Generate a valid tmpt anti-bot token for a target site, ready to replay.
All requests go to:
https://api.antibot.primeseats.dev
Every request must carry your license key in a header:
X-License-Key: tmpt_live_xxxxxxxxxxxxxxxx
Authorization: Bearer tmpt_live_… is also accepted.
POST /api/captcha/tmpt
| Field | Type | Description | |
|---|---|---|---|
proxy | string | required | Proxy used to mint the token. Format http://user:pass@host:port (or http://host:port). Use the same proxy when you replay the token. |
target | string | required | The site the token is for, e.g. https://www.eticketing.co.uk. Origin & host are derived from it. |
action | string | optional | Flow action. Defaults to LoginPage. Common: Event, LoginPage. |
user_agent | string | optional | If set, the token is minted for this exact User-Agent. When no explicit client-hints are sent, sec_ch_ua* are derived from it. If omitted, a random desktop profile is used. |
sec_ch_ua | string | optional | Pin the Sec-CH-UA header value instead of deriving it. |
sec_ch_ua_platform | string | optional | Pin Sec-CH-UA-Platform, e.g. "Windows", "macOS". |
sec_ch_ua_mobile | string | optional | Pin Sec-CH-UA-Mobile, e.g. ?0. |
accept_language | string | optional | Pin Accept-Language, e.g. en-US,en;q=0.9. |
site_key | string | optional | reCAPTCHA site key. Defaults to the standard eps site key. |
200{
"success": true,
"token": "Oeqx…the-tmpt-cookie-value…",
"session_id": "a1b2c3…",
"fingerprint": {
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) … Chrome/148.0.0.0 Safari/537.36",
"accept_language": "en-US,en;q=0.9",
"sec_ch_ua": "\"Chromium\";v=\"148\", \"Google Chrome\";v=\"148\", \"Not/A)Brand\";v=\"99\"",
"sec_ch_ua_mobile": "?0",
"sec_ch_ua_platform": "\"Windows\""
}
}
| Field | Description |
|---|---|
token | The value to set as the tmpt cookie on your target request. |
session_id | The eps session id bound to the token (informational). |
fingerprint | The browser identity the token was minted for — replay these exact headers alongside the cookie. |
{ "success": false, "error": "proxy required" }
| HTTP | Meaning |
|---|---|
400 | Bad request (missing proxy/target, invalid JSON or proxy). |
401 | License key missing or invalid. |
402 | Quota exhausted. |
403 | License revoked or expired. |
429 | Per-second rate limit exceeded — retry shortly. |
503 | Licensing backend temporarily unavailable. |
Usage headers on every response: X-License-Plan, X-Usage-Used, X-Usage-Limit.
# mint a token
curl -X POST https://api.antibot.primeseats.dev/api/captcha/tmpt \
-H "X-License-Key: tmpt_live_xxxxxxxx" \
-H "Content-Type: application/json" \
-d '{
"proxy": "http://user:pass@host:port",
"target": "https://www.eticketing.co.uk",
"action": "Event"
}'
target, send the cookie
tmpt=<token> together with the user_agent, accept_language
and sec_ch_ua* headers exactly as returned in fingerprint. Use the same proxy.
When your session already runs a fixed browser identity, pin it so the token matches. Send user_agent alone to auto-derive the hints, or pin the full set — only the remaining fingerprint fields (screen, WebGL, …) are randomized.
{
"proxy": "http://user:pass@host:port",
"target": "https://www.eticketing.co.uk",
"action": "Event",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36",
"sec_ch_ua": "\"Chromium\";v=\"148\", \"Google Chrome\";v=\"148\", \"Not/A)Brand\";v=\"99\"",
"sec_ch_ua_platform": "\"macOS\"",
"sec_ch_ua_mobile": "?0",
"accept_language": "en-US,en;q=0.9"
}
Every pinned field is echoed back verbatim in the response fingerprint; anything you omit is derived (from the UA) or randomized.
GET /health — no key required. Returns service status.