Pixel Anticheat requires:
• FiveM server (FXServer) — build 6683 or newer
• A valid anticheat license (obtainable from the dashboard after purchasing a plan)
• (Optional but strongly recommended) screenshot-basic resource — enables screenshot evidence & OCR detection

No external database resource is required. Pixel Anticheat manages its own internal data and does not depend on oxmysql or any other database bridge.

1. Purchase a plan and redeem your activation code from the dashboard → Redeem page.
2. Go to dashboard → Download and download the latest pxac release (.zip).
3. Extract the pxac folder into your server's resources/[scripts]/ directory.
4. (Optional) Place screenshot-basic into resources/[scripts]/ as well.
5. Open your server.cfg and add the following lines:

     ensure screenshot-basic   # optional but strongly recommended
     ensure pxac

6. Open pxac/data/config.lua and paste your license key:
     Config.license = "PXAC-XXXX-XXXX-XXXX"
7. Start or restart your server.

After the server boots, open the FXServer console and look for:

  [ PXAC ] License validated. Pixel Anticheat is active.

Common startup issues:
• "License invalid" — double-check the key in config.lua; ensure there are no extra spaces.
• "License expired" — renew your plan from the dashboard.
• "Cannot reach validation server" — the FXServer needs outbound HTTPS access.
• pxac crashes on start — verify you are on FXServer build 6683 or newer.

1. In Admin → Releases, upload the new .zip through the dashboard.
2. Navigate to dashboard → Download and download the new zip.
3. Stop your server.
4. Replace the old pxac folder with the new one (keep your config.lua, do not overwrite it).
5. Restart the server — no SQL imports needed.

All configuration lives in pxac/data/config.lua. You can also edit it live from the dashboard → Config page.

Key fields:
  Config.license          -- Your license key (required)
  Config.safe             -- Master on/off switch (true = anticheat active)
  Config.player_protection -- Enable all player-detection modules at once

Every detection module has an active flag. Set it to false to disable that module completely:

  Config.ocr                  = { active = true,  ... }
  Config.crasher_protection   = { active = true,  ... }
  Config.weapons.blacklisted  = { active = true,  ... }
  Config.bypass_resources     = { active = true,  ... }

Disabling a module at the top level is safer than commenting the entire block out — it preserves your settings.

Every offense in config.lua has a detection field that controls what happens when a player triggers it:

  0  (or "log")          — Log to console & Discord webhook only. No action taken.
  1  (or "kick")         — Kick the player with a reason message.
  2  (or "ban")          — Permanent ban. Player's identifiers are stored in the ban table.
  "temp_ban_Xh"          — Temporary ban for X hours (e.g. "temp_ban_24h").

Example:
  Config.weapons.blacklisted = {
      active    = true,
      detection = 2,     -- permanent ban
  }

Config.connecting controls who is allowed to join your server:

  require_discord = false  -- Block players without a Discord identifier
  require_steam   = false  -- Block players without a Steam identifier
  block_vpn       = false  -- Block connections from VPN / proxy IP ranges
  block_local_ips = false  -- Block LAN IPs (192.168.x.x, 127.x.x.x)
  max_connections_per_ip   = 5   -- Max connection attempts per IP per 5 minutes
  max_connections_per_hwid = 3   -- Max connection attempts per hardware ID per 10 minutes

Set block_vpn = true to significantly reduce cheater entry via VPN IP rotation.

Configure individual Discord webhook URLs for each event type. Leave a field as "" to disable that notification.

  Config.webhooks.ban            -- Fired on every ban action
  Config.webhooks.kick           -- Fired on every kick action
  Config.webhooks.connect        -- Player connect / disconnect events
  Config.webhooks.warning        -- Detection logged (log-only offenses)
  Config.webhooks.backdoor       -- Backdoor scan alerts
  Config.screenshot.discord_webhook  -- Screenshot & OCR evidence images

Screenshots are sent as file attachments directly from the server — no external service or storage is needed.

You can whitelist specific player identifiers so they are never sanctioned (e.g. developers):

  Config.connecting.whitelist = {
      "steam:110000112345678",
      "license:abcdef1234567890",
  }

Whitelisted players still appear in logs but receive no kick or ban.

• Blacklisted weapon hash blocking — define weapon names/hashes in Config.weapons.blacklisted.list
• Give-weapon event interception — server-side hook catches attempts to give banned weapons
• Framework inventory validation — cross-checks with vRP/ESX player inventory when available
• Weapon damage modifier detection — flags suspiciously high outgoing damage multipliers
• Aimbot pattern detection — monitors lock-on range and rapid target-switching frequency

• Blacklisted vehicle model blocking — configured in Config.vehicles.blacklisted.list
• Blacklisted license plate strings — catches common cheat-menu injected plate tags
• Speed hack detection — server-side velocity check against configurable max speed thresholds
• Invisible vehicle detection — flags vehicles with opacity < threshold
• Entity spawn rate limiting — prevents flooding the server with rapid entity creation

• God mode / invincibility detection — server-side health delta monitoring
• Shield exploit detection — abnormal armour regeneration patterns
• Invisible player detection — periodic alpha/visible-state validation
• Tiny skin (exploit mesh) detection — model scale check
• Super jump detection — vertical velocity spike monitoring
• Spectate exploit detection — checks for unauthorized spectate natives

• Night vision blocking — detects and disables unauthorized night-vision activation
• Thermal vision blocking — same for thermal goggles
• Weather / time sync manipulation — server enforces authoritative weather/time, client overrides are reverted

Screenshots are taken using screenshot-basic (or FiveM's built-in RequestScreenshot as fallback) and sent directly to your configured Config.screenshot.discord_webhook as file attachments.

