you lose the main defense against biased-seed attacks. If the casino happened to choose a server seed that produces unfavorable outcomes against your specific client seed, you'll absorb that bias for the entire session. Rotate every 50-100 bets to reset this risk.

Can I use the same client seed across casinos?

You can, but there's no benefit and one small risk. Seeds are scoped to each casino — your Stake client seed has no meaning on BC.Game. Using a predictable, reused client seed slightly helps a dishonest casino pre-compute outcomes for you. Best practice: let each casino auto-generate a new random client seed, then rotate it every 50-100 bets.

Why is the server seed hashed before the round?

Because a raw server seed would let you reverse-engineer the outcome before betting, and the casino could swap seeds after seeing your bet. The SHA-256 hash solves both: it proves the seed existed before you bet (commitment), without revealing the seed itself. After the round, the casino publishes the raw seed, you hash it, and confirm it matches. This is a standard cryptographic commit-reveal.

Are all client seeds public?

Your client seed is visible only in your own fairness panel — the casino sees it when you submit it, but other players don't. Server seed hashes are usually visible per-user (not public), and the raw server seed is released to you after seed rotation. Nothing about provably fair requires the seeds to be broadcast publicly, just that they're committed before the round and revealed afterwards to you.

What if a casino won't reveal the server seed?

That casino isn't actually provably fair, regardless of marketing claims. Legitimate PF implementations include a 'Rotate seed' button in every game's fairness panel — clicking it instantly reveals the old server seed and commits a new hashed one. If the button doesn't work, the seed never appears, or the casino delays reveal for hours, treat the PF badge as fake and file a chargeback if you have disputed rounds.

Can I see past rounds' server seeds?

Yes, but only for seeds that have already been rotated or that you explicitly retired. Active server seeds stay hidden (you only see the hash) until you rotate them. Most casinos keep a 'seed history' in the fairness panel showing every retired server seed paired with its bets, client seed, and final nonce — enough data to re-verify every bet from that seed period.

Is HMAC-SHA256 really unbreakable?

In 2026 yes, for the purposes of provably fair gambling. SHA-256 has no practical preimage or collision attacks, and HMAC-SHA256 adds a second layer of authentication that makes length-extension attacks irrelevant. Breaking it would require ~2^256 operations, which isn't feasible with current or near-future classical computers. The realistic threats aren't cryptographic — they're weak seed generation, missing seed rotation, or fake verifiers.

Do all games use the same seed format?

No. Dice games on Stake use HMAC-SHA256 with outputs mapped to 0-99.99. Crash games map the same HMAC output to a multiplier using a different formula. Provably fair blackjack often uses HMAC-SHA512 and generates one random number per card. Always check the specific casino's fairness docs to get the exact mapping — a generic verifier will get the hash match right but may display a different outcome number than the game screen.

Should I copy seeds from another player?

Copying a seed that's already been burned on another account produces no advantage — the nonce and client seed are unique to that account's history. Worse, if someone posts a 'lucky seed' on a forum, they likely posted it after it already produced the wins. Generate your own random client seed and trust the math: over long enough play, no seed is luckier than any other.

Client Seed vs Server Seed: Full Technical Guide (2026)

Picture this: you just lost eight dice rolls in a row on a provably fair casino. You open the fairness panel, half-hoping to find proof the site is rigged. You see two fields — Server Seed Hash: a3f79b21... and Client Seed: bG7yxQ2pR — plus a counter labeled Nonce that keeps ticking up. Most players glance at the numbers and close the panel, because nothing in the game explained what any of them actually do.

Here's the thing: those two seeds are the entire reason you can trust the round. One of them is the casino's secret, committed before you bet. The other is yours, controllable at any time. Together they make it mathematically impossible for the casino to rig the outcome after seeing your wager. Miss how they pair, and you're trusting the site blindly. Understand the pair, and you can verify every single bet in under a minute.

This guide breaks down client seed vs server seed the way a player actually uses them in 2026: what each one does, who controls it, when it's revealed, what happens when you change it, and the one attack the whole system can't stop unless you rotate regularly. We'll walk the math step-by-step with a real dice example, compare how Stake, BC.Game, and Roobet display the panel, and end with a live verifier so you can drop in your own seeds and see the outcome reproduced.

TL;DR — The 60-Second Answer

Every provably fair round needs three inputs. The casino controls one, you control another, and the third is a simple counter. None of them alone determines the outcome — all three must combine.

