Server-Side Strings & File Delivery: Eliminating Hardcoded Secrets
Home/Blog/Server-Side Strings & File Delivery: Eliminating Hardcoded Secrets
Developer GuideApril 12, 20268 min read

Server-Side Strings & File Delivery: Eliminating Hardcoded Secrets

PapelShip TeamPapelShip Team
qPapel Licence ManagementServer-SideAPI IntegrationSecurity

Why Server-Side Storage Matters

Hardcoding sensitive values like memory offsets, API endpoints, or configuration strings directly in your client binary is a security risk. Every time a value changes, you'd need to push a new binary update. PapelShip's server-side systems solve this by letting you manage dynamic data from your dashboard and deliver it to authenticated clients at runtime.

Server-Side Strings

Navigate to /dashboard/api-integrations/serverside-strings to access the String Library. Each record has the following properties:

Access ID — A unique 12-character identifier automatically generated when you create a string. Your client application uses this ID to fetch the value from the API.

String Types:

  • String — Plain text values. Store API URLs, configuration JSON, version numbers, or any arbitrary text content.
  • Offset — Memory offsets formatted as module + address. The dashboard provides an Offset Calculator with fields for Base Module (e.g., client.dll) and Offset Address (e.g., 0x123456). The stored value becomes client.dll + 0x123456.
  • Function — Mathematical expressions or formulas. The Equation Builder lets you construct expressions like (base_addr * 0x4) + 0x100 with hex/add/multiply helpers.

Product Scoping

Each string can be scoped to specific products or left as Global (accessible by all products). This is controlled by the Target Products selector, where you pick one or more products by their internal cheat_value identifier.

Force Key Check

When the Force Key Check toggle is enabled on a string, the API endpoint requires a valid, active license key to be presented alongside the access ID. Without a valid key, the server returns an authorization error. This prevents users with expired or banned licenses from accessing critical data like memory offsets.

Server-Side Files

The file management system at /dashboard/api-integrations/file-management works similarly to strings but delivers binary files instead of text values. Use cases include:

  • DLL injection payloads — Deliver the latest compiled DLL to authenticated clients
  • Configuration archives — Push JSON/XML config packs
  • Asset bundles — Distribute encrypted game assets or model files
  • Patch files — Deliver incremental binary patches

Files are uploaded through the dashboard with chunked upload support for large files. Each file gets its own access ID and can be scoped to specific products.

Integration Example

Here's the conceptual flow for fetching a server-side string from your C++ client:

1.Authenticate — Your loader validates the license key with the qPapel API
2.Request String — Call GetServerString(access_id) with the 12-character ID
3.Receive Value — The server returns the current string value (e.g., an offset)
4.Apply — Your client uses the offset at runtime without it being hardcoded

For files, the flow is identical but uses GetServerFile(access_id) which returns the binary content.

Security Best Practices

1.Always enable Force Key Check for sensitive strings like offsets or injection URLs
2.Scope strings to specific products rather than using Global — principle of least privilege
3.Rotate offsets regularly — When game/software updates change memory layouts, update your string values from the dashboard without pushing a new client build
4.Use the Status toggle to temporarily disable strings during maintenance. Setting a string to Inactive makes it return an error to clients without deleting the record.

Dashboard Workflow

  • Create — Click "New String", fill in label, select type, configure product scope and security
  • Edit — Click the edit icon on any row to modify the value or settings
  • Search — Filter by label, access ID, or string value using the search bar
  • Copy Access ID — One-click copy button for easy integration into your code
  • Delete — Permanently remove a string record (requires confirmation)

Set up your first server-side string →

More from the blog