Login
Reseller API · v1

Reseller API

Buy accounts, activate them and download loaders straight from your own code. Every purchase is charged to your wallet at your wholesale reseller price — up to 20% below shop prices.

Selling on SellAuth? Wire up fully-automatic delivery with no code — see the reseller setup guide.

Overview

The reseller API lets you check stock, buy accounts, activate them and handle warranty swaps from your own scripts. Responses are JSON, shaped as { "status": "success" | "error", ... }.

How it works

  1. 1

    Become a reseller (a €25 deposit unlocks it), then create an API key in your reseller dashboard.

  2. 2

    Top up your wallet — every purchase draws from your balance.

  3. 3

    Call /buy to get activation key(s) — up to 15 at once; anything out of stock is refunded.

  4. 4

    Call /activate on a key to claim the account and download its loader.

Base URL
https://nfas.win/api/v1

Rate limits

Reads (balance, accounts, stock, key)120 / min
Buy, activate, replace30 / min

Exceeding a limit returns 429 with a Retry-After header.

Authentication

Every request carries your rsk_ API key. Send it any of three ways — pick whichever fits your client.

HeaderX-Api-Key: rsk_...
HeaderAuthorization: Bearer rsk_...
Query string?key=rsk_...
The API requires reseller access — unlock it with a €25 deposit. Create and revoke keys in your reseller dashboard; keys are shown once and stored hashed — if one leaks, revoke it and the old key stops working immediately.

Decoding the loader

/activate returns the loader as base64 in exe_base64 with its name in exe_filename. Decode it to a file and run it — it logs into the account for you, no password needed.

Node.js
const buf = Buffer.from(res.exe_base64, "base64");
require("fs").writeFileSync(res.exe_filename, buf);
Python
import base64
with open(res["exe_filename"], "wb") as f:
    f.write(base64.b64decode(res["exe_base64"]))

SellAuth automatic delivery

Selling on a SellAuth store? You don't need to write any code. Wire your store's dynamic delivery straight to us and every sale is fulfilled automatically, charged to your wallet at wholesale.

  1. 1

    In your reseller dashboard, generate your delivery URLs and paste each one into the matching SellAuth product's dynamic-delivery field. The URL carries your token and the account type, e.g. /api/sellauth/deliver?token=sdk_…&type=cs2_prime.

  2. 2

    Copy your SellAuth shop webhook secret (Storefront → Configure → Miscellaneous) into the dashboard. We verify it on every sale with X-Signature (HMAC-SHA256), so a leaked URL can never spend your wallet. Delivery stays off until this is set.

  3. 3

    On each sale we charge your wallet at the wholesale price and return one nfas.win/redeemlink per unit. Your customer opens it to activate the account and download the loader — activation is too slow (up to 2 minutes) to run inside SellAuth's webhook, so it happens there, one click later.

Retries are safe — SellAuth's idempotency keys mean a retried webhook never double-charges. Keep your wallet topped up; if it runs dry a sale returns a retryable error and surfaces in your dashboard. Full click-by-click setup is in the reseller guide.

Deliver in your own store

Running a custom store, or any platform where you control the backend? Skip the redeem link entirely — call the API from your own “order paid” handler and serve the loader to your customer in-store. Nothing points back to us.

Your store's order-paid handler
const API = "https://nfas.win/api/v1";
const KEY = process.env.NFAS_KEY; // your rsk_ reseller key

// 1) Buy the account — instant, charged to your wallet at wholesale.
const buy = await fetch(API + "/buy", {
  method: "POST",
  headers: { "X-Api-Key": KEY, "Content-Type": "application/json",
             "Idempotency-Key": orderId },
  body: JSON.stringify({ type: "cs2_prime", quantity: 1 }),
}).then(r => r.json());

// 2) Activate it — builds the loader. Allow up to ~2 minutes.
const act = await fetch(API + "/activate", {
  method: "POST",
  headers: { "X-Api-Key": KEY, "Content-Type": "application/json" },
  body: JSON.stringify({ activation_key: buy.keys[0] }),
}).then(r => r.json());

// 3) Decode act.exe_base64 to act.exe_filename and hand it to your
//    customer on your own page — done, fully white-label.
/activatecan take up to two minutes, so run this as a background job and show the customer a brief “preparing your account” step. Pass a unique Idempotency-Key on /buyso a retry never charges twice. On a platform we haven't documented? It almost certainly works the same way — reach out and we'll help.

Deliver from a Discord bot

Selling in Discord instead of SellAuth? Run a bot on your API key and deliver the account right in your server — it builds the loader and sends the .exe as an attachment. The deferred reply handles the ~2-minute build cleanly.

