Imperva Token Solving
Bypass Imperva Incapsula anti-bot protections and obtain valid clearance cookies for protected web endpoints. Our solver handles the full JavaScript challenge execution and browser fingerprinting verification flow, returning cookies that are ready to use in subsequent requests.
Imperva (formerly known as Incapsula) is an enterprise-grade web application firewall that uses
multi-layered JavaScript challenge execution and browser fingerprinting to detect and block automated
traffic. When a visitor fails these checks, Imperva serves a challenge page and withholds access to the
protected resource. Our solver executes the full Imperva challenge flow in a real browser environment,
including the reese84 sensor data generation and session cookie initialization, and returns
all resulting cookies as a plain key-value object. These cookies must be forwarded exactly as received
to gain access to the protected site.
Captcha Type
Use the following captcha type identifier in your API requests:
"type": "IMPERVA_TOKEN"Using a proxy is strongly recommended for Imperva solving. Imperva tracks IP reputation and request patterns across sessions. Solving the challenge from a datacenter IP while making requests from a different IP will result in immediate re-challenges. Use the same residential or ISP proxy for both the solving request and all subsequent requests to the protected site.
Request Format
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
auth.token |
string | required | Your API key |
captcha.type |
string | required | Must be "IMPERVA_TOKEN" |
captcha.metadata.siteUrl |
string | required | The full URL of the page protected by Imperva |
captcha.payload.incapsulaScriptUrl |
string | optional | The URL of the Imperva JavaScript challenge script (typically contains _Incapsula_Resource in the path). Providing this accelerates the solving process. |
captcha.payload.incapsulaCookie |
string | optional | Initial Incapsula session cookies received from the server on the first blocked request. Pass these to improve solving accuracy. |
captcha.payload.reese84Endpoint |
string | optional | The endpoint URL where the site sends reese84 sensor data. Found in network traffic as a POST request containing encoded browser telemetry. |
captcha.payload.userAgent |
string | optional | Your browser user agent string. Using your actual user agent ensures the solved cookies are compatible with your session. |
captcha.payload.proxy |
object | recommended | Proxy configuration object. Highly recommended for Imperva solving — the solved cookies are tied to the proxy IP. |
captcha.payload.proxy.protocol |
string | required* | Proxy protocol: "http", "https", "socks4", or "socks5" |
captcha.payload.proxy.host |
string | required* | Proxy IP address or hostname |
captcha.payload.proxy.port |
number | required* | Proxy port number |
captcha.payload.proxy.username |
string | optional | Proxy authentication username |
captcha.payload.proxy.password |
string | optional | Proxy authentication password |
* Required only if the parent object (proxy) is provided
To find the incapsulaScriptUrl and reese84Endpoint values, open your
browser developer tools and visit the protected page. In the Network tab, look for requests
containing _Incapsula_Resource in their URL (this is the script URL) and POST
requests with encoded sensor data payloads (this is the reese84 endpoint). Providing these
values significantly improves solving reliability.
