Generate a valid tmpt anti-bot token for a target site, ready to replay.

Base URL & auth

All requests go to:

https://api.antibot.primeseats.dev

Every request must carry your license key in a header:

X-License-Key: tmpt_live_xxxxxxxxxxxxxxxx

Authorization: Bearer tmpt_live_… is also accepted.

Generate a token

POST /api/captcha/tmpt

Request body (JSON)

FieldTypeDescription
proxystringrequired Proxy used to mint the token. Format http://user:pass@host:port (or http://host:port). Use the same proxy when you replay the token.
targetstringrequired The site the token is for, e.g. https://www.eticketing.co.uk. Origin & host are derived from it.
actionstringoptional Flow action. Defaults to LoginPage. Common: Event, LoginPage.
user_agentstringoptional If set, the token is minted for this exact User-Agent. When no explicit client-hints are sent, sec_ch_ua* are derived from it. If omitted, a random desktop profile is used.
sec_ch_uastringoptional Pin the Sec-CH-UA header value instead of deriving it.
sec_ch_ua_platformstringoptional Pin Sec-CH-UA-Platform, e.g. "Windows", "macOS".
sec_ch_ua_mobilestringoptional Pin Sec-CH-UA-Mobile, e.g. ?0.
accept_languagestringoptional Pin Accept-Language, e.g. en-US,en;q=0.9.
site_keystringoptional reCAPTCHA site key. Defaults to the standard eps site key.

Success response — 200

{
  "success": true,
  "token": "Oeqx…the-tmpt-cookie-value…",
  "session_id": "a1b2c3…",
  "fingerprint": {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) … Chrome/148.0.0.0 Safari/537.36",
    "accept_language": "en-US,en;q=0.9",
    "sec_ch_ua": "\"Chromium\";v=\"148\", \"Google Chrome\";v=\"148\", \"Not/A)Brand\";v=\"99\"",
    "sec_ch_ua_mobile": "?0",
    "sec_ch_ua_platform": "\"Windows\""
  }
}
FieldDescription
tokenThe value to set as the tmpt cookie on your target request.
session_idThe eps session id bound to the token (informational).
fingerprintThe browser identity the token was minted for — replay these exact headers alongside the cookie.

Error response

{ "success": false, "error": "proxy required" }
HTTPMeaning
400Bad request (missing proxy/target, invalid JSON or proxy).
401License key missing or invalid.
402Quota exhausted.
403License revoked or expired.
429Per-second rate limit exceeded — retry shortly.
503Licensing backend temporarily unavailable.

Usage headers on every response: X-License-Plan, X-Usage-Used, X-Usage-Limit.

Example

# mint a token
curl -X POST https://api.antibot.primeseats.dev/api/captcha/tmpt \
  -H "X-License-Key: tmpt_live_xxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "proxy": "http://user:pass@host:port",
    "target": "https://www.eticketing.co.uk",
    "action": "Event"
  }'
Replaying the token. On your request to target, send the cookie tmpt=<token> together with the user_agent, accept_language and sec_ch_ua* headers exactly as returned in fingerprint. Use the same proxy.

Pinning your own identity

When your session already runs a fixed browser identity, pin it so the token matches. Send user_agent alone to auto-derive the hints, or pin the full set — only the remaining fingerprint fields (screen, WebGL, …) are randomized.

{
  "proxy": "http://user:pass@host:port",
  "target": "https://www.eticketing.co.uk",
  "action": "Event",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36",
  "sec_ch_ua": "\"Chromium\";v=\"148\", \"Google Chrome\";v=\"148\", \"Not/A)Brand\";v=\"99\"",
  "sec_ch_ua_platform": "\"macOS\"",
  "sec_ch_ua_mobile": "?0",
  "accept_language": "en-US,en;q=0.9"
}

Every pinned field is echoed back verbatim in the response fingerprint; anything you omit is derived (from the UA) or randomized.

Health

GET /health — no key required. Returns service status.