The Practical Guide to API Key Generator Automation (No Fluff)
If you’ve spent any time looking at LobeChat-based white-label platforms, you know the drill: they offer "free" credits to lure users, usually tied to a wallet signature. Most people see these as simple sign-up bonuses. A few of us see them as an automated API key farm. The Free-BAI project is a masterclass in reverse engineering these platforms, specifically targeting the BankOfAI implementation.
Here is how you actually build a scalable API key generator for these types of services.
The core of the operation isn't just hitting an endpoint; it’s bypassing the anti-sybil checks. BankOfAI requires a wallet to have on-chain activity on the Base L2 network before it grants the 500,000 credit bonus. If you try to register a fresh, empty wallet, the claimSignupBonus call fails every time. The solution is a "dust" funding strategy. By sending a trivial 10M wei (roughly $0.0000000001) to each new wallet, you satisfy the platform's balance check for pennies.
The registration pipeline is a six-step dance. You generate a random EVM wallet, fund it with dust, sign a SIWE-style message to authenticate, and then forge the AES-encrypted token required for the claim. The hardcoded AES key found in their frontend JS is the "skeleton key" here. Once you have that, you can automate the entire flow:
- Generate wallet.
- Execute dust transfer.
- Sign login message.
- Perform the next-auth callback.
- Sign claim message and forge token.
- Request API key creation.
Most guides get this wrong by trying to do this sequentially from a single IP. You’ll get rate-limited before you hit your tenth account. You need a robust proxy rotation strategy to handle the IP-based limits on the claim endpoint. The Free-BAI architecture uses a StickyProxyPool to ensure each claim request appears to come from a unique source.
The real efficiency, however, comes from the "Relay Mode." Instead of funding every single wallet from a central source, you fund a "seed" wallet with a small amount of ETH (around 0.00002 ETH). This seed wallet then performs a chain of hops, funding subsequent wallets just enough to cover their gas and dust requirements. This reduces your total gas expenditure to roughly $0.017 per generated key.
Why does this matter? Because it turns a manual, tedious process into a background daemon. By running an AutoFillWorker, you keep your pool of keys topped up without lifting a finger. If you’re wondering how to fix these vulnerabilities as a platform owner, the answer is simple: stop relying on client-side signatures and hardcoded AES keys for sensitive credit claims. Move your validation to a server-side oracle that checks for genuine, non-dust transaction history.
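As an added illustration of the server-side check recommended above (example code written for this page, not code from Free-BAI or BankOfAI), the gate below evaluates a wallet's transfer history that the server fetched itself and rejects dust-only, freshly funded wallets; the thresholds, addresses and transactions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative thresholds (assumptions, not values from the page or any platform).
DUST_THRESHOLD_WEI = 10**15        # 0.001 ETH; a 10M wei dust transfer is far below this
MIN_QUALIFYING_TXS = 3             # non-dust transfers the wallet must have
MIN_COUNTERPARTIES = 2             # distinct non-dust counterparties
MIN_AGE_SECONDS = 7 * 24 * 3600    # earliest non-dust activity must be at least a week old

@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    value_wei: int
    timestamp: int   # unix seconds, as recorded on chain

def non_dust_txs(wallet: str, txs: List[Tx]) -> List[Tx]:
    """Transfers touching `wallet` whose value is above the dust threshold."""
    wallet = wallet.lower()
    return [t for t in txs
            if wallet in (t.sender.lower(), t.recipient.lower())
            and t.value_wei >= DUST_THRESHOLD_WEI]

def has_genuine_history(wallet: str, txs: List[Tx], now: int) -> Tuple[bool, str]:
    """Server-side gate for the signup bonus. It only looks at chain data the
    server retrieved; nothing the client signed or submitted influences it."""
    real = non_dust_txs(wallet, txs)
    if len(real) < MIN_QUALIFYING_TXS:
        return False, f"only {len(real)} non-dust transfers"
    wallet = wallet.lower()
    others = {t.recipient.lower() if t.sender.lower() == wallet else t.sender.lower()
              for t in real}
    if len(others) < MIN_COUNTERPARTIES:
        return False, "too few distinct counterparties"
    if now - min(t.timestamp for t in real) < MIN_AGE_SECONDS:
        return False, "non-dust activity too recent"
    return True, "ok"

# Constructed sample data (hypothetical addresses, not real chain records).
NOW = 1_700_000_000
FRESH = "0xfresh000000000000000000000000000000000001"
DUST_FARM = [Tx("0xseed", FRESH, 10_000_000, NOW - 30)]   # the dust-funding pattern
ESTABLISHED = "0xuser0000000000000000000000000000000000002"
REAL_USE = [
    Tx("0xexchange", ESTABLISHED, 5 * 10**16, NOW - 40 * 86400),
    Tx(ESTABLISHED, "0xdex", 2 * 10**16, NOW - 20 * 86400),
    Tx(ESTABLISHED, "0xfriend", 10**16, NOW - 9 * 86400),
    Tx("0xseed", ESTABLISHED, 10_000_000, NOW - 30),  # dust is simply ignored
]
```

Running the gate on the two constructed wallets rejects the dust-funded one and accepts the one with weeks of real transfers; the thresholds are a starting point a platform would tune against its own traffic.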
If you’re building or auditing these systems, look closely at how the trpc calls are authenticated. If the frontend holds the keys to the kingdom, it’s only a matter of time before someone automates the entire lifecycle. Try this analysis on a local testnet today and share what you find in the comments.