Fleeca Bank — Full Documentation

Complete reference for the Fleeca Bank web system and FiveM bridge.

Last updated: March 12, 2026

Overview

Fleeca Bank is a full-featured roleplay banking system composed of two independent products that work together:

Product	Description	Stack
Web System	The main banking platform hosted on a web server. Clients, bankers, and admins manage accounts, loans, savings, invoices, and more through a browser interface.	PHP 8.1+, MySQL, cPanel
FiveM Bridge	A FiveM resource that connects ATMs and NPCs in-game to the web system. Players can deposit, withdraw, and transfer money directly from GTA V.	Lua, FiveM, ESX / QBCore / Standalone

ℹ️

The two products are sold and deployed separately. The web system works fully without the FiveM bridge. The bridge requires the web system to be installed and accessible via HTTPS.

Requirements

Web System

Requirement	Minimum	Notes
PHP	8.1	8.2+ recommended. Extensions: PDO, pdo_mysql, json, mbstring, openssl
MySQL	5.7	MariaDB 10.4+ also supported
Hosting	Shared cPanel	Any host with PHP + MySQL access
HTTPS	Required	Required for FiveM bridge communication

FiveM Bridge

Requirement	Details
FiveM server	Build 5562 or higher
Framework	ESX, QBCore, or Standalone (config-driven)
ox_target	Optional but recommended for ATM interaction. Falls back to proximity E-key if not present.
Web system	Must be installed and accessible via HTTPS before the bridge can function.

Architecture

The following diagram shows how the two systems communicate:

┌─────────────────────────────────────────────────────────┐
│                     BROWSER (Player)                    │
│  ┌─────────────────────────────────────────────────┐   │
│  │            Fleeca Bank Web Dashboard             │   │
│  │  Login / Accounts / Loans / Savings / Invoices  │   │
│  └──────────────────────┬──────────────────────────┘   │
└─────────────────────────┼───────────────────────────────┘
                          │ HTTPS
┌─────────────────────────▼───────────────────────────────┐
│                   WEB SERVER (cPanel)                   │
│  ┌─────────────┐  ┌─────────────┐  ┌────────────────┐  │
│  │  config.php │  │  api/*.php  │  │  admin/*.php   │  │
│  └─────────────┘  └──────┬──────┘  └────────────────┘  │
│                          │ PDO                           │
│  ┌───────────────────────▼───────────────────────────┐  │
│  │                MySQL Database                     │  │
│  └───────────────────────────────────────────────────┘  │
└──────────────────────────┬──────────────────────────────┘
                           │ HTTPS + X-Fleeca-Key
┌──────────────────────────▼──────────────────────────────┐
│                  FIVEM SERVER (txAdmin)                 │
│  ┌────────────────────────────────────────────────────┐ │
│  │              fleeca-fivem resource                 │ │
│  │  ┌──────────┐  ┌──────────┐  ┌─────────────────┐  │ │
│  │  │config.lua│  │server/   │  │ client/ + html/  │  │ │
│  │  └──────────┘  │main.lua  │  │ NUI Interface    │  │ │
│  │                └──────────┘  └─────────────────┘  │ │
│  └────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘

All sensitive operations (token generation, banking actions) go through the server-side Lua scripts, which call the web API using PerformHttpRequest. The NUI (client-side) never talks to the web server directly.

Web System — Installation

Upload files
Upload the fleeca-bank/ folder to your hosting via cPanel File Manager or FTP. Recommended path: public_html/fleeca-bank/

Create the database
In phpMyAdmin, create a new database (e.g. fleeca_bank), then import sql/fleeca_bank_install.sql. This creates all required tables.

Edit config.php
Open config.php and fill in your database credentials, JWT secret, and APP_URL. See the Configuration section below.

Create the admin account
Visit https://your-site.com/fleeca-bank/index.php — if no admin exists the system will prompt you to create one.

Set up the cron job
In cPanel → Cron Jobs, add a weekly job to run loan interest and salary processing. See the Cron section for the exact command.

