Is there a Bearer-token API?

Not yet. Current API is session-cookie + CSRF based, identical to the web flow. An agent signs up via /auth-api.php, persists the PHPSESSID cookie + CSRF token, and uses them on all subsequent calls. A Bearer-token endpoint is on the roadmap.

Can an agent really buy a server with zero human intervention?

Yes for VPS (instant after balance debit). For domains, DOMAIN_AUTO_REGISTER is currently off — the order is captured in 1 API call but registration is human-finalized within 24h.

How does an agent pay?

Crypto top-up to balance. POST /topup-api.php creates a deposit address; the agent sends the exact crypto amount on-chain; on confirmation the balance auto-credits (with bonus from $100). All subsequent purchases debit balance — no per-purchase blockchain wait.

Will my agent be rate-limited?

The public /domain-check-api.php endpoint is Redis-cached 1h per (sld,tld); within-cache calls are essentially free. Authenticated endpoints have no documented rate limit yet — operate respectfully.

Agentes IA en NoKycVPS · Claude, GPT, MCP

§1

TL;DR — one curl gets you started

Public read endpoints return JSON without authentication. The check below is safe to call from any agent context with no setup — it lists 12 popular TLDs with availability and our prices for whatever name you pass.

GET live availability across 12 TLDs · no auth, Redis-cached 1h

curl -s 'https://nokycvps.com/domain-check-api.php?q=mybrand' \
  -H 'Accept: application/json' | jq .

From there: authenticate, fund a balance, then deploy a server or register a domain — all from your agent.

§2

What's purchasable

product

VPS · KVM

3 plans: s1 (2vCPU/4GB), s2 (4vCPU/16GB), s3 (8vCPU/32GB)
4 regions: par rek zrh otp
10+ OS images: debian-12/13, ubuntu-22/24, rocky-9, alma-9, alpine-3.19, arch, freebsd-14, fedora-41
Billing: 1, 3, 6, 12 months (cycle discounts apply)
From $5/mo

product

Dedicated · bare-metal

3 plans: r1 (Ryzen 9), r2 (EPYC 9354), r3 (EPYC 9654)
4 regions: par rek zrh otp
NVMe Gen5 RAID, ECC DDR5, 10 Gbps unmetered
From $85/mo

product

Domain · 26 TLDs

Tier 1: .com .net .org .io .me .co .xyz .app .dev .ai .fr .de
Tier 2: .is .li .ch .pw .nl .uk .info .biz .tech .pro .site .online .cc .tv
Free WHOIS privacy, custom NS or default ns1/ns2.nokycvps.com
Same price at renewal — no promo-year bait
From $7.99/yr

The canonical price/spec matrix lives in /includes/catalogue.php and /includes/domains_data.php on the server. For machine access, use the endpoint reference in §6.

§3

Authentication

Current implementation: session-cookie + CSRF. Identical to the web flow. An agent persists the PHPSESSID cookie and a _token CSRF value across the lifetime of its session.

step	request	persists
1. fetch CSRF	`GET /csrf.php`	cookie `PHPSESSID`, body `{"csrf": "<hex>"}`
2. sign up	`POST /auth-api.php` with `action=signup&email=...&password=...&password_confirm=...&_token=<csrf>`	same cookie, redirects to `/account`
3. sign in (alt)	`POST /auth-api.php` with `action=login&email=...&password=...&_token=<csrf>`	same cookie
4. probe state	`GET /me.php`	`{ok, logged_in, email, balance, id}`
5. sign out	`POST /auth-api.php` with `action=logout&_token=<csrf>`	cookie invalidated

Roadmap: a Bearer-token endpoint (POST /api/v1/account) returning { account_token: "AAAA-BBBB-CCCC-DDDD" } is planned. The current session-based API works today without it. When Bearer lands, all session endpoints will also accept Authorization: Bearer <token> as an alternative auth.

curl end-to-end signup · reuses a cookie jar + grabs CSRF

JAR=/tmp/nkv.jar
# 1. get a session + CSRF
CSRF=$(curl -sc $JAR https://nokycvps.com/csrf.php | jq -r .csrf)

# 2. create the account (no email verification)
curl -sb $JAR -c $JAR https://nokycvps.com/auth-api.php \
  -d "action=signup" \
  -d "email=a$(date +%s)@nokycvps.com" \
  -d "password=Sup3rH4rdP4ssword!" \
  -d "password_confirm=Sup3rH4rdP4ssword!" \
  -d "_token=$CSRF" | jq .

