ActiveCode API Guide

Complete Guide for Authenticating ActiveCode Users with the Player API

CRITICAL: Authentication Requirements for ActiveCode

When using ActiveCode subscriptions, the mac (Device ID) parameter is REQUIRED on ALL URLs, not just API endpoints.

This includes:

If appname is configured, it must also be included in ALL URLs consistently.

Understanding Security Layers
Layer 1: Device ID Security REQUIRED

The Device ID is a unique identifier that provides the first layer of security for your ActiveCode authentication. Think of it as a digital fingerprint for each device using your service.

How it Works:
  • Pairing: When a device first authenticates, its Device ID gets paired with the ActiveCode
  • Persistence: The same Device ID must be used for ALL requests and URLs
  • Security: This prevents unauthorized access even if someone obtains your ActiveCode
  • Universal Requirement: Must be included in every single URL when using ActiveCode
Device ID Requirements:
  • Must be unique per device
  • Should remain the same even after app reinstallation
  • Can be device MAC address or any static hardware identifier
  • Must be consistent across ALL API calls and streaming URLs
Important: Once a Device ID is paired with an ActiveCode, only that specific device can access the streams. This ensures that credentials cannot be shared across multiple devices.
Layer 2: Application Lock (Optional)

The Application Lock provides an additional optional security layer by binding the ActiveCode to a specific application. This ensures that even if someone has the correct Device ID and ActiveCode, they can only access streams through your authorized application.

Application Lock Benefits:
  • App-Specific Access: Lock ActiveCodes to your specific application
  • Prevent Cloning: Stops users from using credentials in unauthorized apps
  • Brand Protection: Ensures users only access through your branded app
  • Enhanced Control: Additional layer beyond device locking
How to Implement:
  • Add appname parameter to ALL API calls and URLs
  • Use a consistent app name or serial number
  • Can be your app's name or a fixed serial key
  • Must remain constant across ALL requests and streaming URLs
Tip: Using the appname parameter is optional but highly recommended for production applications. If you use it, it must be included in ALL URLs, not just API endpoints.

Skip Development - Get Your Ready App Now!

Forget about complex API integration, decryption functions, and endless testing. Get your 2-in-1 ActiveCode Ready App customized for your panel!

Android & iOS Ready

Fully functional apps for both platforms

Pre-Integrated API

All endpoints already configured with proper authentication

Device ID Security

Built-in device pairing for all URLs

What is included

  • Fully branded app with your logo & name
  • ActiveCode authentication system ready
  • Username/Password based system ready
  • Device ID on ALL URLs automatically
  • Application lock (appname) support included
  • Live TV, VOD & Series support
  • EPG integration included
  • Automatic decryption handling
  • Ready for App Store & Play Store

- Order Your Custom App -

Order Your Custom App Now
Streaming URL Authentication

IMPORTANT: When using ActiveCode subscriptions, authentication parameters must be included in ALL streaming URLs, not just API endpoints.

Examples of Streaming URLs that REQUIRE authentication:
Live Stream URL
# Live stream playback URL
http://your.dns:stream_port/live/{ActiveCode}/{DecryptPassword}/{stream_id}.ts?mac={yourdeviceid}
http://your.dns:stream_port/live/{ActiveCode}/{DecryptPassword}/{stream_id}.m3u8?mac={yourdeviceid}

# With Application Lock
http://your.dns:stream_port/live/{ActiveCode}/{DecryptPassword}/{stream_id}.ts?mac={yourdeviceid}&appname={YourAppName}
VOD Stream URL
# VOD playback URL
http://your.dns:stream_port/movie/{ActiveCode}/{DecryptPassword}/{vod_id}.mp4?mac={yourdeviceid}
http://your.dns:stream_port/movie/{ActiveCode}/{DecryptPassword}/{vod_id}.mkv?mac={yourdeviceid}

# With Application Lock
http://your.dns:stream_port/movie/{ActiveCode}/{DecryptPassword}/{vod_id}.mp4?mac={yourdeviceid}&appname={YourAppName}
Series Episode URL
# Series episode playback URL
http://your.dns:stream_port/series/{ActiveCode}/{DecryptPassword}/{episode_id}.mp4?mac={yourdeviceid}

