Thousand API

Security & auth

JWT Decode

Decodes a JWT and returns the header, payload, and expiration status. Does not verify signatures. Useful for debugging token contents and expiry.

MCP tool: decode_jwt

GET /v1/jwt/decode

JWTs use Base64URL with three dot-separated parts. You can pass the token as a query parameter as-is, but URL-encode it if the token contains `+` or `=`.

Parameters:

ParameterTypeRequiredDescription
tokenstringJWT token to decode

Request example:

curl "https://api.thousand-api.com/v1/jwt/decode?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxNzE2MDAwMDAwfQ.signature" \
  -H "x-api-key: YOUR_API_KEY"

Response example:

{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "user123", "exp": 1716000000 },
  "is_expired": false,
  "expires_at": "2024-05-18T00:00:00.000Z",
  "issued_at": null
}

URL Health Check

Checks a URL's HTTP status code, response time, and SSL certificate details. Combine with resolve_url to inspect the final destination of shortened URLs.

MCP tool: inspect_url

GET /v1/url/inspect

Parameters:

ParameterTypeRequiredDescription
urlstringURL to inspect (http/https only)

Request example:

curl "https://api.thousand-api.com/v1/url/inspect?url=https%3A%2F%2Fwww.thousand-api.com" \
  -H "x-api-key: YOUR_API_KEY"

Response example:

{
  "url": "https://www.thousand-api.com",
  "status_code": 200,
  "response_time_ms": 234,
  "reachable": true,
  "headers": {
    "content-type": "text/html",
    "x-frame-options": "DENY"
  },
  "ssl": {
    "valid": true,
    "expires_at": "2027-01-01T00:00:00.000Z",
    "days_remaining": 220,
    "issuer": "Amazon"
  }
}

Unit Conversion

Converts values between units for length, mass, temperature, area, volume, speed, and data sizes. No external APIs; accurate math via mathjs.

MCP tool: convert_unit

Categories: length (m, km, mile, foot, inch, etc.), mass (kg, g, lb, oz, etc.), temperature (celsius, fahrenheit, kelvin), area (m2, ha, acre, sqft, etc.), volume (l, ml, gallon, cup, etc.), speed (m/s, km/h, mph, knot, etc.), data (byte, KB, MB, GB, TB, KiB, MiB, etc.)

GET /v1/unit/convert

Parameters:

ParameterTypeRequiredDescription
valuenumberValue to convert
fromstringSource unit
tostringTarget unit

Request example:

curl "https://api.thousand-api.com/v1/unit/convert?value=1&from=km&to=mile" \
  -H "x-api-key: YOUR_API_KEY"

Response example:

{
  "value": 1,
  "from": "km",
  "to": "mile",
  "result": 0.621371,
  "formula": "1 km = 0.621371 mile"
}

Hash Generation

Generate MD5, SHA-1, SHA-256, or SHA-512 hashes from text. Uses Node.js built-in crypto with no external dependencies.

MCP tool name: generate_hash

URL-encode the text query parameter when it contains spaces or special characters (e.g. hello world → hello+world or hello%20world).

GET /v1/hash/generate

Parameters:

ParameterTypeRequiredDescription
textstringText to hash (max 100KB)
algorithmstring-md5 / sha1 / sha256 / sha512 (default: sha256)

Request example:

curl "https://api.thousand-api.com/v1/hash/generate?text=hello+world&algorithm=sha256" \
  -H "x-api-key: YOUR_API_KEY"

Response example:

{
  "text": "hello world",
  "algorithm": "sha256",
  "hash": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
  "length": 64
}

HMAC Sign & Verify

Generate or verify HMAC signatures. Supports SHA-256, SHA-512, SHA-1, and MD5. Uses Node.js built-in crypto with no external dependencies. Useful for validating GitHub, Stripe, and Slack webhook signatures.

