Developers

VPN Configuration APIs for Developers: Client vs Business API

A practical architecture guide to automating saved HTTP Tweak configurations with the Client API or generating configuration output with the stateless Business API.

HTTP Tweak Editorial Team 6 min read

HTTP Tweak gives developers two server-side integration paths for configuration workflows. The Client API manages configurations and their resources in a Panel account. The Business API accepts configuration inputs and generates encrypted HTTP Tweak configuration output without first creating a persistent configuration record.

That distinction matters. HTTP Tweak packages, imports, configures, protects, and distributes connection settings for its client. It does not create remote SSH users, provision VPN servers, sell bandwidth, or run a reseller's billing system. Those services remain with the infrastructure provider or with systems you operate.

Where HTTP Tweak fits in an integration

A typical delivery chain looks like this:

  1. Your infrastructure or upstream provider issues a usable server, account, or protocol profile.
  2. Your application validates the supplied connection details and associates them with your own customer or product record.
  3. HTTP Tweak turns those details and the desired tweak settings into a client-compatible configuration.
  4. You deliver the resulting configuration through an approved channel.
  5. The Android client imports the package and attempts the connection to the upstream endpoint.
Component Main responsibility What it does not replace
Upstream provider Server availability, remote accounts, credentials, capacity, and protocol service Configuration packaging
Your application Customer workflow, authorization, product rules, billing, and provider synchronization The Android tunnel client
HTTP Tweak Panel Saved configurations, servers, tweaks, access options, import/export, and sharing Remote account provisioning
HTTP Tweak Android client Importing and using supported configurations on the device Provider infrastructure

Keeping these boundaries explicit prevents a common integration bug: treating a successfully generated package as proof that an upstream credential is valid. Generation validates the configuration request; the real endpoint and account still need an end-to-end connection test.

Client API or Business API?

Start with the workflow you need, then use the matching API.

Decision Client API Business API
Data model Works with configurations saved in a user's Panel account Generates output from the submitted request
Best fit CRUD automation, resource updates, access lists, and a managed configuration lifecycle On-demand generation inside an existing service or reseller workflow
Persistence Reads and changes saved configuration records and related resources Stateless generation; your system remains the source of business records
Typical integration Admin tools, synchronization jobs, or bots managing an account's catalog A backend that already owns customers, products, and provider data

Read the current request schemas, authentication requirements, response formats, and quotas in the Client API documentation and Business API documentation. Treat those pages as the contract; avoid copying an old example into production without checking the current documentation.

A reliable integration workflow

1. Keep provider data separate from package data

Use separate identifiers for the upstream account, your customer, and the HTTP Tweak configuration. A configuration key is not a provider account ID. This separation makes credential rotation, provider migration, and incident investigation much easier.

2. Validate before generation

Reject incomplete endpoints, ports outside your accepted range, malformed profile data, and protocol/security combinations your product does not offer. Validate both syntactic shape and business authorization. Never let a customer select another tenant's stored credential simply by changing an ID.

3. Choose persistent or stateless generation

Use the Client API when the Panel should hold a configuration that you will update over time. Use the Business API when your application already owns the lifecycle and needs generated configuration output for a request. Do not create a saved record merely to emulate stateless generation, and do not expect stateless output to become an account-management database.

4. Deliver secrets deliberately

Generated output can contain sensitive access material. Return it only to the authorized customer, avoid writing it to normal application logs, and use transport encryption. If you place the output in object storage or a queue, set access controls and a retention period.

5. Test the whole path

Test at least one profile for every protocol and transport combination you offer:

  • valid and invalid upstream credentials;
  • expired or disabled provider accounts;
  • malformed server or tweak input;
  • API authentication and quota failures;
  • client import on supported app versions;
  • provider rotation and configuration replacement.

Generation success, import success, and connection success are three different checkpoints. Record them separately.

Security and operations checklist

  • Store API credentials in a secret manager or protected server environment, not in the Android app or a public repository.
  • Give each service only the API access it needs.
  • Redact passwords, UUIDs, private keys, full profile URIs, and generated packages from logs.
  • Apply request timeouts and bounded retries. Do not blindly retry invalid requests.
  • Respect documented quotas and design queues with back-pressure.
  • Use idempotency in your own jobs so a retry does not issue duplicate customer deliveries.
  • Revoke or rotate API credentials after suspected exposure.
  • Update the packaged configuration when an upstream endpoint or credential changes.
  • Keep your own audit link between customer, provider record, configuration key, and delivery event.

Example ownership model

Record in your system Suggested owner Lifecycle trigger
Customer and subscription Your business application Purchase, renewal, cancellation
Remote SSH/VPN account Provider integration or your infrastructure Provision, rotate, expire, disable
Configuration recipe Your application or HTTP Tweak Panel Product or connection-setting change
Generated/importable package Delivery service Issue, replace, revoke, expire

This model also makes support clearer. A login rejected by the remote SSH server goes to the account/provider workflow. A package that cannot be imported belongs to the configuration workflow. A request rejected by an HTTP Tweak API belongs to the integration workflow.

Useful HTTP Tweak resources

  • Review exact endpoints in the Client API docs.
  • Compare stateless generation in the Business API docs.
  • Examine optional community-shared profiles on Public Configurations; public availability is not a substitute for provider verification.
  • Follow visual setup material in Tutorials.
  • Ask implementation questions in the listed Communities, without posting credentials or private configuration output.

Frequently asked questions

Does the Business API create a VPN or SSH account?

No. It generates HTTP Tweak configuration output from accepted inputs. The remote endpoint, account, credential, and service capacity must already exist.

Can the Client API manage a saved configuration?

Yes. It is the API path intended for working with saved configurations and related resources in a Panel account. Consult the live documentation for the supported operations and limits.

Should API keys be embedded in my Android application?

No. Long-lived service credentials belong on a controlled backend. Your mobile app should call your authenticated backend, which then performs only the authorized server-side action.

Does a generated configuration guarantee a working connection?

No. It confirms that the generation workflow accepted the supplied data. DNS, routing, firewall rules, provider uptime, account validity, protocol compatibility, and client settings can still affect the connection.

Where should billing and renewals live?

In your own commerce or reseller system. HTTP Tweak can be part of configuration delivery, but it is not the billing or upstream account-provisioning system.

Keep exploring

Browse every published category, tutorial, product article, and future update from one general content hub.

Back to blog