Hide.lat Documentation

Complete guide to using Hide.lat products and services

← Back to Home | Dashboard

Standalone Auth API

The Standalone Auth API allows you to implement key-based authentication for your external projects. This is perfect for monetizing applications, games, or services outside of Hide.lat's script ecosystem.

Premium/Deluxe Feature

Standalone Auth is available for Premium and Deluxe plan users. Upgrade your plan to access this feature.

Getting Started

  1. Navigate to Auth tab in your dashboard
  2. Click on Standalone Auth Keys tab
  3. Create a new project and copy your API Key
  4. Generate keys for your project
  5. Integrate the API into your application

API Endpoint

POST https:

Request Parameters

Parameter Type Required Description
api_key string Yes Your project's API key (found in Auth Manager)
key string Yes The user's license key to validate

Response Format

Success Response (200):

{
  "success": true,
  "message": "Key valid",
  "expires_at": "2024-12-31T23:59:59.000Z",
  "time_left": 2592000
}

Error Response (403):

{
  "error": "Invalid or banned key"
}

Common Error Codes

  • 400 - Missing required parameters
  • 403 - Invalid API key, banned key, expired key, or project disabled

Integration Examples

Python Example

import requests

def check_key(api_key, user_key):
    url = "https:
    data = {
        "api_key": api_key,
        "key": user_key
    }
    
    response = requests.post(url, json=data)
    result = response.json()
    
    if result.get("success"):
        print("Key is valid!")
        return True
    else:
        print(f"Error: {result.get('error')}")
        return False

# Usage
if check_key("AUTH-XXXXXXXX", "KEY-XXXXX"):
    # User is authenticated
    print("Access granted")
else:
    # User is not authenticated
    print("Access denied")
    exit()

JavaScript/Node.js Example

async function checkKey(apiKey, userKey) {
    const response = await fetch('https:
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({
            api_key: apiKey,
            key: userKey
        })
    });
    
    const result = await response.json();
    
    if (result.success) {
        console.log('Key is valid!');
        return true;
    } else {
        console.error('Error:', result.error);
        return false;
    }
}


const isValid = await checkKey('AUTH-XXXXXXXX', 'KEY-XXXXX');
if (isValid) {
    
} else {
    
}

Lua (Roblox) Example

local function checkKey(apiKey, userKey)
    local response = game:HttpGet("https:
        ["Content-Type"] = "application/json"
    }, {
        api_key = apiKey,
        key = userKey
    })
    
    local result = game:GetService("HttpService"):JSONDecode(response)
    
    if result.success then
        print("Key is valid!")
        return true
    else
        warn("Error: " .. result.error)
        return false
    end
end

-- Usage
local isValid = checkKey("AUTH-XXXXXXXX", "KEY-XXXXX")
if isValid then
    -- Grant access
else
    -- Deny access
end

C# Example

using System;
using System.Net.Http;
using System.Text;
using Newtonsoft.Json;

public class AuthChecker
{
    private static readonly HttpClient client = new HttpClient();
    
    public static async Task<bool> CheckKey(string apiKey, string userKey)
    {
        var payload = new
        {
            api_key = apiKey,
            key = userKey
        };
        
        var json = JsonConvert.SerializeObject(payload);
        var content = new StringContent(json, Encoding.UTF8, "application/json");
        
        var response = await client.PostAsync("https:
        var result = await response.Content.ReadAsStringAsync();
        var data = JsonConvert.DeserializeObject<dynamic>(result);
        
        if (data.success == true)
        {
            Console.WriteLine("Key is valid!");
            return true;
        }
        else
        {
            Console.WriteLine($"Error: {data.error}");
            return false;
        }
    }
}


bool isValid = await AuthChecker.CheckKey("AUTH-XXXXXXXX", "KEY-XXXXX");
if (isValid)
{
    
}
else
{
    
}

Ad Gateway System Deluxe Only

The Ad Gateway system allows users to complete advertisements in exchange for temporary access keys. This is perfect for monetizing free access to your projects.