Input	Who controls it	When revealed	Changeable mid-session?
Server seed	Casino	After seed rotation	No, but you can rotate
Client seed	You	Always visible to you	Yes, anytime
Nonce	Protocol	Always visible	No (auto-increments)

The math works like this:

$\text{outcome} = \text{HMAC-SHA256}(\text{server\_seed},\; \text{client\_seed} : \text{nonce})$

In plain English: the casino takes its secret seed, keyed against your public seed plus the round number, runs them through a one-way cryptographic function, and maps the result to a dice roll, crash multiplier, or card. You can't predict it (you don't know the server seed), and the casino can't fake it (they committed to the server seed's hash before you bet).

Who Controls Each Seed

Casino controls the server seed — it's generated on their server and hidden until you rotate it
You control the client seed — usually auto-generated by your browser, but editable in the fairness panel
Both are required — the casino can't compute your outcome without both seeds

What to Actually Change

Rotate your server seed every 50-100 bets — forces the casino to commit to a new seed they can't have pre-optimized
Change your client seed occasionally — once every session is plenty, it doesn't improve odds
Never change the nonce manually — it's a simple counter, tampering breaks verification

If you take nothing else away from this page: the client seed is your leverage. The server seed is the casino's commitment. Rotating the server seed periodically is what stops a dishonest operator from gaming the math. For a broader primer, our what is provably fair gambling explainer covers the full system; this guide zooms in on the seeds themselves.

What Each Seed Actually Does

Before we compare them, each seed deserves its own breakdown. They look similar in the UI — both are long random strings — but they play opposite roles in the protocol.

The Server Seed (Casino's Secret)

The server seed is a random string (usually 32 or 64 bytes, hex-encoded) generated by the casino before your round begins. Think of it as the casino's locked envelope: they write the contents down, seal it, and show you the fingerprint (the SHA-256 hash). The seal guarantees they can't change what's inside — but you don't get to peek until after your bet.

Key facts about server seeds:

Always hashed before exposure: you see SHA-256(server_seed) as a 64-character hex string
Single seed covers many rounds: the same server seed stays active for dozens or thousands of bets, with the nonce incrementing per round
Rotates on demand: clicking "Rotate" reveals the old seed and commits a new hash
Never reused across players: each account has its own active server seed

The reason the server seed is hidden is simple — if you could see it before betting, you could compute the exact outcome in advance and cheat the casino. The hash is a commitment device: it locks the casino into one specific seed without revealing it.

The Client Seed (Your Input)

The client seed is the string you contribute. On Stake, BC.Game, Roobet, and every mainstream PF casino, your browser generates a random one by default — usually a 10-20 character alphanumeric string — and lets you edit it in the fairness panel.

Key facts about client seeds:

You control it, the casino cannot see what your next one will be until you submit it
Visible to you at all times in the fairness panel
Changeable anytime, but changes don't affect bets already placed
Often auto-generated — your browser randomizes a fresh one per session

The client seed is the mechanism that stops the casino from pre-computing outcomes. Since the server seed is committed via hash before you submit your next client seed, the casino genuinely can't know what result HMAC will produce. This is why changing your client seed occasionally — or letting the browser auto-rotate — is a key defense, even though any single client seed is just as "lucky" as any other on average.

The Nonce (Round Counter)

The nonce is the simplest of the three. It's just a counter that increments with every bet — round 1, round 2, round 3, and so on. You can't set it, change it, or skip it. If you bet 50 times with the same server seed and client seed, the nonce goes from 0 to 49 and every outcome is different because the nonce changes.

Why have a nonce at all? Without one, every round with the same server seed and client seed would produce the exact same outcome — hitting the same dice number every time. The nonce is what makes each round unique while still keeping the math reproducible. If a casino ever shows a nonce that skipped a number (0, 1, 3, 4 — where's 2?), that's a sign of tampering.

How They Combine to Produce an Outcome

This is where the three inputs stop being data and start being math. Every provably fair casino runs the same core formula, even though the output mapping differs by game.

The HMAC Formula in Plain English

Here's what every PF casino actually computes:

$\text{hex\_output} = \text{HMAC-SHA256}(\text{server\_seed},\; \text{client\_seed} \; : \; \text{nonce})$

Plain-English translation:

HMAC-SHA256: a keyed cryptographic hash function — like SHA-256, but "signed" with a key
server_seed (the key): the casino's hidden value, locking the function to one specific seed
client_seed:nonce (the message): your seed joined to the round counter with a colon

The output is a 64-character hex string. Different games interpret it differently: dice games take the first few characters and map them to 0-99.99, crash games use a different slice and formula, blackjack games chain multiple HMAC calls (one per card) and usually switch to HMAC-SHA512 for 128-character outputs. The exact mapping matters, but the commit-reveal structure is identical across all of them.

