diff --git a/.env b/.env
new file mode 100644
index 0000000..5a9d502
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+PATH=/var/www/spamhasi
+DB_PATH=/var/www/spamhasi/spamhasi.db
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c6d105c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+spamhasi.db
\ No newline at end of file
diff --git a/api/api.php b/api/api.php
new file mode 100644
index 0000000..9d070fc
--- /dev/null
+++ b/api/api.php
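Review bot: `DB_PATH=/var/www/spamhasi/spamhasi.db` puts the SQLite file at a path that, judging by the `/var/www` prefix alone, looks like it sits inside the served directory tree; if that directory is the document root, the database (which per `api/api.php` holds the `api_keys` and `users` tables) is downloadable with a plain GET unless the web server is configured to deny it. Keeping the file outside the served tree, or adding a deny rule for `*.db`, avoids depending on that configuration. Naming the first variable `PATH` is also risky: should `getConf()` or a deployment tool ever export this file into the process environment, it replaces the system executable search path. `.gitignore` excludes only `spamhasi.db` while `.env` itself is committed, which is fine while it holds only paths, but since `.env` is where secrets usually end up, committing a `.env.example` and ignoring `.env` is the safer convention.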
@@ -0,0 +1,100 @@
+getConf();
+
+ $db = new PDO("sqlite:" . $config["DB_PATH"]);
+ $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+ return $db;
+ }
+
+ public function checkAuth() {
+ if ($this->checkLogin()) {
+ return true;
+ }elseif (isset($_SERVER["HTTP_X_API_KEY"])) {
+ $key = $_SERVER["HTTP_X_API_KEY"];
+
+ $db = $this->getDB();
+
+ $sql = "SELECT * FROM api_keys WHERE key = :key";
+
+ $stmt = $db->prepare($sql);
+
+ $stmt->execute([":key" => $key]);
+
+ $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+ if ($result) {
+ $user_id = $result["user_id"];
+
+ $sql = "SELECT username FROM users WHERE id = :id";
+ $stmt = $db->prepare($sql);
+
+ $stmt->execute([":id" => $user_id]);
+ $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+ $username = $result["username"];
+
+ $this->api_keys[$key] = $username;
+
+ return true;
+ }else{
+ return false;
+ }
+ }else{
+ return false;
+ }
+ }
+
+ public function getUser() {
+ if ($this->checkLogin()) {
+ return $_COOKIE["username"];
+ }elseif (isset($_SERVER["HTTP_X_API_KEY"])) {
+ $key = $_SERVER["HTTP_X_API_KEY"];
+ if (isset($this->api_keys[$key])) {
+ return $this->api_keys[$key];
+ }
+ }
+ }
+
+ public function checkLogin() {
+ if (!isset($_COOKIE["session_id"]) || !isset($_COOKIE["device_id"]) || !isset($_COOKIE["username"])) {
+ return false;
+ }
+
+ $config = $this->getConf();
+
+ $json = json_decode(file_get_contents($config["PATH"] . "/tmp/user_sessions/" . $_COOKIE["username"] . ".json"), true);
+
+ if (!isset($json[$_COOKIE["device_id"]])) {
+ return false;
+ }
+
+ $device = $json[$_COOKIE["device_id"]];
+
+ if ($device["session_id"] !== $_COOKIE["session_id"]) {
+ return false;
+ }
+
+ return true;
+ }
+
+ public function generateSessionID() {
+ $num = rand(1, 999999);
+ $hash = hash("sha256", $num);
+
+ return $hash;
+ }
+}
\ No newline at end of file
diff --git a/api/opfer/list.php b/api/opfer/list.php
new file mode 100644
index 0000000..f588419
--- /dev/null
+++ b/api/opfer/list.php
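Review bot: `generateSessionID()` derives the session token from `rand(1, 999999)`, so there are at most 999999 possible tokens and hashing a small integer with sha256 adds no entropy; the body should be `return bin2hex(random_bytes(32));`. In `checkLogin()` the cookie-supplied `$_COOKIE["username"]` is concatenated straight into the `user_sessions` path, so a crafted cookie makes `file_get_contents` read and `json_decode` files of the attacker's choosing under the web user's permissions; the value needs to be validated as a plain identifier and the file checked with `is_file` before it is read, as sketched below (adjust the character class to the project's username rules). The `$device["session_id"] !== $_COOKIE["session_id"]` comparison is not constant-time, so `hash_equals((string) $device["session_id"], (string) $_COOKIE["session_id"])` is the usual form there. The hunk's opening lines (the `<?php` opener, the class declaration and the `getDB()` signature before `getConf();`) appear to have been lost in rendering, so I cannot see how `getConf()` loads the `.env` values or whether `$api_keys` is declared.
```php
public function checkLogin() {
    if (!isset($_COOKIE["session_id"]) || !isset($_COOKIE["device_id"]) || !isset($_COOKIE["username"])) {
        return false;
    }

    // Cookie values are caller-controlled: accept only a plain identifier before it becomes a path component.
    $username = $_COOKIE["username"];
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $username)) {
        return false;
    }

    $config = $this->getConf();
    $file = $config["PATH"] . "/tmp/user_sessions/" . $username . ".json";
    if (!is_file($file)) {
        return false;
    }
    $json = json_decode(file_get_contents($file), true);

    // … unchanged: device_id lookup and session_id comparison …
```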
@@ -0,0 +1,35 @@
+checkAuth()) {
+ die('{"status":500, "error":"Unauthorized"}');
+}
+
+$db = $api->getDB();
+
+$sql = "SELECT * FROM opfer";
+$stmt = $db->query($sql);
+$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+$all_opfer = [];
+
+if ($result) {
+ foreach ($result as $opfer_res) {
+ $opfer["name"] = $opfer_res["name"];
+ $opfer["mail"] = $opfer_res["mail"];
+ $opfer["number"] = $opfer_res["number"];
+
+ $all_opfer[] = $opfer;
+ }
+
+ $json["servers"] = $all_opfer;
+}else{
+ $json["servers"] = [];
+}
+
+$json["status"] = 200;
+
+die(json_encode($json));
+?>
\ No newline at end of file
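Review bot: The unauthorized branch `die('{"status":500, "error":"Unauthorized"}')` is sent with HTTP 200 (and a body status of 500, a server-error code), so HTTP clients, proxies and monitoring all see a successful request; it should be `http_response_code(401); die('{"status":401,"error":"Unauthorized"}');`. No `Content-Type: application/json` header is set anywhere in the file, so both the error and the success body go out as text/html; a `header('Content-Type: application/json');` before the auth check fixes both. The list key is `$json["servers"]` while the rows come from the `opfer` table, which reads like a copy-paste from another endpoint; if the name is intentional, a one-line comment saying so would stop the next reader from "fixing" it. `json_encode($json)` returns `false` if any row holds invalid UTF-8, and `die(false)` then emits an empty 200 response; `json_encode($json, JSON_THROW_ON_ERROR)` (or checking the return value) makes that failure visible. The file's first lines (the `<?php` opener and the `$api` construction preceding `checkAuth())`) appear to have been lost in rendering, so the surrounding `if` starts outside what I can see.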