Custom Obfuscation Use

Bring your own Lua obfuscator. Instead of (or alongside) the built-in engines, Kryptic Vault can hand your script to an HTTP API you control, then ship whatever Lua that API returns. Define the obfuscator once in Settings, then pick it for the Main script, the Init (2nd) script, or both. You're using your own infrastructure, so there's only a small 0.25 Panda Token storage fee per custom obfuscation.

How it works

A custom obfuscator is an HTTP callback. When you upload or edit a Kryptic Vault script and choose your custom obfuscator, the vault sends a single POST request to your API URL with the Lua source in the JSON body, then uses the Lua your endpoint returns as the obfuscated script body. Nothing else changes — the loader, telemetry, validation library and Panda Token economy all behave exactly as they do with the built-in engines.

0.25 Panda Token storage fee

You're calling your own endpoint, so Panda doesn't charge an obfuscation fee — just a flat 0.25 Panda Token storage fee per custom obfuscation (the Main script, and the Init script if it also uses a custom obfuscator). That is far below Luraph (1) or wYnFuscator (0.5). You're only charged on a successful upload; if your endpoint errors, nothing is charged.

Step 1 — Add an obfuscator in Settings

Go to Settings → Integrations → Custom Obfuscators and click Add Custom Obfuscator. Each entry has three fields:

Name (string, required)

A label you choose (1–80 characters). Shown in the obfuscator dropdown when you upload or edit a script. Purely organizational.

API URL (string, https; required)

The endpoint Kryptic POSTs your script to. Must be https://. Internal, private and cloud-metadata hosts are rejected (see Security below).

Parameters (JSON object, optional)

Optional JSON object merged into the request body on every call — the natural place for your own API token, preset name, or any flags your obfuscator expects. Stored encrypted-at-rest and never echoed back to the dashboard; leave the field blank when editing to keep the stored values.

You can save up to 10 obfuscators. Once saved, the obfuscator is reusable across all your scripts — update its URL or parameters here and the change applies the next time a script that references it is (re)obfuscated.

Step 2 — Pick it when uploading or editing

In the Kryptic Vault Upload form (or the Edit modal), the Main-script obfuscator selector now includes a Custom (BYO) card, and the Init (2nd) script selector includes a Custom option. Choose it and a dropdown of your saved obfuscators appears — select the one to use. If you haven't saved any yet, the form links you back to Settings.

The Main and Init scripts are independent: you can obfuscate the Main script with Luraph and the Init script with your custom callback, or any other combination.

The callback contract

Your endpoint receives a JSON POST. The body is your saved Parameters object with two fields added by Kryptic:

script (string, required)

The full Lua source to obfuscate.

source (string, required)

Identical to script — provided as an alias so endpoints that expect either field name work unchanged.

...your params (any, optional)

Every key from your saved Parameters object (e.g. apiKey, preset).

Example request body Kryptic sends:

{
  "script": "print('hello from my script')",
  "source": "print('hello from my script')",
  "apiKey": "your-saved-token",
  "preset": "max"
}

Your endpoint must respond with the obfuscated Lua. Two response shapes are accepted:

  • Raw Lua — return the obfuscated script as the plain response body (any content type).
  • JSON — return an object with the Lua in any one of these keys: obfuscated, result, code, output, or source.

The output must actually change the script

Kryptic rejects an empty response or output that is byte-for-byte identical to the input (a no-op / echo). If your obfuscator can't process the script it should return a non-200 status — the upload then records the script as ERROR rather than shipping unprotected code.

Constraints

  • HTTPS only — plain http:// URLs are rejected.
  • No redirects — a 3xx response is treated as a failure (it can't be followed to an internal host).
  • Port 443 only — the standard HTTPS port.
  • Timeout — your endpoint must respond within ~30 seconds.
  • Response size — the returned Lua is capped at ~5 MB.
  • Non-empty, changed output — see the note above.
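
To pre-flight your endpoint against the response rules above, a checker like the following can be run in your own tests. It is an added example, not Kryptic's code: the function names, the order in which JSON keys are tried, the exact byte limit, the strict `200` check and the rejection of JSON objects without a Lua key are all assumptions.

```javascript
// Added illustration of the documented acceptance rules; not Kryptic's code.
const LUA_KEYS = ["obfuscated", "result", "code", "output", "source"]; // order tried: assumption
const MAX_BYTES = 5 * 1024 * 1024; // the page says "~5 MB"; exact limit is an assumption

// Returns the Lua carried by the body, or null for a JSON object with no Lua key.
function extractLua(bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    return bodyText; // not JSON: the body itself is raw Lua
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return bodyText; // valid JSON scalar/array: still treated as raw Lua
  }
  const key = LUA_KEYS.find((k) => typeof parsed[k] === "string");
  return key ? parsed[key] : null;
}

// status: HTTP status your endpoint returned; bodyText: its response body;
// inputLua: the `script` value that was sent in the request.
function checkCallbackResponse(status, bodyText, inputLua) {
  // Redirects (3xx) and errors are failures; this checker insists on 200.
  if (status !== 200) return { ok: false, reason: `status ${status}` };
  const lua = extractLua(bodyText);
  if (lua === null) return { ok: false, reason: "JSON object without a Lua key" };
  if (Buffer.byteLength(lua, "utf8") > MAX_BYTES) return { ok: false, reason: "too large" };
  if (lua.trim() === "") return { ok: false, reason: "empty output" };
  // An endpoint that echoes the request's `source` field back lands here.
  if (lua === inputLua) return { ok: false, reason: "output identical to input" };
  return { ok: true, lua };
}
```

The echo case is the one to watch: a handler that returns its parsed request body unchanged produces a JSON object whose `source` key equals the input, which is a no-op.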

Example endpoint

A minimal obfuscator that prepends a marker comment. Replace the body with your real transformation; the request/response shape is all that matters.

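import crypto from "node:crypto";
import express from "express";

// Fail closed: with MY_SECRET unset, a request that omits apiKey would
// otherwise pass an `undefined !== undefined` comparison.
const SECRET = process.env.MY_SECRET;
if (!SECRET) throw new Error("MY_SECRET is not set");

const app = express();
app.use(express.json({ limit: "40mb" }));

// Constant-time comparison; hashing both sides gives equal-length buffers.
const sha256 = (s) => crypto.createHash("sha256").update(s).digest();
const keyMatches = (key) =>
  typeof key === "string" && crypto.timingSafeEqual(sha256(key), sha256(SECRET));

app.post("/obfuscate", (req, res) => {
  const body = req.body ?? {};

  // Authenticate using a value from your saved Parameters object.
  if (!keyMatches(body.apiKey)) {
    return res.status(401).json({ error: "bad key" });
  }

  const source = body.script || body.source || "";
  if (typeof source !== "string" || !source) {
    return res.status(400).json({ error: "no script" });
  }

  // ...run your real obfuscation here...
  const obfuscated = "-- obfuscated by my-obfuscator\n" + source;

  res.json({ obfuscated });
});

app.listen(8080);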

Security

Because the URL is user-supplied, Kryptic makes the outbound request through a hardened client that defends against SSRF (server-side request forgery):

  • The hostname is resolved and every resolved IP is checked — private, loopback, link-local and cloud-metadata ranges (e.g. 127.0.0.0/8, 10.0.0.0/8, 169.254.169.254) are blocked.
  • The validated IP is pinned for the connection, so a DNS record that flips to an internal address after the check can't be exploited (no DNS-rebind / TOCTOU window).
  • Redirects are not followed; only HTTPS on port 443 is allowed.
  • Your API URL and Parameters are never logged — only the request host and response length are recorded.
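
The resolve, check-every-IP and pin sequence described above can be sketched as follows. This is an added example, not Kryptic's client: the function names and the IPv4/IPv6 deny list are assumptions, and the caller supplies the resolver's answer list so the logic can be exercised offline.

```javascript
// Added illustration, not Kryptic's code. Deny list: common non-public IPv4 ranges.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad string -> unsigned integer, or null if it is not IPv4.
function v4ToInt(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

// Expects addresses in the canonical text form a resolver returns.
function isBlockedAddress(ip) {
  const addr = ip.toLowerCase();
  const mapped = addr.startsWith("::ffff:"); // IPv4-mapped IPv6
  const n = v4ToInt(mapped ? addr.slice(7) : addr);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  if (mapped || !addr.includes(":")) return true; // unparseable: fail closed
  // IPv6 unspecified, loopback, unique-local fc00::/7, link-local fe80::/10.
  return addr === "::" || addr === "::1" ||
    /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// `resolved` is the complete answer list for the URL's hostname, shaped like
// the result of dns.promises.lookup(host, { all: true }).
// Returns the one IP the HTTPS client must connect to, or throws.
function pinValidatedAddress(urlString, resolved) {
  const url = new URL(urlString);
  if (url.protocol !== "https:") throw new Error("https only");
  if (url.port !== "") throw new Error("port 443 only"); // URL drops the default port
  if (resolved.length === 0) throw new Error("hostname did not resolve");
  // Check every answer, not just the first: one internal record rejects the host.
  const bad = resolved.find((r) => isBlockedAddress(r.address));
  if (bad) throw new Error(`blocked address ${bad.address}`);
  return { host: url.hostname, ip: resolved[0].address };
}
```

The connection is then made to `ip` while `host` is kept for TLS verification and the Host header, so no second DNS lookup happens between the check and the request.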

Keep your endpoint authenticated

Anyone who learns your URL could POST scripts to it. Put a secret in your saved Parameters (e.g. apiKey) and check it on every request, as in the examples above.

That's it

Save the obfuscator once, pick it on upload/edit, and Kryptic routes your Main and/or Init scripts through your own pipeline — for just a 0.25 Panda Token storage fee, with the full loader, telemetry and validation stack unchanged.