Business API Documentation

Generate a complete configuration in one request

Send configuration, server, and tweak parameters from your server and receive import-ready encrypted configuration text. No configuration must be created manually first.

POSThttps://httptweak.com/api/business/v1/config/generate
Not sure which API fits?

Choose by where your configuration starts

You do not need both APIs for the same workflow. Match the API to what your integration already has.

Client API

The configuration already exists in Panel.

Use Client API to list that saved configuration and sync or manage its servers, tweaks, cloud device IDs, and cloud passwords.

Example: You create "Premium Config" in Panel first, then your backend keeps its resources up to date.

Read Client API documentation

Business API

You are here

Your integration has parameters and needs a configuration now.

Use Business API from your backend to send configuration, server, and tweak values and receive import-ready encrypted config text in one request. Nothing needs to be created in Panel first, and the generated result is not saved there.

Example: A customer chooses options on your website or app, then your backend generates the config on demand.

Continue with Business API

Quick rule: Saved config in Panel means Client API. Request parameters that must become config text means Business API.

The credentials are separate: find your Client API key in Profile and your Business API credential in Account > Business API.

Overview

The endpoint validates the complete payload, builds the configuration and resources in memory, encrypts the export, and returns it as plain text. It is intended for server-to-server partner automation.

Authentication

Send the credential using one of the supported transports. If both are present, X-Business-API-Key takes precedence.

TransportExampleNotes
X-Business-API-KeyX-Business-API-Key: YOUR_BUSINESS_API_KEYRecommended explicit header for server-to-server requests.
AuthorizationAuthorization: Bearer YOUR_BUSINESS_API_KEYStandard Bearer authentication alternative.
Where do I get my Business API key? Create your Business API account to receive its credential once, or rotate an existing credential if you no longer have it. Open Business API account management.
Keep credentials server-side. Never embed the Business API credential in a mobile app, browser bundle, public repository, or client-visible log.

Complete request

This example includes configuration fields, one server, and one tweak. Omit optional fields that your generated configuration does not need.

curl --request POST "https://httptweak.com/api/business/v1/config/generate" \
  --header "Accept: text/plain" \
  --header "Content-Type: application/json" \
  --header "X-Business-API-Key: YOUR_BUSINESS_API_KEY" \
  --data '{
    "name": "Partner Starter Config",
    "message": "Generated for a partner subscriber",
    "unlock_server": true,
    "servers": [
      {
        "name": "Primary SSH",
        "category": "Premium",
        "tunnel_type": "ssh",
        "ip_port_user_pass": "203.0.113.10:22@demo:secret",
        "note": "Singapore"
      }
    ],
    "tweaks": [
      {
        "name": "WebSocket Payload",
        "category": "Premium",
        "tunnel_type": "ssh",
        "payload": "GET / HTTP/1.1[crlf]Host: example.com[crlf][crlf]",
        "sni": "example.com",
        "tls_version": "TLSv1.3"
      }
    ]
  }'

Smallest valid request

Only name is required. Omitting servers and tweaks produces a valid generated configuration with empty resource lists.

{
  "name": "Minimal Partner Config"
}

Bearer alternative

Authorization: Bearer YOUR_BUSINESS_API_KEY

Request text/plain for the successful generated body. Authentication, validation, quota, and service errors remain JSON.