# 3. confirm we're logged in
curl -sb $JAR https://nokycvps.com/me.php | jq .

§4

Buy flow — VPS or dedicated

Top up balance. POST /topup-api.php with action=create&amount=100&coin=XMR&_token=<csrf> → returns order_ref.
Open the invoice. GET /pay/<order_ref> returns HTML with the deposit address, exact amount, optional memo. For programmatic flow, the same data is on GET /topup-status.php?ref=<order_ref>.
Send crypto. Exactly the deposit_amount to deposit_address on the matching network. Bonus from $100 (+30%) up to $1000 (+70%). The bonus is auto-credited on confirmation.
Wait for confirmation. Poll GET /topup-status.php?ref=<order_ref> until status=confirmed. The simsms hub pushes the webhook to /network-api/payment_status.php — usually 1–3 confirmations on the source chain.
Deploy a server. POST /deploy-api.php with product=vps|dedi&plan=s1|s2|s3|r1|r2|r3&region=par|rek|zrh|otp&os=debian-12&billing=1&root_password=<12+chars>&_token=<csrf>. Balance is debited atomically. Response includes server_id and the new balance.

curl deploy a VPS once balance is sufficient

curl -sb $JAR -c $JAR https://nokycvps.com/deploy-api.php \
  -d "product=vps" \
  -d "plan=s2" \
  -d "region=par" \
  -d "os=debian-13" \
  -d "billing=3" \
  -d "root_password=$(openssl rand -base64 18 | tr -d '/+=')" \
  -d "_token=$CSRF" | jq .

# Insufficient balance? Response includes the deficit:
# { ok:false, error:"insufficient_balance", have:X, need:Y, deficit:Y-X, topup:"/topup" }

§5

Buy flow — domain

Check availability. GET /domain-check-api.php?q=<sld>. Public, no auth. Returns { results: [{ tld, available, premium, price_usd, market_usd, discount_pct, badge, featured }] }. Pass q=name.fr to surface .fr first.
Authenticate (see §3) and ensure balance ≥ price.
Create the order. POST /domain-order?domain=<sld>.<tld> with years=1&privacy=1&_token=<csrf>&_submitted=1. Returns 302 redirect to /domain-pay?id=<order_id>.
Pay from balance. POST /domain-pay-api.php with action=pay_balance&order_id=<n>&_token=<csrf>. Balance debits atomically. Order moves to paid.
Registration finalization. Currently human-finalized within 24h (DOMAIN_AUTO_REGISTER=false). Order transitions paid → active when registry confirms.

curl end-to-end domain purchase · assumes session + funded balance

# 1. probe availability
curl -s 'https://nokycvps.com/domain-check-api.php?q=mybrand' | jq '.results[]
  | select(.available==true)
  | {domain, price_usd, discount_pct}'

# 2. create the order (returns 302 → /domain-pay?id=N)
curl -sb $JAR -c $JAR -i -X POST \
  'https://nokycvps.com/domain-order?domain=mybrand.com' \
  -d "years=1&privacy=1&_submitted=1&_token=$CSRF" | grep -i location

# 3. pay it
curl -sb $JAR -c $JAR https://nokycvps.com/domain-pay-api.php \
  -d "action=pay_balance&order_id=42&_token=$CSRF" -i

§6

Endpoint reference

method	path	auth	note
GET	`/domain-check-api.php?q=<sld>&tier=1\|2\|all`	none	Availability + retail price across TLDs. Redis-cached 1h.
GET	`/csrf.php`	none	Issue session cookie + CSRF token. Required before any POST.
POST	`/auth-api.php`	cookie	`action=signup\|login\|logout`. Body params: email, password, password_confirm, _token.
GET	`/me.php`	cookie	Probe auth state. Returns email + balance.
POST	`/topup-api.php`	cookie	`action=create\|cancel`. Returns `order_ref` for the deposit invoice.
GET	`/topup-status.php?ref=<order_ref>`	cookie	Poll invoice status. Webhook-driven server-side, no rate-limit concern.
GET	`/pay/<order_ref>`	cookie	HTML invoice page with deposit data. Use `/topup-status` for JSON.
POST	`/deploy-api.php`	cookie	Create a server. Atomic balance debit. Returns `server_id` + new balance.
GET	`/domain-order?domain=<d>`	cookie	Configure a domain order (HTML preview + form). Same URL handles POST below.
POST	`/domain-order?domain=<d>`	cookie	Create the order row. 302 redirect to `/domain-pay?id=<n>`.
POST	`/domain-pay-api.php`	cookie	`action=pay_balance&order_id=<n>`. Atomic debit + status → paid.
POST	`/account-api.php`	cookie	`action=change_password`. Body: current_password, new_password.

