xtract.bot

POST /api/scrypt-derive4 quota units per call · cache hits free

Stretch a password into a key with scrypt — the memory-hard KDF from RFC 7914. Configurable N (cost), r (block size), p (parallelisation), and output length. Returns hex / base64 / base64url.

Stretches a password into a cryptographic key with scrypt — a **memory-hard** KDF specified in RFC 7914. Unlike PBKDF2, scrypt deliberately consumes large amounts of memory per derivation, which dramatically raises the cost of an attacker using ASICs or GPUs. Parameters (interactive-login defaults shown): - `N`: CPU/memory cost (power of 2, default 16384 = 2¹⁴). - `r`: block size in 128-byte chunks (default 8). - `p`: parallelisation factor (default 1). - Memory cost ≈ 128 · N · r bytes. The defaults use ~16 MB. Recommended for password storage when you control both ends of the verification. For interop with non-scrypt systems, prefer `pbkdf2-derive`.

Inputs

NameTypeDefaultDescription
password*stringPassword to stretch.
salt*stringPer-user salt (≥16 bytes recommended).
Nnumber (2…1048576)16384CPU/memory cost. Must be a power of 2.
rnumber (1…32)8Block size in 128-byte chunks.
pnumber (1…16)1Parallelisation factor.
bitsLengthnumber (8…4096)256Output key length in bits.
passwordFormatenum (text | hex | base64)"text"Input encoding of `password`.
saltFormatenum (text | hex | base64)"text"Input encoding of `salt`.
outputFormatenum (hex | base64 | base64url)"hex"Output encoding of the derived key.

Response

Modes: json. Cache: not cacheable.

Every response carries x-cache (HIT / MISS / BYPASS), x-cache-signature (stable across identical inputs), and the rate-limit headers listed below.

Quota & limits

Cost per call4 units against the 10,000-unit monthly quota. Cache hits are free — only cache misses decrement.
Burst limit200 requests per rolling minute, shared across all tools.
Max request size64 KiB (base64 inflates file payloads ~33% — the limit applies to the decoded bytes).
Max response size16 KiB
Timeout60s wall clock.
Rate-limit headersX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Burst-Limit on every response; X-Quota-Warning once 80% of the monthly quota is spent; Retry-After on 429s.

Errors

Errors are JSON with an error string; schema failures add a details object (Zod's flattened field errors).

StatusWhenBody
400Input fails the tool's schema (wrong type, missing required field, malformed base64) or the file bytes can't be parsed as the expected format.{ "error": "invalid inputs", "details": { "fieldErrors": { … } } }
401Missing or invalid X-Api-Key / X-Account-Id headers (or no session when called from the browser).{ "error": "unauthorized" }
404Unknown tool id, or calling /api/* on the website hostname instead of api.xtract.bot.{ "error": "not found" }
413Request body over the tool's max request size, or an image header declaring more megapixels than the tool's pixel budget.{ "error": "…exceeds maxRequestBytes…" }
415Content-Type isn't application/json on the json-body transport.{ "error": "unsupported content-type; expected application/json" }
429Monthly quota or the 200/min burst limit exhausted. Check Retry-After and the X-RateLimit-* headers.{ "error": "monthly quota exceeded", "monthRemaining": 0, … }
5xxConversion engine failure. Safe to retry; if it persists, the input is hitting a bug — please report it.{ "error": "…" }

Code samples

Built from the default example.


curl -X POST https://api.xtract.bot/api/scrypt-derive \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "password": "correct horse battery staple",
  "salt": "xtract.bot-demo-salt",
  "N": 16384,
  "r": 8,
  "p": 1,
  "bitsLength": 256,
  "outputFormat": "hex"
}'