How It Works

  1. Enable Ad Gateway for your project in the Auth Manager
  2. Configure the number of ad steps required (1-3)
  3. Set the key duration (hours) users receive after completion
  4. Users visit: https:
  5. After completing ads, users receive a temporary key

Gateway URL Format

https:
Note

The Ad Gateway feature requires a Deluxe plan and proper Work.ink API configuration on the server.

Configuration

In your project settings, you can configure:

  • Enable/Disable: Toggle the gateway on or off
  • Ad Steps: Number of ads users must complete (1-3)
  • Key Duration: How long the generated key lasts (in hours)

Script Obfuscation

Hide.lat provides powerful script obfuscation for Lua scripts, perfect for protecting your Roblox scripts and other Lua-based projects.

Obfuscation Tiers

We now offer Luraph obfuscation for Premium and Deluxe users, providing industry-leading protection for your scripts.

Plan Comparison

Plan Obfuscation Type Monthly Limit Extra Credits
Free Prometheus (Basic) Unlimited N/A
Premium Luraph (Advanced) 3/month $2.50/each
Deluxe Luraph (Advanced) 10/month $2.50/each

Luraph Protection Features

  • VM-Based Protection: Scripts run inside a custom virtual machine
  • Control Flow Obfuscation: Makes reverse engineering extremely difficult
  • String Encryption: All strings are encrypted and decrypted at runtime
  • Constant Encryption: Numbers and constants are protected
  • Anti-Tamper: Built-in detection for script modification
  • CDN Gateway: Secure loader system similar to LuArmor

Basic Protection (Free Users)

  • Prometheus: Basic obfuscation with variable renaming
  • Control Flow: Basic control flow changes
  • Unlimited Usage: No monthly limits

Additional Features

  • Universal Compatibility (Default): Best for most scripts - Maximum compatibility across all executors with strong protection
  • Raw Hosting: Direct script hosting without protection
  • Key System Integration: Built-in key validation
  • HWID Locking: Bind keys to specific hardware (Roblox only)

Purchasing Extra Credits

If you've used all your monthly Luraph obfuscations, you can purchase additional credits:

  • Each credit costs $2.50
  • Credits never expire
  • Pay via Stripe (Card) or CCPayment (Crypto)
  • Purchase in the dashboard under the Obfuscate section

Using Obfuscated Scripts

After obfuscating a script, you'll receive a loadstring. Use it like this:

-- If key system is enabled:
_G.script_key = "YOUR-KEY-HERE"
loadstring(game:HttpGet("https:

-- If no key system:
loadstring(game:HttpGet("https:

Key Management

Manage keys for both script obfuscation and standalone auth projects.

Key Types

  • Lifetime Keys: Never expire (duration: -1)
  • Time-Limited Keys: Expire after a set number of hours

Key Status

  • Unused: Key has not been activated yet
  • Active: Key is in use and valid
  • Expired: Key has passed its expiration date
  • Banned: Key has been manually banned

Bulk Operations

You can perform bulk operations on multiple keys at once:

  • Bulk Delete: Remove multiple keys at once
  • Bulk Ban: Ban multiple keys simultaneously
  • Bulk Reset: Reset HWID bindings (Script Keys only)

Webhooks & Logging

Set up Discord webhooks to receive notifications when keys are used or scripts are executed.

Webhook Configuration

  1. Create a Discord webhook in your server settings
  2. Copy the webhook URL
  3. Paste it in your project/script settings
  4. Configure what information to include (user, IP, etc.)

Webhook Events

  • Key Usage: Triggered when a key is validated
  • Script Execution: Triggered when an obfuscated script runs
Premium/Deluxe Feature

Discord webhooks are available for Premium and Deluxe plan users.

API Key Management

Manage API keys for third-party services like Work.ink, LootLabs, and Linkvertise. These keys are stored securely and used for gateway operations and integrations.

Supported Services

  • Work.ink: Used for Ad Gateway monetization. Requires both API key and URL.
  • LootLabs: For creating monetized redirect links with anti-bypass features.
  • Linkvertise: Anti-bypass verification token for target links.