All authenticated endpoints accept the same CSRF mechanism: include _token as POST body, or X-CSRF-Token as header. The token is fetched once via /csrf.php and persists for the session lifetime.

§7

Deep links & pre-fills

If a human is briefly in the loop (approval, confirmation), surface these URLs — they pre-fill the web flow with the agent's prior decision. No re-entry needed.

`GET /domains?q=mybrand`	Lands on the search page with the SLD probed.
`GET /domain-order?domain=mybrand.com&years=2&privacy=1`	Pre-configures the domain order; only the final click is human.
`GET /order/vps/s2?region=zrh`	VPS configuration page pre-filled with plan + region.
`GET /order/dedi/r2?region=otp`	Same, dedicated.
`GET /topup?need=50`	Top-up page with the amount pre-set to the deficit.
`GET /account?tab=topup`	Direct entry into the top-up dashboard view.
`GET /account?tab=domains`	List of the user's domains, with pending-payment actions inline.

§8

Operating constraints

CSRF on every POST. Fetch /csrf.php once per session; include the value as _token in body or X-CSRF-Token header.
Session cookies must persist. Use a cookie jar (curl -b/-c, Python requests.Session(), etc.). Without persistence, every call is a fresh anonymous session.
Idempotency. Balance credits are idempotent via credit_applied=1. Re-deploying with the same parameters creates a new server — there is no de-dup on deploy keys yet. Use your own client-side dedup if needed.
Webhook timing. Topup confirmation is push-based from the simsms hub. Median ~3 min for BTC (1 conf), ~30 s for XMR. Poll /topup-status.php with a 5–10s interval.
Top-up bounds (server-enforced): minimum $30, maximum $10,000 per invoice. Values outside this range return ok:false with error:'amount_too_low' or 'amount_too_high' — do NOT rely on client-side validation. Bonus tier starts at $100 (+30%) and caps at +70% beyond $1000.
Server root passwords must be 12–64 chars. Stored AES-256-CBC encrypted at rest, decryptable only by the provisioner.
DOMAIN_AUTO_REGISTER is currently off. Paid domain orders move to paid; operator finalizes registration within 24h.
i18n prefix. URLs accept an optional language prefix (/fr/account, /de/domains). For agents, the bare path is canonical.

§9

Policy boundaries

An agent driving this API binds the same user to the same operating rules a human would. Read these once and encode the constraints in your agent's reasoning:

/terms-of-service — what we will and won't act on (judicial orders only, with notice).
/acceptable-use — what you can run (the policy is "if it's legal somewhere"). One hard line: no CSAM.
/privacy-notice — what we collect (an email, a password hash, your balance, your server config), what we don't (names, addresses, fingerprints, analytics).
/abuse-policy — network-level abuse only (spam, scanning, amplification). Not content-based suspension.

Agents are welcome. We don't differentiate between an account opened by a human and one opened by an autonomous client. The rules of the road are the same.

§10

Machine-readable resources

spec

openapi.json

OpenAPI 3.1 schema. Drop into a code generator for typed clients.

/openapi.json primer

llms.txt

Short text primer following the llms.txt convention. Pre-prompt your model with it.

/llms.txt discovery

agent.json

Well-known discovery document. Links to spec, primer, contact, and capabilities.

/.well-known/agent.json

MCP server: planned. The current REST surface above covers the same actions. Once the MCP endpoint ships, it will be advertised at /.well-known/agent.json#mcp and via the x-mcp-server extension in openapi.json.

Buy infrastructure without a human.

TL;DR — one curl gets you started

What's purchasable

VPS · KVM

Dedicated · bare-metal

Domain · 26 TLDs

Authentication

Buy flow — VPS or dedicated

Buy flow — domain

Endpoint reference

Deep links & pre-fills

Operating constraints

Policy boundaries

Machine-readable resources

openapi.json

llms.txt

agent.json

Iniciar sesión

Crear cuenta