Example Request
{
"auth": {
"token": "YOUR_API_KEY"
},
"context": {
"source": "api",
"version": "1.0.0"
},
"captcha": {
"type": "IMPERVA_TOKEN",
"metadata": {
"siteUrl": "https://example.com/protected-page"
},
"payload": {
"incapsulaScriptUrl": "https://example.com/_Incapsula_Resource?SWJIYLWA=5022&__vtrv=1",
"reese84Endpoint": "https://example.com/api/r/d",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"proxy": {
"protocol": "http",
"host": "1.2.3.4",
"port": 8080,
"username": "proxyuser",
"password": "proxypass"
}
}
}
}const response = await fetch('https://solver-api.mydisct.com/createTask', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
body: JSON.stringify({
auth: {
token: 'YOUR_API_KEY'
},
context: {
source: 'api',
version: '1.0.0'
},
captcha: {
type: 'IMPERVA_TOKEN',
metadata: {
siteUrl: 'https://example.com/protected-page'
},
payload: {
incapsulaScriptUrl: 'https://example.com/_Incapsula_Resource?SWJIYLWA=5022&__vtrv=1',
reese84Endpoint: 'https://example.com/api/r/d',
userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
proxy: {
protocol: 'http',
host: '1.2.3.4',
port: 8080,
username: 'proxyuser',
password: 'proxypass'
}
}
}
})
});
const data = await response.json();
console.log('Task ID:', data.task.id);import requests
response = requests.post(
'https://solver-api.mydisct.com/createTask',
headers={
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
json={
'auth': {'token': 'YOUR_API_KEY'},
'context': {'source': 'api', 'version': '1.0.0'},
'captcha': {
'type': 'IMPERVA_TOKEN',
'metadata': {
'siteUrl': 'https://example.com/protected-page'
},
'payload': {
'incapsulaScriptUrl': 'https://example.com/_Incapsula_Resource?SWJIYLWA=5022&__vtrv=1',
'reese84Endpoint': 'https://example.com/api/r/d',
'userAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'proxy': {
'protocol': 'http',
'host': '1.2.3.4',
'port': 8080,
'username': 'proxyuser',
'password': 'proxypass'
}
}
}
}
)
data = response.json()
print('Task ID:', data['task']['id'])curl -X POST https://solver-api.mydisct.com/createTask \
-H "Content-Type: application/json" \
-H "apikey: YOUR_API_KEY" \
-d '{
"auth": {"token": "YOUR_API_KEY"},
"context": {"source": "api", "version": "1.0.0"},
"captcha": {
"type": "IMPERVA_TOKEN",
"metadata": {
"siteUrl": "https://example.com/protected-page"
},
"payload": {
"incapsulaScriptUrl": "https://example.com/_Incapsula_Resource?SWJIYLWA=5022",
"reese84Endpoint": "https://example.com/api/r/d",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"proxy": {
"protocol": "http",
"host": "1.2.3.4",
"port": 8080,
"username": "proxyuser",
"password": "proxypass"
}
}
}
}'Response Format
Create Task Response (Processing)
{
"success": true,
"service": "MyDisct Solver",
"message": "Captcha task created successfully",
"task": {
"id": "MyDisctSolver_abc123",
"status": "processing"
}
}Fetch Result Response (Processing)
{
"success": true,
"service": "MyDisct Solver",
"message": "Captcha is being processed",
"task": {
"id": "MyDisctSolver_abc123",
"status": "processing"
}
}Fetch Result Response (Completed)
{
"success": true,
"service": "MyDisct Solver",
"message": "Imperva challenge solved successfully",
"task": {
"id": "MyDisctSolver_abc123",
"status": "completed",
"result": {
"token": "PqRsTuVwXyZaBcDeF...",
"cookies": {
"reese84": "3:AbCdEfGhIjKlMnOpQrStUvWxYz...",
"incap_ses_1234_5678": "XyZaBcDeFgHiJkLmNo...",
"visid_incap_5678": "PqRsTuVwXyZaBcDeF...",
"_raw_cookie_string": "reese84=3:AbCdEfGhIjKlMnOpQrStUvWxYz...;incap_ses_1234_5678=XyZaBcDeFgHiJkLmNo..."
},
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"timestamp": "2025-10-10T12:00:00.000Z"
}
}
}Response Fields
| Field | Type | Description |
|---|---|---|
result.token |
string | The primary Imperva clearance value — the visid_incap_* cookie value extracted for quick access. |
result.cookies |
object | Plain key-value object of all browser cookies captured during the Imperva challenge bypass. Each key is the cookie name and each value is the cookie value string. Also contains a _raw_cookie_string field with all cookies pre-formatted as a ready-to-use Cookie header value. |
result.cookies.reese84 |
string | Primary Imperva clearance cookie containing encoded browser telemetry. Required for access to the protected resource. |
result.cookies.incap_ses_* |
string | Imperva session identifier cookie. The key name varies per site and session. |
result.cookies.visid_incap_* |
string | Imperva visitor identifier cookie. The key name varies per site. |
result.cookies._raw_cookie_string |
string | Convenience field containing all captured cookies pre-formatted as a Cookie header string (e.g. reese84=...;incap_ses_1234_5678=...). Can be used directly as the value of the Cookie HTTP header. |
result.user_agent |
string | The exact user agent used during challenge solving. Must be used in all subsequent requests alongside the cookies. |
Imperva uses multiple cookies together to maintain session trust. The reese84 cookie
contains encoded browser telemetry and is the primary clearance credential. The
incap_ses_* cookies are session identifiers and must be renewed periodically. The
visid_incap_* cookie is a visitor identifier. All of these must be included in
your requests — omitting any one of them can trigger a new challenge.