Parameters

Configuration fields

FieldRuleDescription
namerequired|string|max:255The configuration label displayed to recipients in HTTP Tweak.
unique_keyResponse-only; do not send this field.Always generated by the service as a lowercase 32-character UUID hex value, matching configurations created in Panel. It is returned in X-Configuration-Key and in the generated root object.
update_urlnullable|url|max:255A direct URL the client can use as the configuration update source. Use HTTPS and return importable configuration content from that URL; omit it when the file should not update from a remote source.
messagenullable|string|max_payload_lengthA message displayed with the generated configuration. HTML is supported, and its line breaks and surrounding whitespace are preserved.
expire_datenullable|dateThe date after which the client must no longer use the configuration. YYYY-MM-DD is recommended. Omit or send null for no expiry; the export normalizes accepted dates to YYYY-MM-DD.
passwordnullable|string|max:100The access password recipients must supply when opening the configuration. Send plaintext over HTTPS; the service hashes it before export and never returns or stores the plaintext.
hwid_locknullable|string|max_payload_lengthA local allowlist of app Device IDs, separated by semicolons, such as ID1;ID2;ID3. Omit it to allow any device. Cloud HWID lookup is not available for generated files.
device_hwidnullable|string|max:32An App Device ID, up to 32 characters, permitted to edit this configuration on-device. This is distinct from hwid_lock, which controls who may use it.
block_applicationnullable|string|max:1000Android package names to block while the configuration is used, separated by semicolons; for example com.example.one;com.example.two.
is_mobile_lockednullable|booleanWhen true, enables the client mobile-lock restriction for this configuration. Defaults to false when omitted and is disabled by unlock_all.
is_block_rootnullable|booleanWhen true, prevents use on rooted devices. Defaults to false when omitted and is disabled by unlock_all.
is_ps_installnullable|booleanWhen true, requires an installation recognized as coming from Google Play. Defaults to false when omitted and is disabled by unlock_all.
unlock_allnullable|booleanWhen true, produces an unrestricted file and takes precedence over individual lock and unlock fields. See the normalization note below.
unlock_servernullable|booleanWhen true, permits recipients to view or reuse server connection details. Defaults to false and is superseded by unlock_all.
unlock_user_passnullable|booleanWhen true, permits recipients to view server usernames and passwords. Defaults to false and is superseded by unlock_all.
unlock_proxynullable|booleanWhen true, permits recipients to view proxy values stored in tweaks. Defaults to false and is superseded by unlock_all.
unlock_payloadnullable|booleanWhen true, permits recipients to view payload text stored in tweaks. Defaults to false and is superseded by unlock_all.
is_hide_bannernullable|booleanWhen true, hides the SSH banner in the client. It has no effect on non-SSH tunnels. Defaults to false.
is_shared_resourcesnullable|booleanWhen true, allows the servers and tweaks in this configuration to be offered as shared resources to other configurations in the app. Defaults to false.
is_show_shared_resourcesnullable|booleanWhen true, allows this configuration to display compatible resources shared by other configurations in the app. Defaults to false.
is_custom_resourcesnullable|booleanWhen true, permits recipients to add local custom servers and tweaks for this configuration. Defaults to false and is disabled by unlock_all.
allow_resharenullable|booleanWhen true, the recipient can export and reshare the generated configuration from the app. Defaults to false when omitted, keeping the file locked to its recipient.
serversnullable|array|max:100An optional array of server objects. Omit it or send an empty array for no servers. Items are generated only for this response and are not saved in Panel.
tweaksnullable|array|max:100An optional array of tweak objects. Omit it or send an empty array for no tweaks. Items are generated only for this response and are not saved in Panel.
The top-level version is derived from the selected encryption profile so it always matches the real data cipher. version_code and version_name come from Business API administration. Callers do not send version fields.
Encryption is administrator-owned. Latest configured follows the highest client crypto profile (currently data and identity v5); a named compatibility profile can be pinned when older clients must import generated files. app_version in a request is ignored.
When unlock_all is true, device and app restrictions, expiry, password, HWID lock, individual unlock flags, and custom-resource mode are normalized off in the generated export.

