My App
Configuration Files

Web API

Configuration reference for web_api.json.

Introduction

The Web API configuration file (web_api.json) manages the built-in web server for API endpoints, webhooks, and external integrations.

Port

Type: String

Server port for the Web API.

port: "3111"

The bot will listen for HTTP requests on this port.

Authentication Key

Type: Array of Strings

API keys required to access endpoints.

authentication_key: ['09563-34763-36235-36235', 'second-key-here']

Security Warning: Change the default authentication key immediately! Never share these keys publicly.

Requests must include one of these keys in the authentication header.

Whitelisted IPs

Type: Array of Strings

IP addresses allowed to access the API.

whitelisted_ips: ['18.209.80.3', '54.87.231.232', '203.0.113.0']

Default IPs included:

  • 18.209.80.3 - Tebex server
  • 54.87.231.232 - Tebex server

Important: Do not remove the Tebex IPs if you use the Tebex integration, or webhooks will fail.

Secure Mode

Type: Boolean

Restrict API to whitelisted IPs only.

secure_mode: false

When true: Only whitelisted IPs can access the API (still requires authentication)

When false: All IPs can access with valid authentication key

Base IP

Type: String

Base URL for API hooks and webhooks.

base_ip: "bot.example.com"

Format options:

  • With domain: "bot.example.com" or "api.example.com"
  • Without domain: "192.168.1.100:3111" (IP:port format)

Used to construct full URLs for external services like Tebex webhooks.

Rate Limit

Prevent API abuse with request limiting.

enabled

Type: Boolean

Enable rate limiting.

rate_limit: {
    enabled: true,
}

window_ms

Type: Number

Time window for rate limit in milliseconds.

window_ms: 300000

Example: 300000 = 5 minutes (300,000 milliseconds)

After this window elapses, the request count resets for that client.

max

Type: Number

Maximum requests per window.

max: 150

Clients exceeding this limit during the time window will be rate limited.

proxied

Type: Boolean

Whether API is behind a reverse proxy.

proxied: false

When true: Bot uses proxy headers to identify real client IP (required for Nginx/Apache)

When false: Direct connection IP is used

Reverse Proxy Users: If you use Nginx, Apache, or Cloudflare in front of the bot, set this to true to ensure correct IP detection for rate limiting and security.

proxies_between_user_and_server

Type: Number

Number of proxy layers between client and bot.

proxies_between_user_and_server: 1

Only relevant when proxied is true.

Examples:

  • Direct proxy: 1
  • Cloudflare + Nginx: 2

Complete Configuration Example

Here's a production-ready Web API configuration:

{
    config: {
        port: "3111",

        authentication_key: ['your-secure-key-here-change-this'],

        whitelisted_ips: [
            '18.209.80.3',      // Tebex
            '54.87.231.232',    // Tebex
            '203.0.113.10',     // Your server IP
        ],

        secure_mode: true,

        base_ip: "api.yourserver.com",

        rate_limit: {
            enabled: true,
            window_ms: 300000,
            max: 150,
            proxied: true,
            proxies_between_user_and_server: 1,
        },
    },
}

Permission

Configuration reference for permission.json.

AthenaBot Terms of Service

Software License Agreement for AthenaBot — standard and source tier.

On this page

IntroductionPortAuthentication KeyWhitelisted IPsSecure ModeBase IPRate Limitenabledwindow_msmaxproxiedproxies_between_user_and_serverComplete Configuration Example