Implementation Guide
Step 1: Detect Imperva Challenge
function isImpervaChallenge(responseStatus, responseBody, responseHeaders) {
const xIidHeader = responseHeaders.get('x-iinfo');
const serverHeader = responseHeaders.get('server') || '';
if (xIidHeader || serverHeader.toLowerCase().includes('incapsula')) {
return true;
}
if (responseStatus === 403 || responseStatus === 200) {
return (
responseBody.includes('_Incapsula_Resource') ||
responseBody.includes('incapsula') ||
responseBody.includes('reese84') ||
responseBody.includes('visid_incap')
);
}
return false;
}
async function checkForImpervaChallenge(url) {
const response = await fetch(url);
const body = await response.text();
if (isImpervaChallenge(response.status, body, response.headers)) {
console.log('Imperva challenge detected at:', url);
return true;
}
return false;
}Step 2: Solve Imperva Challenge
async function solveImpervaChallenge(siteUrl, options = {}) {
const payload = {
userAgent: options.userAgent || 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
};
if (options.incapsulaScriptUrl) payload.incapsulaScriptUrl = options.incapsulaScriptUrl;
if (options.reese84Endpoint) payload.reese84Endpoint = options.reese84Endpoint;
if (options.incapsulaCookie) payload.incapsulaCookie = options.incapsulaCookie;
if (options.proxy) payload.proxy = options.proxy;
const createResponse = await fetch('https://solver-api.mydisct.com/createTask', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
body: JSON.stringify({
auth: { token: 'YOUR_API_KEY' },
context: { source: 'api', version: '1.0.0' },
captcha: {
type: 'IMPERVA_TOKEN',
metadata: { siteUrl },
payload
}
})
});
const createData = await createResponse.json();
if (!createData.success) throw new Error(createData.error.message);
const taskId = createData.task.id;
while (true) {
await new Promise(resolve => setTimeout(resolve, 5000));
const resultResponse = await fetch('https://solver-api.mydisct.com/fetchResult', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
body: JSON.stringify({ taskId })
});
const resultData = await resultResponse.json();
if (resultData.task.status === 'completed') {
return resultData.task.result;
} else if (resultData.task.status === 'failed') {
throw new Error('Imperva challenge solving failed');
}
}
}
const result = await solveImpervaChallenge('https://example.com/protected-page', {
incapsulaScriptUrl: 'https://example.com/_Incapsula_Resource?SWJIYLWA=5022&__vtrv=1',
reese84Endpoint: 'https://example.com/api/r/d',
proxy: {
protocol: 'http',
host: '1.2.3.4',
port: 8080,
username: 'proxyuser',
password: 'proxypass'
}
});
console.log('Cookies received:', Object.keys(result.cookies));
console.log('User agent:', result.user_agent);Step 3: Make Requests with Imperva Cookies
function buildCookieHeader(cookies) {
return Object.entries(cookies)
.map(([name, value]) => `${name}=${value}`)
.join('; ');
}
async function makeRequestWithImpervaClearance(url, clearanceResult) {
const cookieHeader = buildCookieHeader(clearanceResult.cookies);
const response = await fetch(url, {
headers: {
'User-Agent': clearanceResult.user_agent,
'Cookie': cookieHeader,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Connection': 'keep-alive'
}
});
return response;
}
const clearanceResult = await solveImpervaChallenge('https://example.com/protected-page', {
incapsulaScriptUrl: 'https://example.com/_Incapsula_Resource?SWJIYLWA=5022',
proxy: {
protocol: 'http',
host: '1.2.3.4',
port: 8080,
username: 'proxyuser',
password: 'proxypass'
}
});
const protectedResponse = await makeRequestWithImpervaClearance(
'https://example.com/api/data',
clearanceResult
);
console.log('Status:', protectedResponse.status);Python Example
import requests
import time
def solve_imperva_challenge(site_url, api_key, incapsula_script_url=None,
reese84_endpoint=None, incapsula_cookie=None,
proxy_config=None):
payload_data = {
'userAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
}
if incapsula_script_url:
payload_data['incapsulaScriptUrl'] = incapsula_script_url
if reese84_endpoint:
