Authentication
Every request is a POST to a single endpoint. You authenticate by including your API key as the key field in the request body — either form-encoded or JSON.
Where to get your key: sign in, then visit /panels/api. Keys never expire but can be revoked at any time.
Form-encoded
POST /api/v2
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=balance"
JSON
POST /api/v2
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-H "Content-Type: application/json" \
-d '{"key":"YOUR_API_KEY","action":"balance"}'
HMAC signature optional
For requests originating from untrusted environments you can sign each call with HMAC-SHA256. Add a sign field whose value is hex(hmac_sha256(api_key, canonical_body)). If sign is present the server verifies it; if absent the API key alone is enough.
python
import hmac, hashlib, requests
api_key = "YOUR_API_KEY"
payload = {"key": api_key, "action": "balance"}
canonical = "&".join(f"{k}={v}" for k,v in sorted(payload.items()))
sign = hmac.new(api_key.encode(), canonical.encode(), hashlib.sha256).hexdigest()
payload["sign"] = sign
r = requests.post("https://auto7qaat.1629.lol/api/v2", data=payload)
POSTList services
Returns every active, non-hidden service available to your account, including any custom rates or discounts applied to your user.
Request
| Field | Description |
|---|
| key required | Your API key |
| action required | Always services |
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=services"
Response
200 OK application/jsonArray
[
{
"service": 1234,
"name": "Instagram Followers — High Quality",
"type": "default",
"category": "Instagram",
"rate": "0.45",
"min": 100,
"max": 100000,
"dripfeed": false,
"refill": true,
"cancel": true,
"avg_time": 3600
}
]
Rate is per 1000 units in your panel's display currency. avg_time is the average completion time in seconds.
POSTPlace an order
Charges the user's wallet and dispatches the order to the configured provider. Returns an order ID you can poll with status.
Request — core fields
| Field | Description |
|---|
| key required | Your API key |
| action required | Always add |
| service required | Service ID from the services list. Matched against the per-domain local_id first, then the global id. |
| link | Target URL (profile, post, channel, etc.). Max 1000 chars. If the URL is missing a protocol, https:// is added automatically. Required for all service types except Package, Custom Comments Package, and Custom Comments. |
| quantity required | Units to order. Must be between the service's min and max. Ignored for Package/Custom Comments Package (auto-set to 1). |
Request — drip-feed (only if service supports it)
| Field | Description |
|---|
| runs optional | Number of runs to split the order into. 1 – 1000. Charge is multiplied by runs. |
| interval optional | Minutes between runs. 1 – 43200 (30 days). Total runs × interval must not exceed 10080 minutes (1 week). |
Request — service-type extras
| Field | Description |
|---|
| comments optional | Custom Comments / Custom Comments Package: newline-separated list of comments. Max 10000 chars. |
| usernames optional | Mentions services: newline-separated list of @usernames to mention. Max 10000 chars. |
| username optional | Mentions Custom Source: single source username to scrape mentions from. |
| hashtags / hashtag optional | Mentions Hashtag: hashtag(s) to target. |
| posts optional | Subscriptions / Comments On Latest Posts: how many recent posts to target. |
| old_posts optional | Include this many older posts in addition to posts. |
| delay optional | Subscriptions: minutes to wait before each new-post action. |
| expiry optional | Subscriptions: subscription end date (YYYY-MM-DD or ISO datetime). |
| min optional | Subscriptions: minimum quantity per post. |
| max optional | Subscriptions: maximum quantity per post. |
| answer_number optional | Poll Votes: which option number to vote for. |
Service-type quick reference. The type returned by services tells you which extras apply. default uses link+quantity only; Package & Custom Comments Package ignore quantity; Custom Comments needs comments; Subscriptions uses posts/min/max/delay/expiry; Mentions* uses usernames, username, or hashtags depending on variant; Poll uses answer_number.
Idempotency
Send an idempotency token to safely retry the same order without double-charging. Replays within 24 hours return the original response unchanged. Either form works:
| Where | Field / header |
|---|
| HTTP header | Idempotency-Key: <any-string> |
| Body field | idempotency_key=<any-string> |
Token length is capped at 128 chars. While the first request with a given token is in flight, a second request with the same token returns 409 Duplicate request instead of being processed twice.
curlPlace order
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-H "Idempotency-Key: order-2026-05-16-8842" \
-d "key=YOUR_API_KEY" \
-d "action=add" \
-d "service=1234" \
-d "link=https://instagram.com/yourtarget" \
-d "quantity=1000"
Response
200 OKResponse
{
"order": 8842
}
POSTOrder status
Look up a single order or up to 100 orders at once.
| Field | Description |
|---|
| key required | Your API key |
| action required | Always status |
| order | Single order ID |
| orders | Comma-separated IDs (alternative to order) |
Single order — request
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=status" \
-d "order=8842"
Response
200 OKResponse
{
"charge": "0.45",
"start_count": "14523",
"status": "In progress",
"remains": "1000",
"currency": "USD"
}
Possible status values: Pending, In progress, Completed, Partial, Canceled, Refunded, Error.
Multi-status — request
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=status" \
-d "orders=8842,8843,8844"
POSTAccount balance
Returns the current wallet balance of the authenticated user.
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=balance"
Response
200 OKResponse
{
"balance": "42.81",
"currency": "USD"
}
POSTCancel orders
Requests cancellation for one or more orders. Only orders whose service supports cancel (and that have not started yet) will succeed; the response reports per-order status.
| Field | Description |
|---|
| action required | Always cancel |
| order | Single order ID |
| orders | Comma-separated IDs |
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=cancel" \
-d "orders=8842,8843"
POSTRefill orders
Requests a refill on completed orders whose service supports refill. Returns one refill ID per order; poll it with refill_status.
| Field | Description |
|---|
| action required | Always refill |
| order | Single order ID |
| orders | Comma-separated IDs |
Refill — request
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=refill" \
-d "order=8842"
Response
200 OKResponse
{
"refill": 317
}
Refill status
curl
curl -X POST https://auto7qaat.1629.lol/api/v2 \
-d "key=YOUR_API_KEY" \
-d "action=refill_status" \
-d "refill=317"
Errors & rate limits
Errors are returned with an HTTP status code (400, 401, 429, etc.) and a JSON body of the form {"error":"..."}.
| Code | Meaning |
|---|
| 400 | Bad request — missing or invalid field |
| 401 | Invalid API key |
| 402 | Insufficient balance |
| 409 | Duplicate Idempotency-Key in flight |
| 429 | Rate limit exceeded (per-IP or per-user) |
| 500 | Server error — please retry with backoff |
Rate limits
| Limit | Value |
|---|
| Global per-IP | 100 requests/sec at the edge |
| Per authenticated user | Soft cap — return 429 over the configured threshold |
| Per-user order placement | action=add only — hardcoded floor of 30 orders/min. Admins can lower this via the sec_order_max_per_min setting, never raise it. |
| Invalid-key auto-block | Repeated failed API-key attempts from the same IP temporarily block that IP (returns 429 before the body is even parsed) |
Keep your key safe. Revoke from /panels/api takes effect immediately.