Frequently asked
questions

Oxide APIs is a small family of utility HTTP APIs — cryptographic hashing, data validation and barcode/QR generation — implemented in Rust, compiled to WebAssembly and deployed to Cloudflare Workers. Every request is served from the nearest of 300+ global points of presence with sub-5 ms cold starts.

All APIs are distributed through RapidAPI. Create a free account, subscribe to any plan on an Oxide API listing, and your X-RapidAPI-Key is generated instantly. The same key works across every Oxide API you subscribe to.

Yes. Every API ships with a Basic tier that includes 500–1,000 requests per month, no credit card, and access to every endpoint of that API.

No. Every Oxide API is a plain HTTPS endpoint that accepts JSON and returns JSON, so any HTTP client works — curl, fetch, requests, reqwest, you name it.

MD5, SHA-256, SHA-512, BLAKE3, bcrypt and Argon2id. SHA-256 and BLAKE3 are recommended for integrity checks; bcrypt and Argon2id are the only choices we offer for password hashing.

bcrypt uses cost factor 12 by default; Argon2 uses Argon2id, the OWASP-recommended variant. Both produce encoded strings safe to store in a database.

Yes. /v1/verify uses constant-time comparison so the response time does not leak information about how close the supplied input was to the stored hash.

Yes — /v1/token returns cryptographically-secure random values as UUID, hex or base64. Lengths up to 64 bytes are supported.

Yes. /v1/validate/email accepts an optional check_disposable flag; when true, we check the domain against a curated list of disposable-email providers.

E.164 — the international standard (e.g. +15551234567). Pass the country hint when the input is not already prefixed.

We run a Luhn checksum and detect the card brand (Visa, Mastercard, AmEx, Discover, JCB, etc.). We do not store, transmit upstream, or log the number — it never leaves the Worker.

All ISO 13616 countries. Validation is full mod-97 checksum, not just regex.

QR (error correction L, M, Q, H), EAN-13, UPC-A, Code 128 and Code 39.

Clean SVG. No raster images, no embedded fonts. You can inline the SVG, save it, or convert it server-side if you need PNG.

Size yes (via the size or bar_width / height fields). Custom colors and embedded logos are not currently exposed — keeping the surface area small lets us guarantee scan quality.

Free for the lowest tier. Paid plans start at $5/month for 50,000 requests. The most expensive single API plan is $80/month for 2.5M validation requests. See /pricing for the full matrix.

Edge-native Rust/WASM eliminates the cost drivers of traditional API hosting: no idle servers, no JIT warm-up, no GC pauses. Cloudflare charges us a fraction of a cent per million Worker invocations, and we pass the savings through.

Yes, at a transparent per-1,000-request rate (between $0.02 and $0.20 depending on plan and API). The rate is lower on higher plans, so it pays off to upgrade if you regularly exceed your tier.

You get a 429 response. Rate limits range from 5 req/s (free) to 500 req/s (top tier).

Paid plans from Ultra upward include a 99.9% uptime SLA. The free tier and Pro are best-effort but in practice run on the same infrastructure.

The nearest of Cloudflare's 300+ points of presence. There is no concept of a "region" you have to choose.

RapidAPI provides a real-time analytics dashboard for every subscription. Every Oxide API also exposes GET /v1/health (no auth required) so your own monitoring can probe liveness.

Status updates and any incident reports are posted on the RapidAPI listing. For high-volume customers, we publish webhook + email notifications.