Web API

Configure Web API server, authentication, IP whitelisting, and rate limiting

Introduction

The Web API configuration file (web_api.json) manages the built-in web server for API endpoints, webhooks, and external integrations.

Port

Type: String

Server port for the Web API.

port: "3111"

The bot will listen for HTTP requests on this port.

Authentication Key

Type: Array of Strings

API keys required to access endpoints.

authentication_key: ['09563-34763-36235-36235', 'second-key-here']

Security Warning: Change the default authentication key immediately! Never share these keys publicly.

Requests must include one of these keys in the authentication header.

Whitelisted IPs

Type: Array of Strings

IP addresses allowed to access the API.

whitelisted_ips: ['18.209.80.3', '54.87.231.232', '203.0.113.0']

Default IPs included:

18.209.80.3 - Tebex server
54.87.231.232 - Tebex server

Important: Do not remove the Tebex IPs if you use the Tebex integration, or webhooks will fail.

Secure Mode

Type: Boolean

Restrict API to whitelisted IPs only.

secure_mode: false

When true: Only whitelisted IPs can access the API (still requires authentication) When false: All IPs can access with valid authentication key

Base IP

Type: String

Base URL for API hooks and webhooks.

base_ip: "bot.example.com"

Format options:

With domain: "bot.example.com" or "api.example.com"
Without domain: "192.168.1.100:3111" (IP:port format)

Used to construct full URLs for external services like Tebex webhooks.

Rate Limit

Prevent API abuse with request limiting.

enabled

Type: Boolean

Enable rate limiting.

rate_limit: {
    enabled: true,
}

window_ms

Type: Number

Time window for rate limit in milliseconds.

window_ms: 300000

Example: 300000 = 5 minutes (300,000 milliseconds)

After this window elapses, the request count resets for that client.

max

Type: Number

Maximum requests per window.

max: 150

Clients exceeding this limit during the time window will be rate limited.

proxied

Type: Boolean

Whether API is behind a reverse proxy.

proxied: false

When true: Bot uses proxy headers to identify real client IP (required for Nginx/Apache) When false: Direct connection IP is used

Reverse Proxy Users: If you use Nginx, Apache, or Cloudflare in front of the bot, set this to true to ensure correct IP detection for rate limiting and security.

proxies_between_user_and_server

Type: Number

Number of proxy layers between client and bot.

proxies_between_user_and_server: 1

Only relevant when proxied is true.

Examples:

Direct proxy: 1
Cloudflare + Nginx: 2

Complete Configuration Example

Here's a production-ready Web API configuration:

{
    config: {
        port: "3111",

        authentication_key: ['your-secure-key-here-change-this'],

        whitelisted_ips: [
            '18.209.80.3',      // Tebex
            '54.87.231.232',    // Tebex
            '203.0.113.10',     // Your server IP
        ],

        secure_mode: true,

        base_ip: "api.yourserver.com",

        rate_limit: {
            enabled: true,
            window_ms: 300000,
            max: 150,
            proxied: true,
            proxies_between_user_and_server: 1,
        },
    },
}

Last updated 2 hours ago

hashtagIntroduction

hashtagPort

hashtagAuthentication Key

hashtagWhitelisted IPs

hashtagSecure Mode

hashtagBase IP

hashtagRate Limit

hashtagenabled

hashtagwindow_ms

hashtagmax

hashtagproxied

hashtagproxies_between_user_and_server

hashtagComplete Configuration Example

Introduction

Port

Authentication Key

Whitelisted IPs

Secure Mode

Base IP

Rate Limit

enabled

window_ms

max

proxied

proxies_between_user_and_server

Complete Configuration Example