AntiBot SDK v3

Self-hosted bot detection for PHP applications. Protect any page on your own server with Eximus antibot technology.

Overview

The AntiBot SDK v3 is a downloadable PHP package that adds self-hosted bot detection to any PHP application. It collects browser fingerprints, sends them to the Eximus detection API, and takes action based on the result — all with as little as two lines of code.

Quick Start

Get up and running in three steps:

1. Configure: Set your license key in config.php.
2. Include: Add require_once and eximus_protect() at the top of any page you want to protect.
3. Done: Bots get a 403 response. Humans pass through and see your page normally.

    // config.php
    define('EXIMUS_LICENSE_KEY', 'your-license-key-here');

    // your-page.php
    require_once '/path/to/antibot.php';
    eximus_protect();
    // Your protected content below...

Installation

Extract eximus_antibot_v3.0.zip to your server. The package contains:

| File | Description |
| --- | --- |
| antibot.php | Main detection engine — include this in your pages |
| config.php | Configuration constants — set your license key and options here |
| stats.php | Visitor statistics dashboard — open in a browser to view logs |
| README.html | Bundled documentation and quick-start guide |
| logs/ | Empty directory for visitor JSON logs (must be writable) |

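Set write permissions on the logs/ directory so the SDK can store visitor data:

    chmod 755 logs/

Mode 755 grants write access to the directory's owner only, so logs/ must be owned by the user the web server runs as.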

Configuration Reference

Edit config.php to customize SDK behavior. All options are PHP constants defined with define().

| Constant | Type | Default | Description |
| --- | --- | --- | --- |
| EXIMUS_LICENSE_KEY | string | 'your-license-key-here' | Your Eximus license key (required). Found in Dashboard → Profile. |
| EXIMUS_API_URL | string | 'https://rpc.eximus.io/v3/' | API endpoint base URL. Do not change unless instructed. |
| EXIMUS_LOG_ENABLED | bool | true | Enable or disable local visitor logging. |
| EXIMUS_LOG_FILE | string | __DIR__ . '/logs/visitors.json' | Path to the visitor log file used by stats.php. |
| EXIMUS_TIMEOUT | int | 10 | API request timeout in seconds. |
| EXIMUS_FAIL_OPEN | bool | true | If true, visitors are allowed through when the API is unreachable. If false, they are blocked. |
| EXIMUS_BOT_ACTION | string | '403' | Default action for bots. Options: "403", "redirect", "exit". |
| EXIMUS_BOT_REDIRECT_URL | string | 'https://google.com' | URL to redirect bots to when EXIMUS_BOT_ACTION is set to "redirect". |

    <?php
    // Eximus AntiBot SDK v3 Configuration
    define('EXIMUS_LICENSE_KEY', 'your-license-key-here');
    define('EXIMUS_API_URL', 'https://rpc.eximus.io/v3/');
    define('EXIMUS_LOG_ENABLED', true);
    define('EXIMUS_LOG_FILE', __DIR__ . '/logs/visitors.json');
    define('EXIMUS_TIMEOUT', 10);
    define('EXIMUS_FAIL_OPEN', true);
    define('EXIMUS_BOT_ACTION', '403');
    define('EXIMUS_BOT_REDIRECT_URL', 'https://google.com');
    ?>

Usage Guide

Basic Protection (One-Liner)

The simplest way to protect a page. Bots receive a 403 response; humans see the page normally.

    require_once 'antibot.php';
    eximus_protect();

Redirect Bots

Send detected bots to a different URL instead of showing a 403 page.

    eximus_protect([
        'bot_action'   => 'redirect',
        'bot_redirect' => 'https://google.com',
    ]);

Silent Exit

Terminate the script silently for bots with no output.

    eximus_protect(['bot_action' => 'exit']);

Custom Callbacks

Use on_bot and on_human callbacks for full control over the response.

    eximus_protect([
        'on_bot' => function($result) {
            header('Location: https://example.com/blocked');
            exit;
        },
        'on_human' => function($result) {
            error_log("Human from {$result['country']}, score: {$result['score']}");
        },
    ]);

Manual Detection (Advanced)

Use eximus_detect() for full control over the detection flow and result handling.

    require_once 'antibot.php';

    $result = eximus_detect();
    if ($result === null) exit; // First visit - verification in progress

    if ($result['is_human']) {
        echo "Welcome! Score: {$result['score']}/{$result['threshold']}";
    } else {
        http_response_code(403);
        die("Blocked: {$result['reason']}");
    }

Protecting Downloads

Verify visitors are human before serving a file download.

    require_once 'antibot.php';

    $result = eximus_detect();
    if ($result === null) exit;

    if (!$result['is_human']) {
        http_response_code(403);
        die('Access denied.');
    }

    // Human verified — serve the file
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="download.zip"');
    readfile('/path/to/secret-file.zip');

API Response Reference

Both eximus_detect() and the on_human/on_bot callbacks receive a result array with the following fields:

| Field | Type | Description |
| --- | --- | --- |
| is_human | bool | true if the visitor passed detection, false otherwise. |
| status | string | Detection result. One of: "human", "bot", "blocked", "error". |
| reason | string | Reason for the result. See status values below. |
| score | int | Bot score from 0 (definitely bot) to 100 (definitely human). |
| threshold | int | Score threshold used for the human/bot decision (configurable via Antibot Control). |
| ip | string | Visitor's IP address. |
| country | string | ISO 3166-1 alpha-2 country code (e.g., "US"). |
| country_name | string | Full country name (e.g., "United States"). |
| city | string | City name. |
| isp | string | Internet Service Provider name. |
| org | string | Organization name associated with the IP. |
| asn | int | Autonomous System Number of the visitor's network. |
| timezone | string | Visitor's timezone (e.g., "America/New_York"). |

Status Values

| Status | Reason | Description |
| --- | --- | --- |
| human | passed | Visitor passed all detection checks. |
| bot | bot_detected | Fingerprint analysis detected a bot. |
| blocked | blocked_ip | IP is on the blocked list (configured in Antibot Control). |
| blocked | blocked_country | Country is blocked (configured in Antibot Control). |
| blocked | blocked_asn | ASN is on the blocked list (configured in Antibot Control). |
| error | api_unreachable | API could not be reached. Behavior depends on EXIMUS_FAIL_OPEN setting. |
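
Added example (not part of the SDK or its documentation): one way to turn the documented result fields into a per-route decision, so that an API outage is let through on public pages but denied on sensitive ones such as downloads. decide_access() and the sample arrays are hypothetical, and it is an assumption that eximus_detect() returns a result with status "error" during an outage rather than null.

```php
<?php
// Added example, not SDK code. decide_access() is a hypothetical helper that
// relies only on the result fields documented in the tables above.

/**
 * Map a detection result to an HTTP status code for one route.
 *
 * $failClosed = true denies "error" results (API unreachable) on this route,
 * whatever is_human says; false lets them through, as fail-open would.
 */
function decide_access(array $result, bool $failClosed): int
{
    $status = $result['status'] ?? 'error'; // a missing status is treated as an error

    switch ($status) {
        case 'human':
            // Require the boolean as well, so a malformed result cannot pass
            // on the status string alone.
            return ($result['is_human'] ?? false) === true ? 200 : 403;
        case 'error':
            return $failClosed ? 503 : 200;
        case 'bot':
        case 'blocked':
        default:
            return 403; // unknown status values are denied, never allowed
    }
}

// Constructed sample results (not real API output). The "outage" entry assumes
// is_human may be true when the SDK fails open.
$samples = [
    'human'   => ['is_human' => true,  'status' => 'human',   'reason' => 'passed'],
    'bot'     => ['is_human' => false, 'status' => 'bot',     'reason' => 'bot_detected'],
    'blocked' => ['is_human' => false, 'status' => 'blocked', 'reason' => 'blocked_asn'],
    'outage'  => ['is_human' => true,  'status' => 'error',   'reason' => 'api_unreachable'],
];

foreach ($samples as $name => $r) {
    printf("%-8s public=%d download=%d\n", $name,
        decide_access($r, false), decide_access($r, true));
}
```

On a download route, call decide_access($result, true) after the null check and pass the returned code to http_response_code() before serving or refusing the file.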

Visitor Dashboard

Access the built-in analytics dashboard at yoursite.com/path-to-sdk/stats.php.

The dashboard displays six summary stats:

- Total Visitors: Total number of visitors processed by the SDK.
- Humans: Visitors that passed bot detection.
- Bots: Visitors detected as bots or blocked.
- Bot Rate: Percentage of total visitors classified as bots.
- Unique IPs: Distinct IP addresses observed.
- Avg Score: Average bot score across all visitors.

Additional dashboard features:

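Restrict access to stats.php in production. Use .htaccess authentication or server-level access controls to prevent unauthorized viewing of your visitor data. With the default EXIMUS_LOG_FILE, the visitor log in logs/ sits under the same SDK path, so apply the same restriction to that directory.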

How It Works

When a visitor hits a protected page, the SDK briefly shows a verification screen while it collects browser fingerprint data. The fingerprint is securely sent to the Eximus API, which returns a verdict (human or bot). Based on your configuration, the SDK then either lets the visitor through or blocks them.

The entire process takes less than a second for real visitors. Bots and automated tools are detected and handled according to your EXIMUS_BOT_ACTION setting.

Requirements

Your license key is found in Dashboard → Profile. It is automatically linked to your active subscription.

Troubleshooting

| Issue | Solution |
| --- | --- |
| Blank page after including antibot.php | Ensure you call eximus_protect() or eximus_detect() after the require. If using eximus_detect(), add exit when it returns null (this is normal on the first page load). |
| All visitors blocked / 403 | Check that your license key is valid and your subscription is active. Verify EXIMUS_FAIL_OPEN is set to true if the API may be temporarily unreachable. |
| Stats dashboard shows no data | Confirm EXIMUS_LOG_ENABLED is true and the logs/ directory is writable by the web server (chmod 755 logs/). |
| cURL errors | Ensure the PHP cURL extension is installed and enabled. Check that your server can reach rpc.eximus.io on port 443. |
| Infinite loading / spinner never finishes | JavaScript must be enabled in the visitor's browser for the SDK verification to work. |
| API returns "error" status | The API may be temporarily unavailable. When EXIMUS_FAIL_OPEN is true, visitors are allowed through during outages. Set it to false to block on errors instead. |
| License key not accepted | Make sure you are on a paid plan (Standard, Business, or Enterprise). Trial accounts cannot use the SDK. Copy your key from Dashboard → Profile. |