# With Application Lock
http://your.dns:stream_port/series/{ActiveCode}/{DecryptPassword}/{episode_id}.mp4?mac={yourdeviceid}&appname={YourAppName}
M3U Playlist URL
# M3U playlist URL
http://your.dns:stream_port/get.php?username={ActiveCode}&password={DecryptPassword}&type=m3u_plus&output=ts&mac={yourdeviceid}

# With Application Lock
http://your.dns:stream_port/get.php?username={ActiveCode}&password={DecryptPassword}&type=m3u_plus&output=ts&mac={yourdeviceid}&appname={YourAppName}
Warning: Streaming URLs without the mac parameter will be rejected for ActiveCode subscriptions. Always ensure the Device ID is included in every URL.
Panel Configuration
1
Set Up Decryption Key

This key is crucial for decrypting the password string your app will receive.

Navigate to: General Settings > General Tab > Load Balancing Key

2
Set Up ActiveCode Unique Password

This is the unique password associated with an ActiveCode (additional security) that your app will need to retrieve.

Navigate to: General Settings > Streaming Tab > Unique Password

The Authentication Process
1
Fetch the Encrypted Password

Make a GET request to the following API endpoint to retrieve the encrypted unique password string.

GET http://your.dns:stream_port/player_api.php?action=getactivecodepass
2
Decrypt the Password String

Use the Load Balancing Key you set in the panel to decrypt the string received from the player_api call. We've provided the necessary functions in multiple languages below.

3
Authenticate the User

Once you have the decrypted password, you can authenticate the user via the Player API and use these credentials for ALL URLs.

  • mac: Required Your unique device identifier (MAC address or static hardware ID) - Required on ALL URLs
  • username: Use the ActiveCode as username
  • password: Use the decrypted Unique Password
  • appname: Optional Your application name or fixed serial (if used, required on ALL URLs)
Player API Endpoints

Below are all available Player API endpoints. Replace the placeholders with your actual values:

  • {yourdeviceid} - Required Your unique device identifier (required on ALL URLs)
  • {ActiveCode} - The ActiveCode username
  • {DecryptPassword} - The decrypted password from step 2
  • {YourAppName} - Optional Your application name or fixed serial for app locking (if used, required on ALL URLs)
  • X - Specific ID values (category_id, stream_id, etc.)
Critical: The mac parameter is REQUIRED on ALL URLs when using ActiveCode subscriptions. The appname parameter is optional but if used, it must be included in ALL URLs consistently.
Authentication & User Info
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&appname={YourAppName}
Live Streams
Get Live Stream Categories
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_live_categories

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_live_categories&appname={YourAppName}
Get All Live Streams
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_live_streams

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_live_streams&appname={YourAppName}
Get Live Streams by Category
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_live_streams&category_id=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_live_streams&category_id=X&appname={YourAppName}
Get Short EPG for Live Stream
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_short_epg&stream_id=X
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_short_epg&stream_id=X&limit=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_short_epg&stream_id=X&appname={YourAppName}
Get Full EPG for Live Stream
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_simple_data_table&stream_id=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_simple_data_table&stream_id=X&appname={YourAppName}
VOD (Video on Demand)
Get VOD Categories
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_categories

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_categories&appname={YourAppName}
Get All VOD Streams
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_streams

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_streams&appname={YourAppName}
Get VOD Streams by Category
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_streams&category_id=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_streams&category_id=X&appname={YourAppName}
Get Latest VOD Streams Returns 100 latest
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_latest

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_latest&appname={YourAppName}
Get VOD Info
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_info&vod_id=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_vod_info&vod_id=X&appname={YourAppName}
Series
Get Series Categories
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series_categories

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series_categories&appname={YourAppName}
Get All Series
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series&appname={YourAppName}
Get Series by Category
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series&category_id=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series&category_id=X&appname={YourAppName}
Get Latest Series Returns 100 latest
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series_latest

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series_latest&appname={YourAppName}
Get Series Info
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series_info&series_id=X

# With Application Lock (Optional)
GET http://your.dns:stream_port/player_api.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&action=get_series_info&series_id=X&appname={YourAppName}
Special Endpoints
Get ActiveCode Password (Encrypted)
GET http://your.dns:stream_port/player_api.php?action=getactivecodepass
Full EPG List (XMLTV Format)
GET http://your.dns:stream_port/xmltv.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}

