Introduction
Phantom is an authentication & key management service built for loaders, game tools and desktop utilities. It handles registration, licensing, device sessions and Discord integration so you can focus on your actual project.
The docs are split into Overview, Core, Integrations and Reference.
What Phantom gives you
- Email + password vendor panel with per-app key management.
- REST API for loaders, desktop apps and web dashboards.
- Device session tracking (IP + HWID) with audit logging.
- Optional Discord checks, role gating and bot integrations.
Getting Started
This section walks through the minimum steps to get from a blank vendor account to a working app with real keys you can test.
1. Create your vendor account
- Open the Phantom panel and register with your email.
- Sign in using your credentials or vendor token.
2. Create your first app
Apps represent individual products or loaders.
POST /vendor/apps
Authorization: Bearer <vendor JWT>
{
"name": "My Loader"
}
3. Generate some keys
Inside the vendor dashboard, open your app and click Generate Keys, or use the API:
POST /vendor/apps/{appId}/keys/create
Authorization: Bearer <vendor JWT>
{
"count": 10
}
Creating Apps
Each app in Phantom tracks its own keys, sessions and audit log. If you sell multiple tools, give each one its own app.
Fields
- Name — friendly name shown in the vendor panel.
- Created at — timestamp for auditing.
API example
POST /vendor/apps
Authorization: Bearer <vendor JWT>
Content-Type: application/json
{
"name": "Internal Test Loader"
}
Managing Keys
Keys are short strings like PH-ABCDEFGH.... Keys can be unused, active or banned.
Key lifecycle
- Vendor generates keys for an app.
- User redeems a key in your loader or panel.
- Loader talks to Phantom and marks it active.
- Vendor can extend, ban or delete the key at any time.
Create keys
POST /vendor/apps/{appId}/keys/create
{
"count": 25
}
Ban / unban / delete
POST /vendor/keys/ban { "key": "PH-..." }
POST /vendor/keys/unban { "key": "PH-..." }
POST /vendor/keys/delete { "key": "PH-..." }
Device Sessions
Sessions track when a key is actively being used from a particular IP / HWID combo. They’re useful for enforcing “one device at a time” rules and spotting shared keys.
Typical flow
- Loader calls your /auth/check endpoint.
- Backend validates the key with Phantom.
- If valid, backend records a session for that key + HWID.
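One way a backend could implement the session step of this flow, as an added example that is not Phantom's own code. It assumes the backend has already validated the key with Phantom and passes the result in as `keyIsValid`; the function names, the timing constants and the `device_in_use` error string are assumptions made for illustration.

```javascript
// Added example, not Phantom's own code. TTL, window, threshold and the
// "device_in_use" error string are assumptions chosen for illustration.
const SESSION_TTL_MS = 5 * 60 * 1000;        // session expires after 5 min without a check
const SHARE_WINDOW_MS = 24 * 60 * 60 * 1000; // look-back window for shared-key detection
const SHARE_THRESHOLD = 3;                   // distinct HWIDs in the window that flag a key

function createSessionTracker(auditLog = []) {
  const active = new Map(); // key -> { hwid, ip, lastSeen }
  const seen = new Map();   // key -> Map(hwid -> last time that device checked in)

  // keyIsValid is the result of the backend's own validation call to Phantom.
  return function recordCheck({ key, hwid, ip, keyIsValid }, now = Date.now()) {
    if (!keyIsValid) {
      auditLog.push({ event: "invalid_key", key, hwid, ip, at: now });
      return { ok: false, error: "not_found" };
    }
    // Count every device that presents the key, including ones refused below.
    const devices = seen.get(key) ?? new Map();
    devices.set(hwid, now);
    for (const [h, t] of devices) if (now - t > SHARE_WINDOW_MS) devices.delete(h);
    seen.set(key, devices);
    if (devices.size >= SHARE_THRESHOLD) {
      auditLog.push({ event: "possible_shared_key", key, devices: devices.size, at: now });
    }
    // One device at a time: refuse a second HWID while another session is live.
    const current = active.get(key);
    if (current && current.hwid !== hwid && now - current.lastSeen < SESSION_TTL_MS) {
      auditLog.push({ event: "device_conflict", key, hwid, ip, at: now });
      return { ok: false, error: "device_in_use" };
    }
    active.set(key, { hwid, ip, lastSeen: now });
    return { ok: true };
  };
}

// Constructed sample run: one key checked from three devices.
function demo() {
  const log = [];
  const check = createSessionTracker(log);
  const t0 = 1700000000000;
  const base = { key: "PH-TESTKEY1", keyIsValid: true };
  const a = check({ ...base, hwid: "hwid-A", ip: "203.0.113.5" }, t0);
  const b = check({ ...base, hwid: "hwid-B", ip: "198.51.100.7" }, t0 + 60000);
  const c = check({ ...base, hwid: "hwid-B", ip: "198.51.100.7" }, t0 + 6 * 60000);
  const d = check({ ...base, hwid: "hwid-C", ip: "192.0.2.9" }, t0 + 12 * 60000);
  return { a, b, c, d, events: log.map((e) => e.event) };
}
```

The maps live in process memory, so sessions reset on restart; a backend running more than one instance would keep them in a shared store.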
Discord Integration
Phantom can be paired with a Discord bot or server to restrict access to customers who own valid keys or specific roles.
Vendor Discord settings
GET /vendor/discord/settings
POST /vendor/discord/settings
{
"guildId": "123...",
"roleId": "456...",
"logChannelId": "789...",
"allowCommands": true
}
Bot token login
Your bot can log into Phantom using the token panel, then attach the returned JWT to API calls.
Desktop Integrations
Desktop apps can talk to Phantom using plain HTTPS calls. Any language that can perform JSON requests will work.
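// C# (.NET 5 or later)
using System.Net.Http;
using System.Net.Http.Json;

var http = new HttpClient();
var payload = new {
    appId = 1,
    key = userKey,        // license key entered by the user
    hwid = myHardwareId   // device identifier computed by your app
};
// PostAsJsonAsync serializes the payload and sets Content-Type: application/json
var result = await http.PostAsJsonAsync("https://your-backend/auth/check", payload);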
Game / Loader Integrations
Loaders and game tools often run before anything else. They’re a natural place to perform a key check.
Typical loader flow
- Show a simple window or console asking for a key.
- Send the key (plus app info + HWID) to your backend.
- Backend calls Phantom’s API to validate.
- If the response is ok, continue running; otherwise exit.
Unity-style pseudo example
// inside an async Unity method
var payload = new { appId = 1, key = userKey, hwid = hwidString };
// send JSON using UnityWebRequest, then check the status field
// in your backend's response
Web Integrations
Web dashboards can call Phantom from a backend API route while keeping vendor tokens off the client.
// example: Node.js backend route
app.post("/api/phantom/check", async (req, res) => {
  const { key, hwid } = req.body;
  // talk to Phantom from server-side
  // then proxy back a simple status to the browser
});
REST API
Phantom exposes JSON endpoints for vendor dashboards, bots and loaders. All protected routes require a Bearer token.
Auth
POST /login // email + password
POST /auth/token-login
Vendor
GET /vendor/apps
POST /vendor/apps
GET /vendor/apps/{appId}/keys
POST /vendor/apps/{appId}/keys/create
Error Codes
Most responses from Phantom include a short error string when something goes wrong.
- invalid_credentials — email or password wrong.
- no_token — missing Authorization header.
- invalid_token — JWT is expired or malformed.
- not_found — key or app doesn’t exist.
- server_error — unexpected exception.
FAQ
Can I rotate my vendor token?
Yes. Use the /vendor/token/regenerate endpoint.
Does Phantom care what my app does?
No. Phantom just answers “is this key valid?” and optionally tracks sessions. Your project keeps full control.