Skip to content

Reseller API guide

HTTP API for authorized partners who resell Roblox resolve capacity. Calls hit the same upstream resolve pipeline as Discord /resolve, authenticated with your personal SSW-* key.

Interactive reference (Swagger): API docs — served live from your Sinister host.


What this API is

YesNo
Automate username, game, VIP, reserved resolves from your backendReplace SinisterClient or cookie linking for end users
Integrate resolves into your own panel or botGrant Sinister Script or in-game UI access
Yuni-compatible GET paths plus legacy POST aliasesObfuscate Lua (OBF-* is a separate product)

Reseller keys meter resolve calls only. They do not include subscriber features (desktop app, script builds, Discord sub perks) unless you also sell those separately.


Base URL

All paths are on your Sinister host — the same HTTPS domain as the public app and help site:

https://YOUR_SINISTER_HOST

Examples below use placeholders. Replace YOUR_SINISTER_HOST and SSW-YOUR_KEY.

Discovery:

URLPurpose
/api/docsSwagger UI (try requests in browser)
/api/openapi.jsonMachine-readable OpenAPI 3 spec

Authentication

Send your reseller key on every resolve request.

http
X-API-Key: SSW-YOUR_KEY

Alternate header (legacy)

http
X-Proxy-API-Key: SSW-YOUR_KEY

Query string (avoid in production logs)

http
GET /api/roblox?username=RobloxUser&api_key=SSW-YOUR_KEY

Bearer SSW-… in X-API-Key is also accepted.

Staff keys (not for resellers)

/staff/* routes use a separate X-Staff-API-Key configured on the server. That key manages reseller keys; it is not your SSW-* resolve key. Never embed staff keys in client apps.


Getting a reseller key

SSW-* keys are issued by Sinister Softworks to approved partners. You receive:

FieldMeaning
SSW-…API key value
ExpiryOptional expiration timestamp
Daily limitOptional max resolves per UTC day (0 = unlimited)
LabelInternal note for support

Contact support or your account rep to request a key, rotation, or limit change.


Response format

Success

json
{
  "success": true,
  "response": "Command sent",
  "ip": "203.0.113.10",
  "port": "53640"
}
  • ip / port — join target returned by the resolver (string port is normal).
  • response — human-readable status from upstream.

Failure

json
{
  "success": false,
  "error": "User is not in a game"
}

HTTP status is usually 200 with success: false for resolve failures. Auth and limit errors use 403 / 429 / 503 as listed below.


Shared query parameters

Most GET resolve endpoints accept:

ParameterTypeDefaultPurpose
cookiestringOptional .ROBLOSECURITY for upstream (use carefully; prefer server-side storage)
hubboolfalseHub-mode teleport resolves (username / userid paths)
powernumber3Resolve power passed upstream
secondsinteger0Duration / timeout hint upstream

Resolve endpoints (GET)

Preferred paths use the /api/resolve/… prefix. Legacy yuni names (/api/roblox, etc.) call the same handlers.

Username snipe

http
GET /api/resolve/username?username=DisplayName
GET /api/roblox?username=DisplayName
ParamRequired
usernameYes

User ID

http
GET /api/resolve/userid?userid=123456789
GET /api/roblox-id?userid=123456789

In-game (place + job)

http
GET /api/resolve/game?placeid=920587237&gameid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
GET /api/roblox-game?placeid=920587237&gameid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
ParamRequired
placeidYes (integer)
gameidYes (job UUID string)

Reserved server

http
GET /api/resolve/reserved?placeid=920587237&accesscode=YOUR_ACCESS_CODE
GET /api/roblox-reserved?placeid=920587237&accesscode=YOUR_ACCESS_CODE
http
GET /api/resolve/private/linkid?linkid=1234567890123456789
GET /api/roblox-private-linkid?linkid=1234567890123456789
http
GET /api/resolve/private/linkcode?placeid=920587237&linkcode=AbCdEfGh
GET /api/roblox-private-linkcode?placeid=920587237&linkcode=AbCdEfGh

Private server — access code

http
GET /api/resolve/private/accesscode?placeid=920587237&accesscode=YOUR_CODE
GET /api/roblox-private-accesscode?placeid=920587237&accesscode=YOUR_CODE

Friend private server

http
GET /api/resolve/private/friends?friend=FriendUsername&placeid=920587237
GET /api/roblox-private-friends?friend=FriendUsername&placeid=920587237

Legacy POST endpoints

Older integrations may use JSON POST bodies. Same auth headers apply.