MCP tool name: generate_hmac

POST /v1/crypto/hmac

Parameters:

ParameterTypeRequiredDescription
modestringsign (generate) / verify (compare)
algorithmstringsha256 / sha512 / sha1 / md5
secretstringHMAC secret key (max 64KB)
messagestringMessage to sign or verify (max 64KB)
encodingstring-hex / base64 (default: hex)
signaturestring-Signature to verify (required when mode is verify)

Response fields (mode: sign):

ParameterTypeDescription
modestringsign
algorithmstringHMAC algorithm used
encodingstringOutput encoding (hex / base64)
signaturestringGenerated HMAC signature

Response fields (mode: verify):

ParameterTypeDescription
modestringverify
algorithmstringHMAC algorithm used
encodingstringOutput encoding (hex / base64)
verifiedbooleanWhether the signature matched (timing-safe compare)

Sign example (GitHub Webhooks style):

Request example:

curl -X POST "https://api.thousand-api.com/v1/crypto/hmac" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "sign",
    "algorithm": "sha256",
    "secret": "your-webhook-secret",
    "message": "{\"action\":\"opened\",\"number\":1}"
  }'

Response example:

{
  "mode": "sign",
  "algorithm": "sha256",
  "encoding": "hex",
  "signature": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
}

Verify example (incoming webhook validation):

Request example:

curl -X POST "https://api.thousand-api.com/v1/crypto/hmac" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "verify",
    "algorithm": "sha256",
    "secret": "your-webhook-secret",
    "message": "{\"action\":\"opened\",\"number\":1}",
    "signature": "sha256=abc123..."
  }'

Response example:

{
  "mode": "verify",
  "algorithm": "sha256",
  "encoding": "hex",
  "verified": true
}

Base64-encoded output example:

Request example:

curl -X POST "https://api.thousand-api.com/v1/crypto/hmac" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "sign",
    "algorithm": "sha256",
    "secret": "my-secret",
    "message": "hello world",
    "encoding": "base64"
  }'

Response example:

{
  "mode": "sign",
  "algorithm": "sha256",
  "encoding": "base64",
  "signature": "K8D9a2..."
}

UUID Generate & Validate

Generate cryptographically secure UUID v4 strings and validate UUID format (versions 1-5). Uses Node.js crypto.randomUUID() only; no external dependencies.

MCP tool names: generate_uuid, validate_uuid

GET /v1/uuid/generate

Parameters:

ParameterTypeRequiredDescription
countinteger-Number to generate (1-100, default 1)
versionstring-UUID version (v4 only, default v4)

Response fields:

ParameterTypeDescription
versionstringGenerated UUID version (v4)
countintegerNumber of UUIDs generated
uuidsstring[]Array of generated UUIDs

Generate multiple UUIDs (count: 3):

Request example:

curl "https://api.thousand-api.com/v1/uuid/generate?count=3&version=v4" \
  -H "x-api-key: YOUR_API_KEY"

Response example:

{
  "version": "v4",
  "count": 3,
  "uuids": [
    "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "6ecc5f60-7e11-4f4a-9b2c-1a2b3c4d5e6f",
    "a1b2c3d4-e5f6-4789-ab01-234567890abc"
  ]
}

POST /v1/uuid/validate

Parameters:

ParameterTypeRequiredDescription
valuesstring[]Strings to validate (1-100 items)

Response fields:

ParameterTypeDescription
resultsobject[]Per-input validation results
results[].valuestringInput value echoed back
results[].validbooleanWhether the string is a valid UUID
results[].versioninteger | nullVersion 1-5 when valid
results[].variantstring | nulle.g. RFC 4122 when valid
all_validbooleanTrue when every result is valid

Validate a mix of valid and invalid strings:

Request example:

curl -X POST "https://api.thousand-api.com/v1/uuid/validate" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "values": [
      "550e8400-e29b-41d4-a716-446655440000",
      "not-a-uuid",
      "12345"
    ]
  }'

Response example:

{
  "results": [
    {
      "value": "550e8400-e29b-41d4-a716-446655440000",
      "valid": true,
      "version": 4,
      "variant": "RFC 4122"
    },
    {
      "value": "not-a-uuid",
      "valid": false,
      "version": null,
      "variant": null
    },
    {
      "value": "12345",
      "valid": false,
      "version": null,
      "variant": null
    }
  ],
  "all_valid": false
}

MCP workflow (generate → validate):

1. Generate IDs with generate_uuid:
   { "count": 2 }

2. Validate returned uuids with validate_uuid:
   { "values": ["<uuid-1>", "<uuid-2>"] }

→ When all_valid is true, the IDs are RFC 4122-compliant.