🎴TCGHub
PacksVaultOrdersPull FeedProfile
🎴TCGHub

Pokémon & One Piece TCG mystery packs. Real graded cards, shipped from Malaysia.

Play

  • Packs
  • Vault
  • Pull Feed
  • Leaderboard

Learn

  • How It Works
  • FAQ
  • Provably Fair

Legal

  • Privacy
  • Terms
  • Responsible Gaming

Support

18+ only. Play within your means.
Need help with gambling? Call NCPG (MY) or Befrienders.

© 2026 TCGHub. All rights reserved.

Card artwork © their respective rights holders. Not affiliated with Nintendo, The Pokémon Company, or Bandai.

Transparency

How Provably Fair Works

A pull is “provably fair” when anyone can mathematically confirm that the outcome was not manipulated by the operator. Every pull on this platform is provably fair, using the same scheme trusted by licensed gaming operators worldwide.

What is provably fair?

It is a cryptographic commitment scheme. Before your pull happens, we commit to a secret value whose hash we publish. After the pull is resolved, we reveal the secret. Because the hash was fixed before the outcome was known, we can not have chosen a secret that produced a different card. You do not have to trust us — the math does the trusting for you.

The four-step process

  1. 1

    Server commits to a secret seed

    Before your pull happens, our server generates a random 256-bit server seed and publishes its SHA-256 hash. The hash is a fingerprint — it uniquely identifies the seed without revealing it.

    serverSeedHash = SHA-256(serverSeed)
  2. 2

    You provide a client seed

    Your browser generates a client seed (or you can set your own). It is sent to the server before the outcome is computed, so the server can not pick a seed that produces a specific card.

    clientSeed = random or user-supplied
  3. 3

    HMAC determines your card

    The server computes HMAC-SHA256 using the server seed as the key and "clientSeed:nonce" as the message. The first 8 hex characters are read as an integer, divided by 2³², and used to select a card from the pack's weighted pool.

    hmac = HMAC-SHA256(serverSeed, `${clientSeed}:${nonce}`)
  4. 4

    Server seed is revealed

    Once the pack sells out, the plaintext server seed becomes public. Anyone — you, us, an auditor — can recompute SHA-256 of the revealed seed and confirm it matches the hash published before your pull. If they match, the outcome was locked in from the start.

    verify: SHA-256(revealedSeed) == serverSeedHash

Why this matters

Without a commit-reveal scheme, an operator could in theory pick a seed after seeing your client seed that reduces your chance of a valuable pull. With commit-reveal, that attack is mathematically impossible — the server seed is locked in before your pull, and its hash is public. If we cheated, the revealed seed would not match the published hash, and you would have undeniable proof.

You can verify any pull, even months later. We do not delete seeds. Auditors can pull our full pull history and confirm every outcome independently.

Verify your own pulls

Every pull has a dedicated verification page. Find your Pull ID in your Vault, open the card's history, and click “Verify this pull”. The verification page runs SHA-256 and HMAC-SHA256 locally in your browser using the Web Crypto API — no server involved. A green tick means the math adds up.

Verification URLs look like /pulls/<pull-id>/verify.

Verify independently

You do not have to trust our verifier. Any SHA-256 calculator and any HMAC-SHA256 calculator will work. Copy the revealed server seed, client seed, and nonce from your pull page, and re-run the math in your tool of choice. The results must match exactly.

  • Confirm SHA-256(serverSeed) == serverSeedHash
  • Confirm HMAC-SHA256(serverSeed, "clientSeed:nonce") == hmac
  • The first 8 hex chars of the HMAC, read as a uint32 and divided by 2³², yield the float used for card selection.
Back to Pull FeedGo to My Vault