overview

The Syntrix key system is a multi-step flow that runs entirely on the Syntrix backend. When a user runs your script in an executor, the loader contacts the Syntrix API to validate a key before releasing the payload.

The Full Flow

User runs script in executor
        │
        ▼
Loader requests a challenge token
        │
        ▼
Challenge verified → POST /api/execute with { key, scriptId, hwid, challenge }
        │
        ├─ Key valid, HWID matches → payload returned (your obfuscated script)
        └─ Key invalid / banned   → error returned (loader shows message)

Before the user has a key, they go through the Get Key flow:

User opens Get Key page (/getkey/:scriptId)
        │
        ▼
Session created → user completes link shortener steps (Linkvertise, LootLabs, etc.)
        │
        ▼
Each step redirects back to /api/getkey/:scriptId/verify
        │
        ▼
All steps complete → key generated, bound to user's HWID

Key Concepts

Services

A Service is a top-level container for your scripts. Every script must belong to a service. Services can be set to keyless mode independently of individual providers.

Providers

A Provider is attached to a script and defines:

Which link shortener steps users must complete
How long keys are valid (timed, permanent, limited, onetime)
Whether the script is keyless (globally or by day)
HWID limit per key

Integrations

An Integration is a connected account with a link shortener service (e.g. your Linkvertise publisher ID, your LootLabs API token). Integrations are added to provider steps.

Keys

Keys are generated after a user completes all provider steps. They are:

Bound to the user's HWID on first validation
Stored with a type: timed (expires after X minutes), permanent, limited (N uses), or onetime
Revocable from the dashboard at any time

HWID Locking

When a key is first used, the HWID sent by the executor is stored against that key. All future validations must match. If the HWID changes (e.g. the user switches PC), validation fails with:

Bound to different hardware

You can reset a key's HWID from the Keys tab in the dashboard.

Anti-Bot & Deception

The /api/execute endpoint runs a bot detection pass on every request. If flagged as a bot, the server returns a fake success response with a script that errors after a delay — the bot never knows it was rejected.

Honeypot routes (/api/getscript, /api/raw, etc.) auto-ban any IP that hits them for 7 days.

Previouspreset gui Nextcustom gui

Good evening

hashtagThe Full Flow

hashtagKey Concepts

hashtagServices

hashtagProviders

hashtagIntegrations

hashtagKeys

hashtagHWID Locking

hashtagAnti-Bot & Deception