discord.js v14 — /redeem command
import { Client, GatewayIntentBits, AttachmentBuilder } from "discord.js";

const API = "https://nfas.win/api/v1";
const KEY = process.env.NFAS_KEY; // your rsk_ reseller key
const client = new Client({ intents: [GatewayIntentBits.Guilds] });

client.on("interactionCreate", async (i) => {
  if (!i.isChatInputCommand() || i.commandName !== "redeem") return;
  await i.deferReply({ ephemeral: true }); // building takes up to ~2 min

  const activation_key = i.options.getString("key", true);
  const res = await fetch(API + "/activate", {
    method: "POST",
    headers: { "X-Api-Key": KEY, "Content-Type": "application/json" },
    body: JSON.stringify({ activation_key }),
  }).then((r) => r.json());

  if (res.status !== "success") {
    return i.editReply("That key couldn't be redeemed — check it and retry.");
  }

  const loader = new AttachmentBuilder(
    Buffer.from(res.exe_base64, "base64"),
    { name: res.exe_filename ?? "loader.exe" },
  );
  await i.editReply({ content: "Your loader — run it to log in, no password.", files: [loader] });
});

client.login(process.env.DISCORD_TOKEN);
To sell on demand, call /buy first for a key, then /activatewith it. If a loader is ever larger than Discord's upload limit, send the customer their redeem link (https://nfas.win/redeem?k=…) instead of the file. Keep your rsk_key in the bot's environment, never in the client.

Your account

GET/api/v1/balance

Balance

Read the wallet balance (in euros) that funds your purchases. Top it up from your dashboard.

cURL
curl -H "X-Api-Key: rsk_your_key" "https://nfas.win/api/v1/balance"
Response
{
  "status": "success",
  "email": "[email protected]",
  "balance_eur": "42.50"
}

Catalog

GET/api/v1/accounts

Accounts

Every buyable account type with the price charged to your wallet. The `type` values here are what you pass to /buy.

cURL
curl -H "X-Api-Key: rsk_your_key" "https://nfas.win/api/v1/accounts"
Response
{
  "status": "success",
  "accounts": [
    { "type": "cs2_prime", "game": "CS2", "name": "Prime", "price_eur": "1.10" }
  ]
}
GET/api/v1/stock

Stock

Live stock counts per type, so you know exactly what is buyable before a large order. Reseller-only — the public site never shows counts.

cURL
curl -H "X-Api-Key: rsk_your_key" "https://nfas.win/api/v1/stock"
Response
{
  "status": "success",
  "stock": [
    { "type": "cs2_prime", "game": "CS2", "name": "Prime", "price_eur": "1.10", "in_stock": 2721 }
  ]
}

Buying & delivery

POST/api/v1/buy

Buy

Charge your wallet and get activation key(s). If only part of the order is in stock, you get what is available and the rest is refunded to your wallet automatically.

Parameters

type
Required
Account type id, e.g. cs2_prime. Get the full list from /accounts.
quantity
Required
How many to buy in one call (bulk). Between 1 and 15.
Send a unique Idempotency-Key header. If the request times out and you retry with the same key, you get the same order back instead of being charged twice.
cURL
curl -X POST "https://nfas.win/api/v1/buy" \
  -H "X-Api-Key: rsk_your_key" \
  -H "Idempotency-Key: order-8421" \
  -H "Content-Type: application/json" \
  -d '{"type":"cs2_prime","quantity":1}'
Response
{
  "status": "success",
  "order_id": "clx...",
  "keys": ["342219c5-0107-47ff-8f6d-7c2a6037f1a7"],
  "delivered": 1,
  "refunded_eur": "0.00"
}
POST/api/v1/activate

Activate

Activate a key: claims the account and builds the loader (.exe), returned base64. The loader logs in for you — there is no password.

Parameters

activation_key
Required
An activation key you received from /buy.
Activation compiles the loader live and can take up to 2 minutes — set your HTTP client timeout to at least 120s. Decode exe_base64 as shown in Decoding the loader.
cURL
curl -X POST "https://nfas.win/api/v1/activate" \
  -H "X-Api-Key: rsk_your_key" \
  -H "Content-Type: application/json" \
  -d '{"activation_key":"342219c5-0107-47ff-8f6d-7c2a6037f1a7"}'
Response
{
  "status": "success",
  "key_status": "ACTIVATED",
  "exe_filename": "loader.exe",
  "exe_base64": "TVqQAAMAAAAEAAAA...",
  "account": { "steamid64": "765...", "account_name": "..." }
}
GET/api/v1/key

Key status

Look up one of your keys. Works before and after activation; once activated, includes the account details.

Parameters

activation_key
Required
An activation key you received from /buy.
cURL
curl -H "X-Api-Key: rsk_your_key" \
  "https://nfas.win/api/v1/key?activation_key=342219c5-0107-47ff-8f6d-7c2a6037f1a7"
Response
{
  "status": "success",
  "type": "cs2_prime",
  "key_status": "UNACTIVATED",
  "created_at": "2026-06-27T19:00:00.000Z",
  "activated_at": null,
  "account": null
}
POST/api/v1/replace

Replace

Warranty: re-validate an account. Returns valid, replaced (with a fresh key issued to you), or invalid.

Parameters

activation_key
Required
An activation key you received from /buy.
Results
  • valid — the account still works, nothing changes.
  • replaced — a fresh key is issued in new_activation_key; activate it like any other.
  • invalid — contact support.
cURL
curl -X POST "https://nfas.win/api/v1/replace" \
  -H "X-Api-Key: rsk_your_key" \
  -H "Content-Type: application/json" \
  -d '{"activation_key":"342219c5-0107-47ff-8f6d-7c2a6037f1a7"}'
Response
{
  "status": "success",
  "result": "replaced",
  "new_activation_key": "9f1c..."
}