What is Seraph
Seraph is a headless Pixel Worlds bot host. The Seraph team handles every piece of plumbing that's annoying or risky to write yourself — authentication, network protocol, packet shapes, world parsing, anti-AFK, world redirects, version gates — and exposes a small Lua surface where you write the automation logic.
You write Lua. Seraph drives the rest.
If you've ever tried to bot Pixel Worlds before, you know the frustrating part isn't deciding what to do — it's keeping the connection alive across world reboots, surviving PlayFab IP-fraud edges, decoding undocumented BSON shapes, and chasing protocol breaks every time the game ships an update. Seraph absorbs all of that.
What Seraph ships
| Layer | What's inside |
|---|---|
| Auth | PlayFab LoginWithEmailAddress / LoginWithAndroidDeviceID / LoginWithSteam + sclfrst token exchange + auto-relay (PlayFab IP-ban bypass). |
| Protocol | 1:1 BSON packet builders verified against the live Android client (VChk / GPd / mP / Gw / TTjW / DD / KErr / GWC / Lv / OoIP / Rez / Di / HB / …). |
| World engine | Live tile + collectable + enemy state, minimap, pathfinder, anti-AFK, world-redirect handling, OoIP failover, ServerFull retry. |
| Account creator | mailtm-driven fresh-guest factory with verified email + nickname/password/AID export. |
| Tutorial automation | Full Rust state machine: TUTORIAL2 join → CharC → spawn pods → exit to PIXELSTATION. |
| Lua runtime | mlua Luau VM per bot, sandboxed, with your bindings (see API reference). |
| REST + SSE bridge | Local HTTP API for external tooling — see HTTP API. |
| Auto-updater | Signed releases, Ed25519-validated, automatic on next launch. |
What you write
Just Lua. Idiomatic, small, and focused on what you want the bot to do:
```lua
-- Mine every farmable wall block in the current world,
-- skipping anything we'd be too low-level for.
for _, tile in ipairs(world:tiles()) do
  if tile.farmability and bot:level() >= (tile.levelReq or 0) then
    bot:walkTo(tile.x, tile.y)
    bot:punchTile(tile.x, tile.y)
    task.wait(0.3)
  end
end
```
You won't see PlayFab tokens, BSON encoding, or sclfrst JWTs in
your scripts — those are settled before the runtime even hands you a
bot handle.
Where to start
- New here? → Quickstart — spawn a bot and run your first Lua script in under a minute.
- Need to look up a binding? → API reference — every Lua-exposed method, auto-extracted from the Rust source at build time. Always in sync with the running binary.
- Wiring Seraph into another tool? → HTTP REST API — port 8090 mirror of the Tauri command surface (PIN-bearer auth + SSE event stream).
- Curious about the wire? → Protocol notes — packet shapes the bindings are built on top of. Not required reading; the Lua API is enough for most jobs.
Download
Latest stable: 0.8.28 (Windows x64)
- ZIP: seraph_0.8.28_win_x64.zip
- SHA-256: 0537bf331bf55b29103759445854a3fd51a251b34b2ec173ed77e8c67d7cc126
- Manifest (auto-update feed): latest.json
Already running an older build? The bundled updater pulls the new version on next launch — no manual re-download needed.
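Checking a manually downloaded ZIP against the SHA-256 listed above before unpacking it, as an added example that is not Seraph's own code. It assumes the ZIP sits in the current directory, and the function names are made up for this example. A match shows the file is the one this page lists; because the digest is published on the same page as the download, it does not vouch for the page itself.

```python
import hashlib
import hmac
from pathlib import Path

# Values copied from the Download section of this page.
RELEASE_ZIP = "seraph_0.8.28_win_x64.zip"
PUBLISHED_SHA256 = "0537bf331bf55b29103759445854a3fd51a251b34b2ec173ed77e8c67d7cc126"


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large archive is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(text):
    """Accept a digest pasted in uppercase or followed by a filename."""
    parts = text.strip().split()
    token = parts[0].lower() if parts else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return token


def verify_download(path, expected=PUBLISHED_SHA256):
    """Return (ok, actual_digest); ok is False on mismatch or missing file."""
    want = normalize_digest(expected)
    if not Path(path).is_file():
        return False, None
    actual = sha256_file(path)
    return hmac.compare_digest(actual, want), actual


if __name__ == "__main__":
    ok, actual = verify_download(RELEASE_ZIP)
    print("OK" if ok else "MISMATCH or missing file", actual)
    raise SystemExit(0 if ok else 1)
```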
Why Lua, why not X?
Lua is small, fast to learn, sandboxes cleanly per-bot, and has a
mature embedded runtime (Luau via mlua). You don't need to install
anything to write a script — open the in-app editor or upload a .lua
file and the runtime executes it against any bot you point at it.
If you're more comfortable in Python / TypeScript / shell, you can drive the same surface from outside the app via the HTTP REST API. The Lua surface is just the most convenient way to get bots doing things.
License + safety
Seraph runs scripts in a sandboxed Luau VM — os.execute, raw file
I/O, and unrestricted network access aren't exposed by default. The
allowed surface (HTTP, JSON, regex, scoped storage, etc.) is listed
under API reference. External integrations go through the
PIN-gated HTTP API; sensitive commands ride encrypted dispatch.
The licensing layer (Ed25519-signed leases) is verified locally — if the licensing server is unreachable, an existing valid lease keeps working through its grace window before the client locks down.