Worked Example: One Dice Roll Step by Step

Let's do one full round with real (example) values so you can see exactly how the seeds combine.

Given:

server_seed = f4a9c2e1b7d8e3c5a1b9f6d2e8c4a7b3e9d1c6a2b5f8e4c7a3b6e1d9c2a5b8f4
client_seed = player-xyz-42
nonce = 7

Step 1 — Compute HMAC-SHA256:

HMAC-SHA256(server_seed, "player-xyz-42:7")
= 8b2d4a1f9c6e7b3d5a8f2c9e4b1d7a6f3e8c5b2d9a4f7e1c8b3d6a2f9e5c4b7d

Step 2 — Map hex to dice roll (Stake-style):

Take the first 5 hex chars: 8b2d4 → convert to decimal = 569,300. Mod 1,000,000 = 569,300 → divide by 10,000 = 56.93.

Step 3 — Compare to your bet:

If you bet "roll under 50" — you lose (56.93 > 50). If you bet "roll under 60" — you win. The exact outcome was determined by three inputs, none of which either party could manipulate after commitment.

Step 4 — Verify:

After rotating your server seed, you get the raw value. You hash it yourself: does SHA-256 match the hash you saw before the round? Then rerun the HMAC with the same inputs: does the output match? Both match = round is cryptographically proven fair. For a full walkthrough with copy-paste values, see how to verify a provably fair round.

Why the Math Can't Be Faked

Three cryptographic properties make the protocol rigging-resistant:

Hash commitment: SHA-256 has no practical preimage attacks, so the casino can't find a different server seed that produces the same pre-committed hash after seeing your bet.
HMAC output opacity: You can't reverse the HMAC output to infer the server seed — needed because otherwise knowing one outcome would reveal the key.
Mutual ignorance at commit time: The casino doesn't know your future client seeds, so they can't pre-optimize server seed choice for specific client values.

If any of those three properties breaks, the protocol breaks. In 2026 none of them has broken for SHA-256, so the math is solid. The real attacks all live in implementation — which we cover in the rotation section below. Our provably fair vs RNG certified comparison digs deeper into how this math stacks up against traditional lab audits.

Client Seed vs Server Seed — Side-by-Side

Same protocol, opposite roles. Here's the head-to-head.

Client Seed vs Server Seed — Role Coverage

How each seed contributes to each security property. Both are needed for verification, but player-side control and bias defense live on the client-seed side.

Loading chart...

Server Seed (casino side)

Client Seed (player side)

Scores are qualitative — "Required for Hash Verify" shows both at 100 because verification fails without either seed.

Who Controls What

Property	Server Seed	Client Seed
Owner	Casino	You
Visible raw?	Only after rotation	Always
Visible hashed?	Always (pre-round)	Never hashed — shown raw
Generated by	Casino's RNG	Your browser (or you manually)
Length	Typically 64 hex chars	Typically 10-20 chars, user-set
Can other players see it?	No (scoped to your account)	No (scoped to your account)

The asymmetry is intentional. If both seeds were public, either side could manipulate. By keeping the server seed hidden (via hash) and the client seed known only to you, the protocol creates a genuine two-party commitment where neither can cheat the other.

When Each Is Revealed

The reveal timing is what separates a working PF casino from a fake one:

Server seed hash: visible before every round — check it before you bet
Client seed: visible always — you typed or generated it
Server seed (raw): visible only after seed rotation — either you click "Rotate" or end your session

A legitimate casino will never refuse to rotate. If you click "Rotate seed" and the old seed doesn't appear within seconds — or worse, if the casino says "seeds rotate automatically every 24 hours and you'll see history tomorrow" — that's a red flag. The seed reveal should be instant and cryptographically provable.

What Happens If You Change Each One

Here's the practical impact table you actually need:

Action	Mid-round effect	Next-round effect	Long-term effect
Rotate server seed	None (current round unaffected)	New server seed used from next bet	Resets biased-seed risk
Change client seed	None (can't change retroactively)	New client seed used from next bet	Forces casino to recompute all outcomes
Reset nonce	Impossible — protocol-enforced	Nonce continues from where it was	N/A

The takeaway: changing either seed is a forward-looking protection, not a way to retroactively dispute lost rounds. If you're about to start a long dice session on a new casino, rotate both seeds immediately so the casino commits to values after your client seed is set. That ordering matters more than any specific seed value.