Server object fields

FieldRuleDescription
namerequired|string|max:255The server label displayed in HTTP Tweak. It must be non-empty.
categorynullable|string|max:255Groups the server with tweaks. When set, the server appears when a selected tweak uses the same category. Examples: WS, CF, Free, or Paid.
notenullable|string|max:255Optional display note for the server. It does not affect the connection.
unique_keyResponse-only; do not send this field.Always generated independently for every server or tweak as a lowercase 32-character UUID hex value, matching resources created in Panel.
tunnel_typeRequired; one exact supported tunnel value.ovpn_tcp_ssh, ovpn_tcp, ovpn_udp, ssh, dnstt, hysteria, v2ray_default, v2ray_vless, v2ray_vmess, v2ray_hysteria2, v2ray_socks, v2ray_http, v2ray_ss, v2ray_trojan, v2ray_wireguard.
ip_port_user_passRequired for OVPN, SSH, DNSTT, and Hysteria tunnel types.Connection hosts and credentials in the tunnel-specific format shown below. Separators such as semicolons, colons, and @ are part of the value and must not be URL-encoded.
ssl_portnullable|integer|between:1,65535Optional SSL/TLS port for compatible OVPN and SSH connections, commonly 443. It must be from 1 through 65535.
ovpn_configRequired for ovpn_tcp_ssh, ovpn_tcp, and ovpn_udp; string up to max_payload_length.The complete OpenVPN profile text, including remote directives. Line breaks and surrounding whitespace are preserved exactly.
ovpn_pknullable|string|max_payload_lengthOptional OpenVPN private-key text. Line breaks and surrounding whitespace are preserved exactly.
ssh_pkOptional string up to max_payload_length; for SSH it must contain a BEGIN ... KEY PEM header.Optional SSH private key in PEM form. Preserve its header, footer, and line breaks exactly.
hysteria_bandwidthnullable|string|max:10Optional upload:download bandwidth pair for Hysteria, for example 100:100.
v2ray_configRequired for every v2ray_* tunnel type; string up to max_payload_length.Complete V2Ray connection input. It may be JSON, a supported protocol URI, or WireGuard INI text, depending on tunnel_type. Whitespace is preserved.
dnstt_pubkeyRequired when tunnel_type is dnstt; string, maximum 255 characters.The DNSTT server public key paired with the nameserver credentials.

Tunnel-specific server formats

Conditional fields are selected by tunnel_type. The following examples show the expected separators and minimum companion fields.

TunnelRequired fieldsFormat example
OVPN typesip_port_user_pass, ovpn_configuser:pass
remote vpn.example.com 1194
sship_port_user_passhost1;host2:22@user:pass
dnsttip_port_user_pass, dnstt_pubkeyns1.example.com;ns2.example.com@user:pass
hysteriaip_port_user_passhost1;host2:443@auth-string:obfs
hysteria_bandwidth: "100:100"
v2ray_*v2ray_configJSON, protocol URI, or WireGuard INI text.

Tweak object fields

FieldRuleDescription
namerequired|string|max:255The tweak label displayed in HTTP Tweak. It must be non-empty.
categorynullable|string|max:255Groups the tweak with servers. When set, only servers using the same category are shown after this tweak is selected. Examples: WS, CF, Free, or Paid.
notenullable|string|max:255Optional display note for the tweak. It does not change tunnel behavior.
unique_keyResponse-only; do not send this field.Always generated independently for every server or tweak as a lowercase 32-character UUID hex value, matching resources created in Panel.
tunnel_typeRequired; one exact supported tunnel value.Uses the same tunnel_type values listed in the server table.
payloadnullable|string|max_payload_lengthOptional HTTP payload for OVPN/SSH-style tunnels. Use app tokens such as [crlf] for line boundaries; line breaks and surrounding whitespace are preserved exactly.
sninullable|string|max_payload_lengthOptional TLS Server Name Indication host. Multiple candidates may be separated with semicolons, for example sni1.example;sni2.example.
proxynullable|string|max_payload_lengthOptional proxy value. Use host:port or host:port@user:pass; multiple hosts may be separated with semicolons.
dnstt_payloadnullable|string|max_payload_lengthOptional payload used with a DNSTT tweak. It supports the same payload tokens and whitespace-preservation behavior as payload.
bug_hostnullable|string|max:255Optional host for V2Ray-style tweaks. Place [bughost] in v2ray_config where this value should be substituted by the app.
tls_versionnullable|in:default,TLSv1.1,TLSv1.2,TLSv1.3Optional exact TLS mode for compatible OVPN/SSH tweaks. Use default to let the client choose, or select TLSv1.1, TLSv1.2, or TLSv1.3.
dnstt_resolverRequired when tunnel_type is dnstt; string, maximum 255 characters.DNSTT resolver address. Examples: https://resolver.example/dns-query for DoH, resolver.example:853 for DoT, or 1.1.1.1:53 for UDP.