# With Application Lock (Optional)
GET http://your.dns:stream_port/xmltv.php?mac={yourdeviceid}&username={ActiveCode}&password={DecryptPassword}&appname={YourAppName}
API String Decryption Functions

Here are the functions for AES-256-CBC decryption. Use the `decrypt` function in your application with your Load Balancing Key to decode the API response.


function decrypt($data, $key) {
    $key = hash('sha256', $key, true);
    $data = base64_decode($data);
    $iv = substr($data, 0, 16);
    $ciphertext = substr($data, 16);
    return openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}


import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Base64;

public class Crypto {

    public static String decrypt(String data, String key) throws Exception {
        byte[] keyBytes = MessageDigest.getInstance("SHA-256").digest(key.getBytes());
        byte[] combined = Base64.getDecoder().decode(data);
        byte[] iv = new byte[16];
        byte[] ciphertext = new byte[combined.length - 16];
        
        System.arraycopy(combined, 0, iv, 0, 16);
        System.arraycopy(combined, 16, ciphertext, 0, ciphertext.length);
        
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(iv));
        
        return new String(cipher.doFinal(ciphertext));
    }
}


import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.MessageDigest
import java.util.Base64

object Crypto {

    fun decrypt(data: String, key: String): String {
        val keyBytes = MessageDigest.getInstance("SHA-256").digest(key.toByteArray())
        val combined = Base64.getDecoder().decode(data)
        val iv = combined.copyOfRange(0, 16)
        val ciphertext = combined.copyOfRange(16, combined.size)
        
        val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
        cipher.init(Cipher.DECRYPT_MODE, SecretKeySpec(keyBytes, "AES"), IvParameterSpec(iv))
        
        return String(cipher.doFinal(ciphertext))
    }
}


const crypto = require('crypto');

function decrypt(data, key) {
    const keyBuf = crypto.createHash('sha256').update(key).digest();
    const combined = Buffer.from(data, 'base64');
    const iv = combined.subarray(0, 16);
    const ciphertext = combined.subarray(16);
    
    const decipher = crypto.createDecipheriv('aes-256-cbc', keyBuf, iv);
    let plaintext = decipher.update(ciphertext);
    plaintext = Buffer.concat([plaintext, decipher.final()]);
    
    return plaintext.toString('utf8');
}


/*
Add dependencies to your pubspec.yaml:
dependencies:
  encrypt: ^5.0.1
  crypto: ^3.0.1
*/

import 'dart:convert';
import 'dart:typed_data';
import 'package:crypto/crypto.dart';

String decrypt(String data, String key) {
  final keyBytes = sha256.convert(utf8.encode(key)).bytes;
  final combined = base64.decode(data);
  final iv = IV(Uint8List.fromList(combined.sublist(0, 16)));
  final ciphertext = Encrypted(Uint8List.fromList(combined.sublist(16)));
  
  final encrypter = Encrypter(AES(Key(Uint8List.fromList(keyBytes)), mode: AESMode.cbc));
  return encrypter.decrypt(ciphertext, iv: iv);
}
Important Implementation Notes
Critical Requirements for ActiveCode
  1. Device ID (mac) is MANDATORY: Must be included in every single URL when using ActiveCode subscriptions
  2. Consistency is Key: Use the same Device ID across all requests for a given device
  3. Application Lock: If you use the appname parameter, it must be included in ALL URLs consistently
  4. Streaming URLs: Don't forget to add authentication parameters to streaming URLs, not just API endpoints
  5. M3U Playlists: When generating or using M3U playlists, ensure the mac parameter is included
Common Mistakes to Avoid
  • Forgetting to add mac parameter to streaming URLs
  • Using different Device IDs for API calls and streaming URLs
  • Not including appname consistently across all URLs when it's configured
  • Hardcoding authentication parameters instead of dynamically adding them
  • Not URL-encoding the parameters when building URLs
Best Practices
  • Store the Device ID securely and persistently on the device
  • Create a central function to append authentication parameters to all URLs
  • Test your implementation with both API endpoints and streaming URLs
  • Monitor failed authentication attempts to detect potential security issues
  • Keep your Load Balancing Key secure and never expose it in client-side code