xtract.bot

POST /api/rsa-verify2 quota units per call · cache hits free

Verify an RSA signature against a SPKI PEM public key. Supports PSS and PKCS1-v1_5 schemes plus SHA-256/384/512. Returns whether the signature is valid.

Verifies that a `signature` matches `data` under the given RSA public key (SPKI PEM). Returns `{valid: true|false}` plus the echoed scheme + hash. Use `pss` for RSA-PSS signatures and `pkcs1` for the legacy RSASSA-PKCS1-v1_5 scheme (JWT RS256/384/512, SAML, …).

Inputs

NameTypeDefaultDescription
data*stringOriginal message that was signed.
dataFormatenum (text | hex | base64)"text"Encoding of `data`.
signature*stringSignature to verify.
signatureFormatenum (hex | base64 | base64url)"base64"Encoding of `signature`.
publicKeyPem*stringPublic key in SPKI PEM format.
schemeenum (pss | pkcs1)"pss"Signature scheme used at signing time.
hashenum (SHA-256 | SHA-384 | SHA-512)"SHA-256"Hash algorithm.
saltLengthnumber (0…256)32PSS salt length used at signing.

Response

Modes: json. Cache: not cacheable.

Every response carries x-cache (HIT / MISS / BYPASS), x-cache-signature (stable across identical inputs), and the rate-limit headers listed below.

Quota & limits

Cost per call2 units against the 10,000-unit monthly quota. Cache hits are free — only cache misses decrement.
Burst limit200 requests per rolling minute, shared across all tools.
Max request size4 MiB (base64 inflates file payloads ~33% — the limit applies to the decoded bytes).
Max response size8 KiB
Timeout30s wall clock.
Rate-limit headersX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Burst-Limit on every response; X-Quota-Warning once 80% of the monthly quota is spent; Retry-After on 429s.

Errors

Errors are JSON with an error string; schema failures add a details object (Zod's flattened field errors).

StatusWhenBody
400Input fails the tool's schema (wrong type, missing required field, malformed base64) or the file bytes can't be parsed as the expected format.{ "error": "invalid inputs", "details": { "fieldErrors": { … } } }
401Missing or invalid X-Api-Key / X-Account-Id headers (or no session when called from the browser).{ "error": "unauthorized" }
404Unknown tool id, or calling /api/* on the website hostname instead of api.xtract.bot.{ "error": "not found" }
413Request body over the tool's max request size, or an image header declaring more megapixels than the tool's pixel budget.{ "error": "…exceeds maxRequestBytes…" }
415Content-Type isn't application/json on the json-body transport.{ "error": "unsupported content-type; expected application/json" }
429Monthly quota or the 200/min burst limit exhausted. Check Retry-After and the X-RateLimit-* headers.{ "error": "monthly quota exceeded", "monthRemaining": 0, … }
5xxConversion engine failure. Safe to retry; if it persists, the input is hitting a bug — please report it.{ "error": "…" }

Code samples

Built from the verify-pkcs1-good example.


curl -X POST https://api.xtract.bot/api/rsa-verify \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "data": "the eagle has landed",
  "signature": "GWa5pAHR7RbC9g9JWmxP4VaBiVkOiylReTwG4nqjo4Vkw6W5kfaRWGGeYWy8YkjYvLTHtgXmlXiMz9kD1JVCaAR90+Li/JZPEIH+bmw+2KvziZ8kD7isgPgRXtiYH4VN122V3hcvlRS8UQ01iaZg3X6Dg1+PLz6j1zOaEto0dKYZ/4YvUkVZATOxZP+Qz98Q4p2WvoMBm17uKxditXuBKGrt5bexALrVijSWgYTVHPCP4+abngegUcMSvJlPCyTgjbxowaMMyy7kVX/PcsJRXKBs2MgRu7j8rMlf8ZbM4po1emqBtZoaol/GooFZNzS2q8YKB/gfvTHz04URrC34Sg==",
  "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjvk6JK5I8uhIG/4qyR5C\n85U5tr3myRyk4ULz/80T/os8yqhW9dooy4Qx+bk0U59Gg2gMleL8qikSUkB8JlkQ\nssAFh19WN9+CWfCvtXQwC0/QYBBKdDfHTLdsX9eJ4ClJWwnxyvr6b49fIf8q9Z9T\n6o/bKkJGcu2jygWmVsvkGfxAAtOLfk74BYAsuFrt1wyn/D4uNOyqrzBwBgrqMxZe\nmjSMGTYkGMN4e6moA/l2kK5yMuUZzlvgo8eGnvq+YwM1vBSy+v+X4sXwRcPE7Mv0\nUOmVQrHdO3iKGLTGUsXS3cbeOjAVHybIWCtkJsvvqDHDf1UBe/prine1XxLNxvPm\nQwIDAQAB\n-----END PUBLIC KEY-----",
  "scheme": "pkcs1"
}'