OCR (Optical Character Recognition) runs inside the player's NUI using Tesseract.js. It periodically scans screenshots for known cheat software names and UI strings.

Configuration:
  Config.ocr = {
      active       = true,
      detection    = 2,          -- punishment on detection (0 = log, 1 = kick, 2 = ban)
      start_delay  = 60000,      -- ms before first scan (default: 60 seconds after join)
      interval     = 300000,     -- ms between scans (default: 5 minutes)
  }

When a cheat UI is found:
  1. A screenshot is captured as evidence and sent to the webhook.
  2. The player is sanctioned per the detection level.

Monitors network state bag sizes on every replication tick. If any bag value exceeds the configured byte threshold it is classified as a crash attempt.

  Config.crasher_protection = {
      active    = true,
      detection = 2,
      max_bytes = 4096,  -- state bag value size limit in bytes
  }

Players who trigger this are permanently banned (or punished per detection level).

At startup the server generates a per-session XOR key and sends a signed challenge to every connecting client. Each client must respond with the correct hashed answer derived from the resource contents.

A mismatched or missing response indicates the resource files have been tampered with (dumped) and the player receives an automatic sanction.

  Config.anti_dump = {
      active    = true,
      detection = 2,
  }

Intercepts all client → server network events and blocks known exploit triggers (clearPedTasks, task network clones, cheat-menu native names, etc.).

  Config.event_protection = {
      active    = true,
      detection = 2,    -- 0 = log, 1 = kick, 2 = ban
      whitelist = {},   -- event names that should always be allowed through
  }

If you get false positives from a legitimate resource, add its event name to the whitelist array.

Additional protection layers built into Pixel Anticheat:

• **Anti Silent Aim** — Compares raycast direction from weapon barrel vs camera direction. If they diverge, firing is blocked. Prevents silent aim without false positives.
• **Infinite Health Detection** — Monitors player health and sanctions anyone whose current HP exceeds their ped model's maximum + 10.
• **Anti Fire Protection** — Automatically extinguishes fires placed on the player by cheaters through damage events.
• **Anti Freeze Protection** — Detects when a player is remotely frozen by a cheater and immediately unfreezes them.
• **Vehicle Exploit Protection** — Three sub-modules:
  - Anti Kill Engine: Re-enables the vehicle engine if it was remotely disabled
  - Anti Kill Wheels: Repairs tyres burst by remote cheater exploits
  - Anti Flying Vehicle: Prevents non-aircraft vehicles from gaining abnormal vertical velocity
• **Anti Void** — Saves the last known safe position and teleports the player back if they fall through the ground (z < -100).

Some cheat menus inject themselves as FiveM resources to evade detection. This module compares the resource list reported by each client against a trusted whitelist. Any unlisted resource triggers the configured punishment.

  Config.bypass_resources = {
      active    = true,
      detection = 2,
      list = {
          "pxac",
          "vrp",
          "screenshot-basic",
          -- add ALL legitimate resource names here
      },
  }

Tip: run "pxac scan_resources" in the server console to get a ready-made list of all currently loaded resources you can paste directly into the whitelist.

Scans all loaded resource .lua files on server start (and on demand) for known backdoor patterns: remote code execution, suspicious HTTP requests, loadstring/eval chains, and obfuscated byte-array execution.

Results are sent to Config.webhooks.backdoor. The scanner does not modify any files — use the pxac backdoorfix command (see Console Commands) to auto-patch a detected file.

All pxac commands must be run from the FXServer console (not from in-game chat). They require no additional permissions setup.

  pxachelp
      List all available pxac commands with a short description.

  pxac antidump
      Manually trigger an anti-dump challenge on all currently connected players.

  pxac scanbackdoors
      Re-run the backdoor scanner on all loaded resource files.

  pxac backdoorfix <resource_name>
      Attempt to auto-patch a detected backdoor in the specified resource.
      Example: pxac backdoorfix my_broken_resource

  pxac eventprotect
      Reload and re-apply event protection hooks without restarting the full resource.

  pxac scan_resources
      Print a list of all currently loaded resource names formatted for Config.bypass_resources.list.

  pxac unban <identifier>
      Remove a ban for the given identifier (e.g. license:abc123).
      Example: pxac unban steam:110000112345678

Certain commands are available inside the game to players with the admin role:

  /pxac players         — List connected players with their identifiers.
  /pxac ban <id>        — Manually ban a player by their server ID.
  /pxac kick <id>       — Manually kick a player by their server ID.
  /pxac info <id>       — Show identifier info for a connected player.