Managing API Keys

  1. Navigate to Integrations → API Keys in your dashboard
  2. Enter your API key for the desired service
  3. For Work.ink, also provide your Work.ink URL
  4. Click Save to store the key
  5. Keys are encrypted and stored securely
Security Note

Never share your API keys. These keys are used to authenticate with third-party services and should be kept confidential.

LootLabs Integration

LootLabs allows you to create monetized redirect links with anti-bypass features. Users must complete advertisements before accessing your target URL.

Getting Started

  1. Obtain your LootLabs API token from the LootLabs Creator Panel
  2. Configure your API key in Integrations → API Keys
  3. Navigate to Integrations → LootLabs in your dashboard
  4. Create your first monetized link

API Endpoint

POST https:

Request Parameters

Parameter Type Required Description
title string Yes Link title (max 30 characters)
url string Yes Target URL to redirect to
tier_id integer Yes Ad tier (1-4): 1=Trending, 2=Gaming, 3=Profit Max, 4=Max Profit
number_of_tasks integer Yes Number of ads (1-5)
theme integer No Theme (1-5): 1=Classic, 2=Sims, 3=Minecraft, 4=GTA, 5=Space
thumbnail string No Thumbnail image URL or YouTube link

Response Format

{
  "success": true,
  "link": {
    "title": "My Link",
    "url": "https:
    "loot_url": "https:
    "short": "xxxx"
  },
  "id": "link-id"
}
Note

You must fill in your mandatory creator details in the LootLabs panel before the API will work. Visit LootLabs Creator Panel

Linkvertise Anti-Bypass

Linkvertise anti-bypass extends your target links with a hash parameter that must be verified on your backend to prevent bypassing advertisements.

Important
  • This ONLY works for Target-Links, NOT Paste-Links
  • Do not activate this unless you have built out the backend verification
  • If used incorrectly, visitors may not reach the target, resulting in negative user experience
  • This affects ALL your links

How It Works

  1. User completes ads on Linkvertise
  2. Linkvertise redirects to your target with ?hash=HASH_VALUE parameter
  3. The hash is stored on Linkvertise's side for 10 seconds
  4. Your backend must verify the hash immediately
  5. Hash is deleted after verification (one-time use)

Verification Endpoint

POST https:

Response Values

  • "TRUE" - Hash was found and deleted (valid)
  • "FALSE" - Hash could not be found (invalid or expired)
  • "Invalid token." - Authentication token is incorrect

Example Implementation


app.get('/your-target', async (req, res) => {
    const hash = req.query.hash;
    if (!hash) {
        return res.status(403).send('Missing hash parameter');
    }
    
    const token = 'YOUR_LINKVERTISE_TOKEN';
    const verifyUrl = `https:
    
    try {
        const response = await fetch(verifyUrl, { method: 'POST' });
        const result = await response.text();
        
        if (result === 'TRUE') {
            
            res.send('Access granted!');
        } else {
            
            res.status(403).send('Access denied');
        }
    } catch (error) {
        res.status(500).send('Verification failed');
    }
});

Getting Your Token

  1. Log into your Linkvertise Publisher Dashboard
  2. Navigate to API settings
  3. Generate an authentication token (64 characters)
  4. Configure it in Integrations → Linkvertise in your dashboard

Hide.lat Anti-Bypass API

Our own anti-bypass system allows you to generate and verify hashes for your target URLs, similar to Linkvertise but fully controlled by you.

Generate Hash

POST https:

Request Body

{
  "target_url": "https:
}

Response

{
  "hash": "f836af77649b195e92aaf46fd7aa397993a6fe985a03289f98beae12c267f9f3",
  "expires_at": "2024-01-01T12:00:10.000Z"
}

Verify Hash

POST https:

Request Body

{
  "hash": "f836af77649b195e92aaf46fd7aa397993a6fe985a03289f98beae12c267f9f3",
  "api_key": "YOUR_USER_ID_OR_API_KEY"
}

Response

{
  "valid": true
}
Note

Hashes expire after 10 seconds, just like Linkvertise. They can only be verified once and are deleted after successful verification.