Snipe (username)

http
POST /api/snipe
Content-Type: application/json
X-API-Key: SSW-YOUR_KEY
json
{
  "username": "DisplayName",
  "hub": false,
  "power": 3,
  "seconds": 0,
  "cookie": null
}

Game (place + job)

http
POST /api/game
json
{
  "placeid": 920587237,
  "jobid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "hub": false,
  "power": 3,
  "seconds": 0
}
http
POST /api/vip
json
{
  "code": "1234567890123456789",
  "power": 7,
  "seconds": 300
}

code is the private server link id (same as linkid on GET routes).


Example: curl

bash
curl -sS -G "https://YOUR_SINISTER_HOST/api/resolve/username" \
  -H "X-API-Key: SSW-YOUR_KEY" \
  --data-urlencode "username=TargetUser" \
  --data-urlencode "power=5"

Example: Python

python
import requests

HOST = "https://YOUR_SINISTER_HOST"
KEY = "SSW-YOUR_KEY"

def resolve_username(username: str, *, power: float = 3.0) -> dict:
    r = requests.get(
        f"{HOST}/api/resolve/username",
        headers={"X-API-Key": KEY},
        params={"username": username, "power": power},
        timeout=60,
    )
    r.raise_for_status()
    data = r.json()
    if not data.get("success"):
        raise RuntimeError(data.get("error") or "resolve failed")
    return data

print(resolve_username("SomeRobloxUser"))

Rate limits and quotas

Limit typeBehavior
Per-key daily capIf your key has daily_resolves set, exceeding it returns 403 with a daily-limit message until UTC reset
Upstream cooldownResolver may return error: "Rate limited" → HTTP 429; back off exponentially
AbuseKeys may be suspended without notice if traffic is abusive

Do not hammer the API on 429. Wait at least a few seconds and retry with jitter.

Each successful resolve increments your key’s counters server-side for billing and support.


HTTP status codes

CodeMeaning
200Request processed (check success in JSON)
400Missing or invalid query/body parameter
403Missing key, invalid key, expired key, suspended key, or daily limit
429Upstream rate limited (Rate limited in body)
500Unexpected server error
503Reseller API disabled, key service down, or upstream resolver unavailable

Security practices

  1. Server-side only — never ship SSW-* keys in browser JavaScript, mobile apps, or public Git repos.
  2. Rotate on leak — contact support immediately; old key will be suspended.
  3. Log safely — redact keys in application logs; in support tickets share only the last four characters of the key plus UTC timestamp and path.
  4. Cookies — if you pass cookie query/body params, treat them as secrets at rest.
  5. HTTPS only — do not call the API over plain HTTP in production.

Product comparison

ProductKey prefixPurpose
Reseller APISSW-*HTTP resolves for partners
Obfuscator APIOBF-*/api/v1/obfuscate/*
Client buildSCB-*SinisterClient desktop
Script buildSSB-*Sinister Script in-game

See Obfuscator API quickstart for OBF-*.


Vs retail Sinister subscription

Reseller APINormal subscription
You integrate HTTP into your productEnd users use Discord + optional SinisterClient
Per-key meteringPer-user plan flags and daily limits
No cookie portal for your customers unless you build it/auto-link and client proxy built-in

Many partners sell both: retail subs for consumers and API keys for automation.


Support checklist

When opening a ticket, include:

  1. UTC timestamp of the failure
  2. Full request path without the key value
  3. HTTP status code and error field from JSON body
  4. Last four characters of SSW-* key
  5. Resolve type (username, game, VIP, etc.)