Send configuration, server, and tweak parameters from your server and receive import-ready encrypted configuration text. No configuration must be created manually first.
Your integration has parameters and needs a configuration now.
Use Business API from your backend to send configuration, server, and tweak values and receive import-ready encrypted config text in one request. Nothing needs to be created in Panel first, and the generated result is not saved there.
Example: A customer chooses options on your website or app, then your backend generates the config on demand.
Quick rule: Saved config in Panel means Client API. Request parameters that must become config text means Business API.
The credentials are separate: find your Client API key in Profile and your Business API credential in Account > Business API.
Overview
The endpoint validates the complete payload, builds the configuration and resources in memory, encrypts the export, and returns it as plain text. It is intended for server-to-server partner automation.
Authentication
Send the credential using one of the supported transports. If both are present, X-Business-API-Key takes precedence.
Transport
Example
Notes
X-Business-API-Key
X-Business-API-Key: YOUR_BUSINESS_API_KEY
Recommended explicit header for server-to-server requests.
Authorization
Authorization: Bearer YOUR_BUSINESS_API_KEY
Standard Bearer authentication alternative.
Where do I get my Business API key?
Create your Business API account to receive its credential once, or rotate an existing credential if you no longer have it.
Open Business API account management.
Keep credentials server-side. Never embed the Business API credential in a mobile app, browser bundle, public repository, or client-visible log.
Complete request
This example includes configuration fields, one server, and one tweak. Omit optional fields that your generated configuration does not need.
Always generated by the service as a lowercase 32-character UUID hex value, matching configurations created in Panel. It is returned in X-Configuration-Key and in the generated root object.
A direct URL the client can use as the configuration update source. Use HTTPS and return importable configuration content from that URL; omit it when the file should not update from a remote source.
The date after which the client must no longer use the configuration. YYYY-MM-DD is recommended. Omit or send null for no expiry; the export normalizes accepted dates to YYYY-MM-DD.
The access password recipients must supply when opening the configuration. Send plaintext over HTTPS; the service hashes it before export and never returns or stores the plaintext.
A local allowlist of app Device IDs, separated by semicolons, such as ID1;ID2;ID3. Omit it to allow any device. Cloud HWID lookup is not available for generated files.
When true, allows the servers and tweaks in this configuration to be offered as shared resources to other configurations in the app. Defaults to false.
When true, the recipient can export and reshare the generated configuration from the app. Defaults to false when omitted, keeping the file locked to its recipient.
An optional array of server objects. Omit it or send an empty array for no servers. Items are generated only for this response and are not saved in Panel.
An optional array of tweak objects. Omit it or send an empty array for no tweaks. Items are generated only for this response and are not saved in Panel.
The top-level version is derived from the selected encryption profile so it always matches the real data cipher. version_code and version_name come from Business API administration. Callers do not send version fields.
Encryption is administrator-owned. Latest configured follows the highest client crypto profile (currently data and identity v5); a named compatibility profile can be pinned when older clients must import generated files. app_version in a request is ignored.
When unlock_all is true, device and app restrictions, expiry, password, HWID lock, individual unlock flags, and custom-resource mode are normalized off in the generated export.
Required for OVPN, SSH, DNSTT, and Hysteria tunnel types.
Connection hosts and credentials in the tunnel-specific format shown below. Separators such as semicolons, colons, and @ are part of the value and must not be URL-encoded.
Optional HTTP payload for OVPN/SSH-style tunnels. Use app tokens such as [crlf] for line boundaries; line breaks and surrounding whitespace are preserved exactly.
Read the response body as text. X-Configuration-Key identifies the generated configuration. Cache-Control: no-store tells intermediaries and clients not to retain the sensitive response.
Quotas and rate limits
Every account inherits administrator defaults unless it has an override. Read the response headers instead of hard-coding those limits.
UTC calendar-day limit, consumed requests, remaining requests, and reset time.
Retry-After
Seconds until retry, included on a 429 response.
A valid authenticated request consumes the per-minute limit, including a request that later fails payload validation.
Daily quota is consumed only after the payload passes validation and generation is about to run.
A generation that fails after validation (HTTP 500) does not refund its consumed daily quota unit.
Reset header values are Unix timestamps. Daily windows reset at 00:00 UTC; minute windows are aligned to UTC epoch minutes.
Credential rotation does not reset usage because counters belong to the Business API account, not its credential.
JSON errors
HTTP status
Meaning
401
The credential is missing, malformed, or invalid.
403
The Business API account, its owner, or access status is inactive.
422
One or more configuration, server, or tweak parameters failed validation.
429
The per-minute limit, daily quota, or invalid-authentication limit was exceeded.
500
An unexpected generation or server failure occurred. The consumed daily quota unit is not refunded. Do not retry indefinitely.
503
Quota enforcement is temporarily unavailable, or the API is in maintenance mode.
Validation error example
{
"success": false,
"message": "The given data was invalid.",
"errors": {
"name": ["The name field is required."]
}
}
Daily quota error example
{
"success": false,
"message": "The Business API daily quota has been exceeded.",
"error": "daily_quota_exceeded",
"scope": "daily",
"daily_quota": {
"limit": 1000,
"used": 1000,
"remaining": 0,
"reset_at": 1783814400,
"reset_at_iso8601": "2026-07-12T00:00:00+00:00",
"retry_after": 22500
}
}
A per-minute 429 has error rate_limit_exceeded and places the same metadata shape under rate_limit.
A quota-enforcement 503 has error quota_service_unavailable and a Retry-After header; retry only after that interval. A maintenance 503 from the global API status carries a status field instead, has no Retry-After header, and clears when the API status returns to available.
Behavior and security
Generated configurations, servers, and tweaks are built in memory and are not saved to the panel database.
unique_key is system-owned for the configuration and every server and tweak. Callers must not send it. Each successful generation, including a retry, receives fresh values; no stored record is created or updated.
Cloud update, cloud password, and cloud HWID are disabled for generated output. Generated configurations are locked to their recipient by default; send allow_reshare: true to permit re-export.
Each panel user has one Business API account and one current credential.
Send requests only over HTTPS and apply strict outbound timeout and retry limits.
Do not log credentials, configuration passwords, private keys, or full generated response bodies.
Rotate the credential immediately after suspected exposure. The previous credential stops authenticating, while daily usage remains unchanged.
Credential display is one-time only. The panel stores a hash and a short preview, not a recoverable copy. Losing the secret requires credential rotation.