⚠️

Change JWT_SECRET, DB_PASS, and APP_URL before going live. Never leave the default placeholder values in production.

Web System — Configuration

All configuration lives in config.php at the root of the installation.

Database

// config.php
define('DB_HOST', 'localhost');
define('DB_NAME', 'fleeca_bank');    // Your MySQL database name
define('DB_USER', 'fleeca_user');    // Your MySQL username
define('DB_PASS', 'YOUR_PASSWORD');  // ← Change this

Security

define('JWT_SECRET', '64_random_characters_minimum'); // ← Change this
define('JWT_EXPIRY', 3600 * 8);  // Session duration: 8 hours
define('APP_URL',    'https://your-site.com/fleeca-bank'); // ← Change this

Banking limits

define('PERSONAL_WEEKLY_LIMIT',     10000.00);  // Personal accounts: $10k/week
define('PROFESSIONAL_WEEKLY_LIMIT', 500000.00); // Professional: $500k/week
define('PROFESSIONAL_TAX_PERCENT',      5.15); // % fee on pro transactions
define('MAX_LOAN_AMOUNT',           500000);    // Global max loan
define('MIN_LOAN_AMOUNT',             1000);    // Global min loan
define('MAX_LOAN_WEEKS',               52);    // Max repayment duration
define('INTEREST_RATE_DEFAULT',         1.5);    // % weekly loan interest

Language

define('LANG', 'en'); // 'en' | 'fr' | 'de' | 'es'

FiveM integration

define('FIVEM_SECRET',       'your_shared_secret'); // Must match Config.SecretKey in config.lua
define('FIVEM_TOKEN_EXPIRY', 30);     // One-time token validity (seconds)
define('FIVEM_MAX_DEPOSIT',  500000); // Max deposit per transaction
define('FIVEM_MAX_WITHDRAW', 50000);  // Max withdrawal per transaction
define('FIVEM_MAX_TRANSFER', 100000); // Max transfer per transaction

Discord webhooks

define('DISCORD_WEBHOOK_ENABLED',  true);
define('DISCORD_WEBHOOK_MAIN',     'https://discord.com/api/webhooks/...'); // General events
define('DISCORD_WEBHOOK_TRANSFERS','https://discord.com/api/webhooks/...'); // Transfers only
define('DISCORD_WEBHOOK_SECURITY', 'https://discord.com/api/webhooks/...'); // Login / security
define('DISCORD_WEBHOOK_CRON',     'https://discord.com/api/webhooks/...'); // Cron reports

Web System — File Structure

fleeca-bank/
├── config.php ← Main configuration (edit this)
├── index.php ← Login page
├── link-fivem.php ← FiveM account linking page
├── client/
│ └── dashboard.php ← Client interface
├── admin/
│ ├── dashboard.php ← Admin / banker interface
│ ├── employees.php
│ └── export_transactions.php
├── api/ ← All API endpoints
│ ├── fivem_auth.php ← FiveM token + bank actions
│ ├── fivem_link.php ← Account linking codes
│ ├── accounts.php
│ ├── transfers.php
│ ├── loans.php
│ ├── savings.php
│ ├── invoices.php
│ ├── salaries.php
│ └── notifications.php
├── langs/ ← Translation files
│ ├── en.php fr.php de.php es.php
├── cron/
│ └── process.php ← Weekly interest + salaries
├── assets/ ← CSS, JS, images
└── sql/ ← Database schemas
├── fleeca_bank_install.sql ← Main install (run first)
├── fivem_migration.sql ← FiveM bridge tables
└── fivem_link_codes.sql ← Link code table

Web System — Roles & Permissions

Role	Access	Notes
admin	Full access to everything — account management, loan approval, employee management, transaction export, all dashboards.	Created on first install
banker / employee	Can view and manage client accounts, approve/deny loans, manage invoices. Cannot access system settings.	Created by admin
client	Personal dashboard only — view balance, make transfers, request loans, manage savings, send invoices.	Self-registration or created by banker

Web System — Features

Accounts

Each client has one bank account with a unique IBAN (format: FLEECA-XXXXXX). Accounts can be typed as personal or professional, each with different transfer limits and fee rules. Admins can freeze or unfreeze any account.