Game chat commands require the player's account to have the admin role set in the dashboard → Users.

The FiveM resource connects to the web dashboard via Socket.IO for live data streaming.

In config.lua, set your dashboard URL:
  Config.web_panel = {
      url     = "https://your-domain.com",
      enabled = true,
  }

The resource authenticates using your license key and streams player data and logs in real time. No additional API key is needed beyond your license.

The Home page shows at a glance:
• Number of active players on your server
• Recent detections and bans (last 24 hours)
• Live server connection status
• Quick links to the most used sections

The Players page lists every currently connected player with their identifiers, ping, and active plan status.

The Logs page shows a timestamped feed of all detections, kicks, bans, and other anticheat events. You can filter logs by type (ban / kick / warning / connect) and by player identifier or name.

All bans are listed in the Bans page. Each entry includes:
• Player name and identifiers
• Reason / detection type
• Ban date and expiry (for temp bans)
• Which admin/detection triggered it

From this page you can manually unban a player by clicking the unban button next to their entry.

Every setting from config.lua can be edited directly in the browser from the dashboard → Config page. Changes are written back to disk immediately.

• Use the Export button to download a JSON backup of your current config.
• Use Import to restore from a previously exported JSON file.
• Click Save after making changes — then restart the pxac resource for changes to take effect.

Roles available:
  user   — Regular dashboard user (sees their own license/plan info only)
  staff  — Can view players, logs, and bans; cannot change config or manage releases
  admin  — Full access to all dashboard pages including Admin panel

Admins can set user roles from Admin → Users by searching the user and changing their role from the dropdown.

Players can submit an IP change request from dashboard → IP Requests when their IP address changes (e.g. after moving or ISP change).

Admins review pending requests in Admin → IP Requests:
• Approve — updates the player's authorized IP immediately
• Deny — rejects the request; player keeps their current IP

One pending request per account at a time. Unreviewed requests expire after 30 days.

Go to Admin → Releases. Drag and drop your .zip onto the upload zone.

Before uploading you can select .lua files inside the ZIP to obfuscate them (recommended for production). The processed ZIP is stored server-side and set as the active download automatically. Players who visit dashboard → Download will always get the latest active release.

Admins can generate redeem codes in Admin → Codes:

• Choose a plan (Monthly / Quarterly / Semi-Annual / Yearly)
• Set how many codes to generate (1–50)
• Optionally set a "Valid for X days" override — codes will grant exactly that many days of access regardless of the plan's default duration. Leave empty to use the plan's default.

Generated codes are displayed as cards and can be copied to clipboard. Used codes show who redeemed them.

Ensure there are no leading/trailing spaces in your Config.license key. The FXServer needs outbound HTTPS access to reach the validation endpoint. Check your firewall rules if the server is on a restricted host.

Set Config.screenshot.discord_webhook to a valid Discord webhook URL (create one in your Discord channel settings → Integrations). Ensure screenshot-basic is started before pxac in server.cfg. Look for "Screenshot Discord webhook error" in the FXServer console.

Confirm Config.ocr.active = true and Config.ocr.interval is set (default 300000 ms = 5 minutes). OCR waits Config.ocr.start_delay ms after player join before the first scan. Open the F8 console in-game and check for Tesseract.js errors. Ensure screenshot-basic is running.

Lower threshold values or set detection = 0 (log only) for the offending module while you investigate. Whitelist the affected player's identifier in Config.connecting.whitelist temporarily. Check the Logs page for the exact detection that triggered.

Verify the URL in Config.web_panel.url exactly matches your deployed website URL (no trailing slash, correct protocol). The FXServer needs outbound WebSocket (WSS) access on port 443. Check your VPS/hosting firewall.

Run "pxac scan_resources" in the server console to get a list of all loaded resources. Add any missing ones to Config.bypass_resources.list in config.lua, then restart pxac.

Add the triggering event name to Config.event_protection.whitelist, or temporarily set detection = 0 to identify all false-positive events before deciding which to whitelist.

Each code can only be used once. If you believe it was used in error, an admin can verify the "used_by" field in Admin → Codes. Contact support if the code was stolen.

Go to Admin → Users, search for the user by email or username, and change their role dropdown to "admin". They need to re-login for the change to take effect.

Check the FXServer console for the Lua error trace. Most common causes: outdated FXServer build (minimum 6683), syntax error in config.lua (extra comma, missing bracket), or a resource the config references that is not started.

Yes. Pixel Anticheat works with vRP, ESX, QBCore, and standalone servers. Some modules (like inventory validation) automatically detect the active framework and adapt. No extra configuration is needed.

Each license is valid for one FiveM server. If you operate multiple servers, you need a separate license (and plan) for each one. Contact support for multi-server discounts.

Pixel Anticheat is optimized for minimal footprint. All heavy operations (OCR, backdoor scanning) run asynchronously and are throttled by configurable intervals. Under normal operation the anticheat adds less than 1 ms per server tick.

Submit an IP change request from dashboard → IP Requests. An admin will review and approve the new IP. Your license key stays the same — only the authorized IP is updated.