1. The commitment. Before you play, the bot publishes SHA256(serverSeed) — the hash of its secret seed. It cannot change the seed afterwards without the hash mismatching.

2. Your input. You choose your own client seed (!seed set). Since the bot doesn't control it, it cannot pre-craft outcomes.

3. The result. Every bet computes HMAC-SHA256(serverSeed, clientSeed:nonce). For Coinflip: byte 0 even → heads, odd → tails. The nonce increases by 1 with each bet.

4. The reveal. When you rotate your seed (!seed rotate), the old server seed is revealed. This page recomputes everything locally: the hash must match the commitment, and each result must match what you were paid.

Trustless: open this page's source code (Ctrl+U) — the math runs entirely in your browser using the Web Crypto API. Our server is not involved.