Loans

Clients submit loan requests specifying amount and duration (in weeks). Bankers approve or deny. Once approved, the amount is credited to the account and weekly repayments are processed automatically by the cron job. Interest rate defaults to INTEREST_RATE_DEFAULT (configurable per loan by bankers). Overdue loans incur an additional LATE_PENALTY_RATE per week.

Savings Accounts

Clients can open savings sub-accounts with a configurable interest rate and lock period. The cron job applies interest weekly. Savings balances are separate from the main account and cannot be used for transfers until the lock expires.

Invoices

Clients and bankers can create invoices sent to other accounts by IBAN. The recipient receives a notification and can pay directly from their dashboard. Invoices support custom line items, due dates, and PDF export.

Employee Salaries

Admins can register employees and configure their weekly salary. The cron job automatically credits salaries every week on the configured SALARY_DAY.

Translations (i18n)

The system supports English, French, German, and Spanish. The active language is set in config.php:

define('LANG', 'en'); // 'en' | 'fr' | 'de' | 'es'

Translation strings live in langs/en.php, langs/fr.php, etc. To add or modify strings, edit the corresponding file. Use __t('key') in templates for escaped output and __tr('key') for raw HTML.

Web System — Cron Jobs

Add the following job in cPanel → Cron Jobs. Set it to run once per week (e.g. every Sunday at midnight):

0 0 * * 0  php /home/YOUR_CPANEL_USER/public_html/fleeca-bank/cron/process.php

The cron script handles:

Task	Details
Loan interest	Applies `INTEREST_RATE_DEFAULT` to all active loans. Adds `LATE_PENALTY_RATE` if overdue.
Loan repayments	Automatically debits weekly repayment installments from borrower accounts.
Savings interest	Credits interest to all active savings accounts.
Employee salaries	Credits configured salary to each employee on `SALARY_DAY`.
Discord report	Posts a summary to `DISCORD_WEBHOOK_CRON` if enabled.

Web System — Discord Webhooks

Set DISCORD_WEBHOOK_ENABLED to true and fill in the webhook URLs. Each channel is independent — you can use the same webhook for all or separate channels per event type.

Constant	Triggered by
`DISCORD_WEBHOOK_MAIN`	Account creation, loan approval/denial, account freeze
`DISCORD_WEBHOOK_TRANSFERS`	Every transfer above a threshold
`DISCORD_WEBHOOK_SECURITY`	Login, failed login attempts, suspicious activity
`DISCORD_WEBHOOK_CRON`	Weekly cron job summary report

FiveM Bridge — Installation

Import SQL migrations in phpMyAdmin in this exact order:
1. sql/fivem_migration.sql — adds fivem_license column and token table
2. sql/fivem_link_codes.sql — creates the 6-digit link code table

Upload the resource — copy the fleeca-fivem/ folder into your FiveM server's resources/ directory.

Edit config.lua — set your framework, WebURL, and SecretKey. See Configuration below.

Add to server.cfg:
ensure fleeca-fivem

Restart the resource via txAdmin or restart fleeca-fivem in the server console.

🚨

FIVEM_SECRET in config.php and Config.SecretKey in config.lua must be identical. If they differ, all FiveM API calls will return 401 Unauthorized.

FiveM Bridge — Configuration

All bridge configuration is in config.lua at the root of the resource.

