Change authentication of panel from HTTP Auth to Form or cookie auth based


The reason that I’m asking for that is because steam browser simply doesn’t support HTTP Auth. WHAT? Yes, it doesn’t support HTTP Auth.

If we change authentication method of panel to a simple web page with authentication form we will be able to access panel from steam overlay. In my case, this means that I will be enable to control my stream without leave my game with alt + tab and without open phantom bot in other device.


Unfortunately, this will not work. We use the HTTP Authentication mechanism provided by Java to provide security to the pages. Pages are set behind context objects from within the HTTP(S) server objects provided by Java. In non-technical terms, everything is handled from within the lightweight webserver.

We do not support any other browser than Chrome; although we try to support Edge, Firefox, and Safari as best as we can.

The one thing you could try is changing your URL that you use to connect:

http://username:[email protected]/path

That sends over the authentication information automatically and doesn’t require the pop-up.


Hi, sorry for replying to this old post but this is exact my problem:

If i get it right:

http://username:[email protected]:25000/panel
should load the Bot Panel and

http://username:[email protected]:25000/ytplayer
should load the Youtube Player,

each without asking for Username and Password.

But the Browser still asks for login credentials. What am i doing wrong?


It appears that Chrome has dropped support for this. I still do it with web services (not PhantomBot) via applications like Curl that still support it which is why I assumed it was still supported:

I read there may be a plugin for Chrome that works around this being removed but, I didn’t try it.

I am also assuming other browsers dropped support.


Ok, so my only workaround to this is to remove the bot panel login username and password because when this is gone, the browser doesn’t ask and the site launches fully automatically.

In addition, i will have to remove my audiences’ access to the wishlist (for them to see which songs come next) because for this to work, they need all the webports forwarded and without a password, they could control the whole bot.

Since there seems no other solution, i`m going to remove the user/pass, revert the forwarded ports and remove the option to get the music wishlist.

Maybe the Bot could output the Wishlist as a text file that i can share via google sync (i would take care of the syncing myself)? I will make a feature request for this.

Is it possible to restrict the bot to accept logins only from whitelisted IPs?


What is the ‘wishlist’ ? Is that the ‘song request list?’

The only way to change this is to change the Core. You are correct in that once that is done, everything is unprotected.

Your other option may be to try a proxy in front of the bot. Firewall off the ports the bot uses. Use a program to redirect to the internal port. Only allow your IP to access the Control Panel.


Well thanks, in the feature request i opened, someone showed me the exact playlist commands i need so i can simply shut down the port forwarding and that’s it.


Bad luck, every time i remove the panelpassword and paneluser from botlogin.txt (commenting it out, removing it or leaving it blank after the = it always does the same) phantombot fills it back with panel as standard password.

Found another solution, re-enabling the embedded credentials at least for chromium based browsers.
Simply add
to the browser launching string.

Don`t know for how long this will work but for now it’s good.