Seed Rotation — When and Why to Change Them

If you read nothing else on this page, read this section. Rotation is the one player-side action that actually changes your cryptographic security posture.

The Biased-Seed Attack (And Why Rotation Stops It)

Here's the one theoretical weakness provably fair can't rule out without rotation: biased seed generation.

Imagine a dishonest casino that generates thousands of server seeds in advance. For each one, they pre-compute outcomes against common client seed patterns (default browser formats, frequently-used words, patterns they've seen before). They then selectively deploy seeds that happen to produce more losses than wins for the expected client seeds.

Because the casino still publishes a valid server seed hash — and the revealed seed still hashes to that commitment — the verification math passes. The protocol "works." But the seed itself was cherry-picked from a biased pool, and your long-term house edge is worse than advertised.

The defense is simple: rotate often enough that pre-computation becomes useless.

Rotate after every 50-100 bets → the casino must commit new seeds they haven't pre-optimized
Change your client seed at the same time → invalidates any pattern-based pre-computation
Both together make biased-seed attacks statistically infeasible at scale

This attack is extremely rare at reputable casinos — the reputational cost of getting caught vastly outweighs the EV gained — but it's the one reason rotation matters at all. Our provably fair Bitcoin games ranking filters specifically for casinos with published rotation workflows.

Rotation Frequency on Popular Casinos

Different sites use different default intervals. Here's what each platform actually does:

Casino	Default rotation	Manual rotation	Recommended setting
Stake	Never auto-rotates	Anytime, instant	Every 50-100 bets
BC.Game	Never auto-rotates	Anytime, instant	Every 50-100 bets
Roobet	Rotates on session end	Anytime, instant	Every 50-100 bets
Rainbet	Never auto-rotates	Anytime, instant	Every 100 bets
Primedice	Never auto-rotates	Anytime, instant	Every 50-100 bets

"Never auto-rotates" is actually the honest default — it forces the player to choose. If a site aggressively auto-rotates, it may be trying to obscure individual seed histories.

Quick Rotation Checklist

Use this before any long session:

Open the game's fairness panel
Copy the current server seed hash (for later verification if you want)
Click "Rotate Server Seed" — old seed is revealed, new hash commits
Change your client seed (click refresh, or type a new random string)
Note your starting nonce (usually 0 after rotation)
Bet as usual; rotate again after ~50-100 bets

Takes 30 seconds. Protects against the only non-cryptographic attack on provably fair.

What You Can't Rotate Mid-Round

One important constraint: you can't rotate during a round. Once you've placed a bet with a given server_seed + client_seed + nonce, those values are locked for that specific round. Rotating only affects bets placed after the rotation.

This is also why "retroactively rotating to undo a loss" is impossible. The commit was fixed before you bet — the only way to change what's already happened is to verify it was honest. Since PF lets you do that in 60 seconds, that's usually enough.

Common Mistakes with Seeds

Players coming to provably fair from regular online casinos consistently make the same four mistakes. None of them are dangerous — but they all waste time.

"Changing Client Seed Changes My Luck"

It doesn't. Every HMAC output is statistically random regardless of input. Changing your client seed from abc123 to xyz789 gives you different outcomes, not better ones. The expected value is identical.

What the client seed actually does: it prevents biased-seed pre-computation by making your inputs unpredictable to the casino before each round. That's a security property, not a luck property.

"Casinos Can See My Client Seed in Advance"

Not for future seeds. The casino sees your current client seed (you submitted it), but has no way to know what you'll set next. That's the whole point — the casino commits to a server seed hash before knowing your next client seed. Once they commit, they can't change the seed behind the hash.

If someone claims "the casino reads your keyboard and knows your next seed before you hit enter" — they're describing a client-side malware attack, not a protocol weakness. Use a reputable browser and you're fine.

"Rotating Too Often Breaks the Proof"

It doesn't. Rotating just retires one server seed and commits a new one — both still verifiable independently. You can rotate every single bet if you want (slow but harmless).

The common concern is about seed history getting "messy" — but every PF casino keeps a full history of retired seeds keyed to the bet ranges they covered. Rotating 50 times creates 50 verifiable history entries, not a tangled mess.