A request may contain up to 100 servers and 100 tweaks. Heavy text fields are limited to 100000 characters unless a smaller field limit is shown.

Success response

A successful request returns the generated encrypted configuration directly, not a JSON wrapper.

HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Cache-Control: no-store, private
X-Configuration-Key: 9d7d6d874a9c4b2ea70c409d70bcb410
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 119
X-RateLimit-Reset: 1783737660
X-DailyQuota-Limit: 1000
X-DailyQuota-Used: 18
X-DailyQuota-Remaining: 982
X-DailyQuota-Reset: 1783814400

<generated encrypted configuration text>
Read the response body as text. X-Configuration-Key identifies the generated configuration. Cache-Control: no-store tells intermediaries and clients not to retain the sensitive response.

Quotas and rate limits

Every account inherits administrator defaults unless it has an override. Read the response headers instead of hard-coding those limits.

HeaderMeaning
X-RateLimit-Limit
X-RateLimit-Remaining
X-RateLimit-Reset
Per-account aligned-minute limit, remaining requests, and reset time.
X-DailyQuota-Limit
X-DailyQuota-Used
X-DailyQuota-Remaining
X-DailyQuota-Reset
UTC calendar-day limit, consumed requests, remaining requests, and reset time.
Retry-AfterSeconds until retry, included on a 429 response.
  • A valid authenticated request consumes the per-minute limit, including a request that later fails payload validation.
  • Daily quota is consumed only after the payload passes validation and generation is about to run.
  • A generation that fails after validation (HTTP 500) does not refund its consumed daily quota unit.
  • Reset header values are Unix timestamps. Daily windows reset at 00:00 UTC; minute windows are aligned to UTC epoch minutes.
  • Credential rotation does not reset usage because counters belong to the Business API account, not its credential.

JSON errors

HTTP statusMeaning
401The credential is missing, malformed, or invalid.
403The Business API account, its owner, or access status is inactive.
422One or more configuration, server, or tweak parameters failed validation.
429The per-minute limit, daily quota, or invalid-authentication limit was exceeded.
500An unexpected generation or server failure occurred. The consumed daily quota unit is not refunded. Do not retry indefinitely.
503Quota enforcement is temporarily unavailable, or the API is in maintenance mode.

Validation error example

{
  "success": false,
  "message": "The given data was invalid.",
  "errors": {
    "name": ["The name field is required."]
  }
}

Daily quota error example

{
  "success": false,
  "message": "The Business API daily quota has been exceeded.",
  "error": "daily_quota_exceeded",
  "scope": "daily",
  "daily_quota": {
    "limit": 1000,
    "used": 1000,
    "remaining": 0,
    "reset_at": 1783814400,
    "reset_at_iso8601": "2026-07-12T00:00:00+00:00",
    "retry_after": 22500
  }
}

A per-minute 429 has error rate_limit_exceeded and places the same metadata shape under rate_limit.

A quota-enforcement 503 has error quota_service_unavailable and a Retry-After header; retry only after that interval. A maintenance 503 from the global API status carries a status field instead, has no Retry-After header, and clears when the API status returns to available.

Behavior and security

  • Generated configurations, servers, and tweaks are built in memory and are not saved to the panel database.
  • unique_key is system-owned for the configuration and every server and tweak. Callers must not send it. Each successful generation, including a retry, receives fresh values; no stored record is created or updated.
  • Cloud update, cloud password, and cloud HWID are disabled for generated output. Generated configurations are locked to their recipient by default; send allow_reshare: true to permit re-export.
  • Each panel user has one Business API account and one current credential.
  • Send requests only over HTTPS and apply strict outbound timeout and retry limits.
  • Do not log credentials, configuration passwords, private keys, or full generated response bodies.
  • Rotate the credential immediately after suspected exposure. The previous credential stops authenticating, while daily usage remains unchanged.
Credential display is one-time only. The panel stores a hash and a short preview, not a recoverable copy. Losing the secret requires credential rotation.