Config.Framework = 'ESX'         -- 'ESX' | 'QBCore' | 'Standalone'
Config.WebURL    = 'https://your-site.com'  -- No trailing slash
Config.SecretKey = 'your_shared_secret'     -- Must match FIVEM_SECRET in config.php

Config.MaxDeposit  = 500000   -- Server-side cap per deposit
Config.MaxWithdraw = 50000    -- Server-side cap per withdrawal
Config.MaxTransfer = 100000   -- Server-side cap per transfer

Config.NotifyStyle         = 'esx'  -- 'esx' | 'qbcore' | 'ox' | 'standalone'
Config.InteractionDistance = 2.0   -- Meters to trigger ATM interaction
Config.TokenExpiry         = 30    -- One-time auth token validity (seconds)

FiveM Bridge — File Structure

fleeca-fivem/
├── fxmanifest.lua ← Resource manifest
├── config.lua ← Configuration (edit this)
├── client/
│ ├── main.lua ← NUI open/close, events, balance refresh
│ ├── zones.lua ← ATM/Ped spawn, existing ATM scan, proximity
│ └── frameworks/
│ ├── esx.lua ← Bridge.getPlayerName, Bridge.notify
│ ├── qbcore.lua
│ └── standalone.lua
├── server/
│ ├── main.lua ← Token generation, bank actions, /linkbank
│ └── frameworks/
│ ├── esx.lua ← Bridge.getPlayerLicense, Bridge.getPlayerName
│ ├── qbcore.lua
│ └── standalone.lua
└── html/ ← NUI interface
├── index.html ← NUI layout
├── app.js ← NUI logic + Lua communication
└── style.css ← NUI styles

FiveM Bridge — Frameworks

The bridge uses a Bridge object pattern. The active framework file populates it before main.lua runs. You only need to set Config.Framework — no other changes required.

Function	Description
`Bridge.getPlayerName()`	Client-side. Returns the player's character name from ESX/QBCore, or the FiveM display name in Standalone.
`Bridge.notify(msg, type)`	Client-side. Shows an in-game notification. Type: `'success'` / `'error'` / `'info'`. Routes to ESX, QBCore, ox_lib, or native GTA feed.
`Bridge.getPlayerLicense(source)`	Server-side. Returns the Steam `license:` identifier for the given player source.
`Bridge.getPlayerName(source)`	Server-side. Returns the player's name from the server side.

FiveM Bridge — ATM & Access Points

Access points are defined in Config.AccessPoints. Three types are supported:

type = 'atm' — Spawn a new ATM prop

{
    type   = 'atm',
    coords = vector4(149.5, -1042.7, 29.4, 340.0),
    label  = '🏧 Fleeca ATM',
    model  = 'prop_fleeca_atm',  -- optional, overrides Config.ATMModel
},

type = 'ped' — Spawn a banker NPC

{
    type     = 'ped',
    coords   = vector4(151.2, -1041.5, 29.4, 160.0),
    label    = '🏦 Fleeca Banker',
    model    = 'mp_m_freemode_01',
    animDict = 'WORLD_HUMAN_STAND_IMPATIENT',
    animName = 'BASE',
},

type = 'existing' — Auto-detect map ATMs

{
    type  = 'existing',
    label = '🏧 Fleeca ATM',
},

Scans all objects loaded by GTA every second using GetGamePool("CObject") and matches them against Config.ATMModels. Detected ATMs are registered as interactive automatically — no coordinates needed. Works with MLOs and any prop placed by other scripts.

ATM Models

Model	Description
`prop_atm_01`	Generic white freestanding ATM
`prop_atm_02`	Generic grey freestanding ATM
`prop_atm_03`	Wall-mounted ATM
`prop_fleeca_atm`	Fleeca branded ATM (green logo) — found in front of Fleeca branches

Interaction

If ox_target is present, interactions are registered via exports.ox_target:addLocalEntity. Otherwise, the bridge falls back to a proximity loop that shows a "Press E" hint and listens for key input.

FiveM Bridge — Account Linking

Before a player can use ATMs, their FiveM Steam license must be linked to their Fleeca Bank web account.

Linking flow

Player types /linkbank in the FiveM chat

Server generates a 6-digit code (valid 10 minutes) and shows it on screen via the NUI overlay

Player visits https://your-site.com/fleeca-bank/link-fivem.php in their browser

Player logs in (or is already logged in) and enters the 6-digit code

The Steam license is bound to their account. ATMs now work automatically.

To unlink, the player can return to link-fivem.php and click Unlink, or an admin can clear the license from the web admin panel.