Quick Sanity Check

If any of these apply, your provably fair flow is wrong:

You never clicked "Rotate" in your first 200 bets → rotate now, you may be exposed to biased seeds
You can't find a "Rotate Server Seed" button → casino's PF implementation is broken
You've never verified a single round → try one with our provably fair verifier to get familiar
You share seeds with friends → no benefit, small risk — generate your own

"All Casinos Use the Same Seed Format"

They don't. Stake and Primedice use HMAC-SHA256 with dice-specific mapping. BC.Game's blackjack uses HMAC-SHA512 with card-specific logic. Spribe's Aviator uses a different nonce strategy. A generic verifier will get the hash match right across all of them, but the reproduced outcome number may differ unless you use the casino's exact mapping formula.

Always read the casino's fairness docs for the exact game you're playing. For Aviator specifically, our Aviator provably fair calculator implements Spribe's formula directly. For blackjack, the provably fair blackjack guide covers the card-by-card HMAC chain.

How to Find Your Seeds on Real Casinos

Words are easy. Showing you exactly where the buttons live is more useful. Here's the actual path on the top three PF casinos as of 2026.

On Stake / Primedice

Open any casino Original (Dice, Crash, Plinko, Mines)
Click the shield icon in the top-right of the game panel
A "Fairness" modal opens with four fields:
- Active Server Seed (Hashed) — 64-char SHA-256 hex
- Active Client Seed — editable string
- Total Bets Made With Pair — current nonce
- "Change Seeds" button at the bottom
Click "Change Seeds" — old server seed is revealed immediately, new hash commits

Stake's interface is the cleanest of the three. Everything you need is on one screen, rotation is instant, and the seed history shows every retired server seed with its associated bet range.

On BC.Game

Open any in-house Original (Crash, Dice, Ring, Limbo)
Click the three-dot menu in the top-right of the game
Select "Provably Fair" from the dropdown
Fairness modal shows: Hashed Server Seed, Client Seed (editable), Nonce, Algorithm
Click "Change" next to the server seed → rotation confirmation → old seed revealed

BC.Game uses HMAC-SHA512 for most games (not SHA-256), so the hashes are 128 characters instead of 64. The verification math is the same, just with a longer output.

On Roobet

Open any Roobet Originals game (Mines, Crash, Dice, Towers)
Click the padlock icon next to the game title
A side panel slides out with the fairness data
"Seed History" tab at the bottom shows all retired seeds
"Randomize Client Seed" and "Rotate Server Seed" buttons are both visible

Roobet uniquely auto-rotates server seeds at session-end, which is slightly aggressive — rotate manually if you want to verify rounds later, so you're not surprised by the auto-rotation closing off future verification. Their PF Originals are ranked against Stake and BC.Game in our Bitcoin casino guide.

Universal Workflow

Any legitimate PF casino will follow this pattern:

Find the shield/lock/padlock — standard icon for fairness panels
Locate the active server seed hash, client seed, and nonce — all three must be visible
Test rotation — click the rotate button; if the old server seed doesn't appear in under a second, the implementation is broken
Note the algorithm — SHA-256 (64-char) or SHA-512 (128-char); you need this for verification
Verify at least one round — use a calculator to confirm hash match + HMAC output

If any of those five steps fail, the casino's "provably fair" claim is marketing only. Cross-check against our hub with current PF implementations before depositing.

Interactive: Verify a Round with Your Own Seeds

Paste the four values from your casino's fairness panel into the verifier below. Everything runs locally in your browser via the Web Crypto API — no data is sent to our server, and the computation is the same HMAC-SHA256 (or SHA-512) your casino uses.

Two things to watch for when you verify:

Hash Match = PASS — your revealed server seed, when hashed, matches the pre-round hash. This proves the casino didn't swap seeds after you bet.
Dice/Crash output matches the screen — the HMAC output, mapped through the game's formula, reproduces the exact number the game showed. This proves the outcome wasn't altered.

If both pass, your round is cryptographically fair. If hash match fails, file a complaint — you have proof the casino swapped seeds. For broader bankroll-math context around verified play, pair this with our house edge calculator, our RTP calculator, and the bankroll calculator so you can size bets honestly alongside per-round verification. If you're running longer sessions, our bankroll management guide covers the math on how often rotation intersects with session-sizing decisions.

Client Seed vs Server Seed: Full Technical Guide (2026)