But IIRC the hash is simply to verify that you have the correct key, to prevent clients from sending up file data that is encrypted with the wrong key and thus messing up the vault data. The API server doesn’t handle any actual data or encryption.
The other thing is, we purposefully don’t have APIs published and discourage third party sync clients, because we are unable to quality control and prevent undefined behavior when third party sync clients misbehave. It’s easy to get the encryption details wrong and end up with corrupted or deleted files, introduce errors to the sync process and interrupting sync for the Sync plugin, or possibly trigger infinite loops that overflows the user’s storage, or worse, causes an unintended DoS attack on the sync server.