✅

Codes are single-use and expire after 10 minutes. A player can only have one active code at a time — generating a new one invalidates the previous.

FiveM Bridge — NUI Interface

The NUI is a dark-themed single-page interface that opens when a player interacts with an ATM or banker NPC. It displays:

Section	Description
Balance	Current account balance and IBAN, updated in real time after each transaction
Deposit	Cash deposit — amount validated server-side against `Config.MaxDeposit`
Withdraw	Cash withdrawal — validated against `Config.MaxWithdraw`
Transfer	Bank transfer by IBAN — validated against `Config.MaxTransfer`
History	Last 7 transactions with description, date, and amount (credit/debit colored)

The NUI closes with the ✕ button, the Escape key, or automatically after a successful transaction (1.8s delay). Mouse focus is fully released on close.

FiveM Bridge — Events Reference

Client → Server

Event	Payload	Description
`fleeca:requestToken`	—	Requests a one-time auth token. Triggers when a player opens an ATM.
`fleeca:bankAction`	`{ action, amount, to_iban?, description? }`	Executes a deposit, withdrawal, or transfer.
`fleeca:getBalance`	—	Background refresh — called on spawn and resource start.

Server → Client

Event	Payload	Description
`fleeca:receiveToken`	`{ token, license, balance, iban, transactions }`	Response to token request. Opens the NUI with initial data.
`fleeca:actionResult`	`{ success, message?, error?, balance?, transactions? }`	Result of a banking action. Updates NUI balance and history.
`fleeca:balanceData`	`{ balance, iban, transactions }`	Background balance data. Updates NUI state silently.
`fleeca:showLinkCode`	`{ code, expires_in, webUrl }`	Shows the 6-digit link code overlay in the NUI.
`fleeca:notify`	`(message, type)`	Shows a notification via the framework bridge.

NUI Callbacks (JS → Lua)

Callback	Triggered by
`closeBank`	✕ button or Escape key in the NUI
`bankAction`	Deposit / Withdraw / Transfer button click
`closeLinkCode`	Close button on the link code overlay

API — fivem_auth.php

Called by the FiveM server scripts via PerformHttpRequest. All requests must include the header X-Fleeca-Key: {FIVEM_SECRET}.

POST — request_token POST

Generates a one-time auth token for a player. Returns account data.

// Request
{
  "action":  "request_token",
  "license": "license:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "secret":  "your_shared_secret"
}

// Response 200
{
  "token":        "abc123...",
  "balance":      15420.50,
  "iban":         "FLEECA-000042",
  "transactions": [ ... ]
}

// Response 401 — bad secret
{ "error": "Unauthorized." }

// Response 404 — license not linked
{ "error": "No account found for this license." }

POST — bank_action POST

Executes a banking transaction.

// Request
{
  "action":      "bank_action",
  "bank_action": "deposit",   // "deposit" | "withdraw" | "transfer"
  "license":     "license:xxx",
  "amount":      5000,
  "to_iban":     "FLEECA-000007",  // required for transfer only
  "description": "Rent payment",   // optional
  "secret":      "your_shared_secret"
}

// Response 200
{
  "success":      true,
  "message":      "Deposit successful.",
  "balance":      20420.50,
  "transactions": [ ... ]
}

GET — get_data GET

Returns current balance and recent transactions for background refresh.

GET /api/fivem_auth.php?action=get_data&license=license:xxx&secret=your_secret

// Response 200
{
  "balance":      20420.50,
  "iban":         "FLEECA-000042",
  "transactions": [ ... ]
}

API — fivem_link.php

POST — generate POST

Called by the FiveM server when a player types /linkbank. Generates a 6-digit code.

{
  "action":  "generate",
  "license": "license:xxx",
  "secret":  "your_shared_secret"
}

// Response 200
{ "code": "483921", "expires_in": 600 }

POST — verify POST

Called by link-fivem.php when the player submits their code in the browser. Requires the player to be logged in (session).