payload_data['reese84Endpoint'] = reese84_endpoint
if incapsula_cookie:
payload_data['incapsulaCookie'] = incapsula_cookie
if proxy_config:
payload_data['proxy'] = proxy_config
create_response = requests.post(
'https://solver-api.mydisct.com/createTask',
headers={
'Content-Type': 'application/json',
'apikey': api_key
},
json={
'auth': {'token': api_key},
'context': {'source': 'api', 'version': '1.0.0'},
'captcha': {
'type': 'IMPERVA_TOKEN',
'metadata': {'siteUrl': site_url},
'payload': payload_data
}
}
)
create_data = create_response.json()
if not create_data['success']:
raise Exception(create_data['error']['message'])
task_id = create_data['task']['id']
print(f'Task created: {task_id}')
while True:
time.sleep(5)
result_response = requests.post(
'https://solver-api.mydisct.com/fetchResult',
headers={
'Content-Type': 'application/json',
'apikey': api_key
},
json={'taskId': task_id}
)
result_data = result_response.json()
if result_data['task']['status'] == 'completed':
return result_data['task']['result']
elif result_data['task']['status'] == 'failed':
raise Exception('Imperva challenge solving failed')
print('Waiting for solution...')
def make_request_with_imperva_clearance(url, clearance_result):
cookies = clearance_result['cookies']
response = requests.get(
url,
headers={
'User-Agent': clearance_result['user_agent'],
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5'
},
cookies=cookies
)
return response
clearance_result = solve_imperva_challenge(
site_url='https://example.com/protected-page',
api_key='YOUR_API_KEY',
incapsula_script_url='https://example.com/_Incapsula_Resource?SWJIYLWA=5022',
reese84_endpoint='https://example.com/api/r/d',
proxy_config={
'protocol': 'http',
'host': '1.2.3.4',
'port': 8080,
'username': 'proxyuser',
'password': 'proxypass'
}
)
print(f'Cookies received: {list(clearance_result["cookies"].keys())}')
print(f'User agent: {clearance_result["user_agent"]}')
protected_response = make_request_with_imperva_clearance(
'https://example.com/api/data',
clearance_result
)
print(f'Protected page status: {protected_response.status_code}')Best Practices
- Provide Script URL: Always include the
incapsulaScriptUrlwhen you can extract it — it significantly improves solving success rate and speed - Provide reese84 Endpoint: Supplying the
reese84Endpointallows the solver to replicate the sensor data submission flow accurately - IP Consistency: Use the same proxy for both solving and all subsequent requests — Imperva ties cookies to the originating IP
- User Agent Forwarding: Always forward the exact
user_agentfrom the result — never substitute it with your own - All Cookies Required: Include every cookie from the returned object —
reese84,incap_ses_*, andvisid_incap_*all need to be present - Residential Proxies: Use residential or ISP proxies for Imperva solving — datacenter IPs are often pre-blocked by Imperva
- Cookie Refresh: Imperva session cookies expire. If a challenge reappears after some time, re-solve to get fresh cookies
- Polling Interval: Use 5-second polling intervals — Imperva challenges typically take 10 to 30 seconds to complete
Common Issues
Solution: Verify that you are using the same proxy IP for requests as the one used
during solving. Also ensure all cookies from the object are included — not just reese84.
Missing any cookie causes Imperva to re-challenge the session.
Solution: Try providing the incapsulaScriptUrl and
reese84Endpoint parameters. These values give the solver the information it needs
to complete the challenge accurately. Extract them by inspecting the network traffic of the
protected page in your browser.
Solution: Imperva maintains IP reputation databases and often pre-blocks known datacenter IP ranges. Switch to residential or ISP proxies for significantly better success rates with Imperva-protected sites.
Solution: Imperva incap_ses_* cookies have short lifespans and are
tied to active sessions. Implement a cookie refresh mechanism that re-solves the challenge when
a 403 response is received, then retries the original request with the new cookies.