{
  "action":     "verify",
  "code":       "483921",
  "csrf_token": "..."
}

// Response 200
{ "success": true }

// Response 422 — invalid or expired code
{ "error": "Invalid or expired code." }

Database — Key Tables

Table	Description
`fleeca_users`	All users (clients, bankers, admins). Includes `fivem_license` column added by migration.
`fleeca_accounts`	Bank accounts — one per client. Stores IBAN, balance, account type, frozen status.
`fleeca_transactions`	All transaction records — deposits, withdrawals, transfers, fees, interest, salaries.
`fleeca_loans`	Loan requests and active loans with amount, rate, weeks, status.
`fleeca_savings`	Savings sub-accounts with balance, rate, lock period.
`fleeca_invoices`	Invoices with line items, status (pending/paid/overdue), and PDF export data.
`fleeca_fivem_tokens`	Short-lived one-time auth tokens generated for ATM interactions.
`fleeca_link_codes`	6-digit link codes with 10-minute expiry. One per player at a time.

Database — Migrations

If you already have the web system installed and are adding FiveM support, import only the FiveM migrations — do not re-run fleeca_bank_install.sql.

Import sql/fivem_migration.sql — adds fivem_license VARCHAR(60) to fleeca_users and creates fleeca_fivem_tokens

Import sql/fivem_link_codes.sql — creates fleeca_link_codes with unique index on code and license

Escrow / CFX

The FiveM bridge is designed for distribution via the CFX Asset Store or Tebex with optional escrow. The following files must remain unescrowd so buyers can configure the resource:

File	Reason
`config.lua`	Framework, WebURL, SecretKey, ATM models, access points
`fxmanifest.lua`	Required in plain text by FiveM
`html/index.html`	NUI labels (optional but recommended for customization)
`html/style.css`	Visual customization

Add to fxmanifest.lua:

escrow_ignore {
    'config.lua',
    'fxmanifest.lua',
    'html/index.html',
    'html/style.css',
}

Security Notes

🚨

Never expose config.php, FIVEM_SECRET, or JWT_SECRET publicly. These values should be unique per installation and changed from their defaults before going live.

Secret key

The FIVEM_SECRET / Config.SecretKey is the shared key between your web server and FiveM server. It is sent as the X-Fleeca-Key HTTP header on every API call. Use a long random string (32+ characters). Never commit it to a public repository.

Server-side validation

All amount and action validation happens server-side in Lua (server/main.lua) before calling the web API. The NUI never communicates with the web API directly — all NUI fetch calls go to the Lua callback system via https://{resource_name}/{callback}.

One-time tokens

Each time a player opens an ATM, the server generates a short-lived token (default 30 seconds). This token is used to authenticate the session. It cannot be reused and expires automatically.

Troubleshooting

Symptom	Cause	Fix
"Impossible to generate a code" in-game	`fleeca_link_codes` table missing, or wrong WebURL	Import `fivem_link_codes.sql`. Check `Config.WebURL` has no trailing slash.
ATMs not interactive	`type = 'existing'` not in AccessPoints, or WebURL wrong during setup	Add the `existing` block to `Config.AccessPoints`. Fix WebURL.
Mouse stuck after closing NUI	NUI callback fetch failed before `SetNuiFocus(false)` was called	Already fixed in v1.0 — ensure you have the latest `client/main.lua`.
Balance shows — after restart	Balance not loaded until first ATM interaction	Already fixed in v1.0 — `fleeca:getBalance` fires on spawn and resource start.
Transaction history empty	Lua empty table encoded as `{}` (object) not `[]` (array)	Already fixed in v1.0 — `app.js` normalizes the response.
401 Unauthorized on all API calls	`FIVEM_SECRET` and `Config.SecretKey` don't match	Make both values identical in `config.php` and `config.lua`.
HTTP 500 on web dashboard	Orphan PHP variable from removed feature (e.g. IRS)	Ensure you are using the latest `dashboard.php` from the full package.
"Failed to fetch" in F8 console	`GetParentResourceName()` called incorrectly	Already fixed in v1.0 — uses `window.GetParentResourceName()` natively.

Fleeca Bank Documentation — v1.0 · Generated for production release