Kasada Token Solving
Bypass Kasada bot protection and generate valid tokens for protected web applications. Our solver replicates the Kasada client-side challenge execution flow and returns the cryptographic token required to access Kasada-protected endpoints.
Kasada is a modern bot protection platform used extensively by gaming, ticketing, and retail
organizations to prevent credential stuffing, scalping, and automated abuse. Kasada works by
loading an obfuscated JavaScript challenge (the Kasada SDK) that performs deep browser
environment interrogation, collecting signals about the runtime environment, hardware capabilities,
and behavioral patterns. The collected telemetry is encoded into a cryptographic payload and
submitted to Kasada's validation service. If validated, the site receives a time-limited token
(typically stored in the x-kpsdk-ct header or as a cookie) that authorizes
subsequent requests. Our solver executes this challenge in a fully instrumented browser
environment and returns a valid token along with the associated session cookies.
Captcha Type
Use the following captcha type identifier in your API requests:
"type": "KASADA_TOKEN"A valid proxy is required for Kasada token solving. Kasada embeds IP information into the cryptographic challenge token, so the token generated during solving is bound to the originating IP. If you submit the token from a different IP, Kasada's server-side validation will reject it. Use residential or mobile proxies for the best acceptance rates.
Request Format
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
auth.token |
string | required | Your API key |
captcha.type |
string | required | Must be "KASADA_TOKEN" |
captcha.metadata.siteUrl |
string | required | The full URL of the Kasada-protected page |
captcha.payload.cdnUrl |
string | optional | The URL of the Kasada SDK script. Found in the page source as a script tag loading from a Kasada CDN path (e.g., /149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js). |
captcha.payload.userAgent |
string | optional | Your browser user agent. Kasada embeds the user agent into its token — use a consistent, realistic value. |
captcha.payload.proxy |
object | required | Proxy configuration object. Required — Kasada tokens are IP-bound. |
captcha.payload.proxy.protocol |
string | required* | Proxy protocol: "http", "https", "socks4", or "socks5" |
captcha.payload.proxy.host |
string | required* | Proxy IP address or hostname |
captcha.payload.proxy.port |
number | required* | Proxy port number |
captcha.payload.proxy.username |
string | optional | Proxy authentication username |
captcha.payload.proxy.password |
string | optional | Proxy authentication password |
* Required only if the parent object (proxy) is provided
To find the Kasada SDK URL, view the HTML source of the protected page and look for a script
tag with a long UUID-style path. The path typically looks like
/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js.
This path is specific to each Kasada customer deployment. Providing it as cdnUrl
speeds up solving and improves compatibility.
Example Request
{
"auth": {
"token": "YOUR_API_KEY"
},
"context": {
"source": "api",
"version": "1.0.0"
},
"captcha": {
"type": "KASADA_TOKEN",
"metadata": {
"siteUrl": "https://example.com/protected-page"
},
"payload": {
"cdnUrl": "https://example.com/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"proxy": {
"protocol": "http",
"host": "1.2.3.4",
"port": 8080,
"username": "proxyuser",
"password": "proxypass"
}
}
}
}const response = await fetch('https://solver-api.mydisct.com/createTask', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
body: JSON.stringify({
auth: {
token: 'YOUR_API_KEY'
},
context: {
source: 'api',
version: '1.0.0'
},
captcha: {
type: 'KASADA_TOKEN',
metadata: {
siteUrl: 'https://example.com/protected-page'
},
payload: {
cdnUrl: 'https://example.com/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js',
userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
proxy: {
protocol: 'http',
host: '1.2.3.4',
port: 8080,
username: 'proxyuser',
password: 'proxypass'
}
}
}
})
});
const data = await response.json();
console.log('Task ID:', data.task.id);import requests
response = requests.post(
'https://solver-api.mydisct.com/createTask',
headers={
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
json={
'auth': {'token': 'YOUR_API_KEY'},
'context': {'source': 'api', 'version': '1.0.0'},
'captcha': {
'type': 'KASADA_TOKEN',
'metadata': {
'siteUrl': 'https://example.com/protected-page'
},
'payload': {
'cdnUrl': 'https://example.com/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js',
'userAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'proxy': {
'protocol': 'http',
'host': '1.2.3.4',
'port': 8080,
'username': 'proxyuser',
'password': 'proxypass'
}
}
}
}
)
data = response.json()
print('Task ID:', data['task']['id'])curl -X POST https://solver-api.mydisct.com/createTask \
-H "Content-Type: application/json" \
-H "apikey: YOUR_API_KEY" \
-d '{
"auth": {"token": "YOUR_API_KEY"},
"context": {"source": "api", "version": "1.0.0"},
"captcha": {
"type": "KASADA_TOKEN",
"metadata": {
"siteUrl": "https://example.com/protected-page"
},
"payload": {
"cdnUrl": "https://example.com/149e9513-01fa.../p.js",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"proxy": {
"protocol": "http",
"host": "1.2.3.4",
"port": 8080,
"username": "proxyuser",
"password": "proxypass"
}
}
}
}'Response Format
Create Task Response (Processing)
{
"success": true,
"service": "MyDisct Solver",
"message": "Captcha task created successfully",
"task": {
"id": "MyDisctSolver_abc123",
"status": "processing"
}
}Fetch Result Response (Completed)
{
"success": true,
"service": "MyDisct Solver",
"message": "Kasada challenge solved successfully",
"task": {
"id": "MyDisctSolver_abc123",
"status": "completed",
"result": {
"token": "x-kpsdk-ct:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890...",
"cookies": {
"x-kpsdk-ct": "AbCdEfGhIjKlMnOpQrStUvWxYz...",
"x-kpsdk-cd": "PqRsTuVwXyZaBcDeF..."
},
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"timestamp": "2025-10-10T12:00:00.000Z"
}
}
}Response Fields
| Field | Type | Description |
|---|---|---|
result.token |
string | The Kasada cryptographic challenge token. Pass this as the x-kpsdk-ct header value in protected requests. |
result.cookies |
object | Plain key-value object of session cookies set by the Kasada SDK. Each key is the cookie name and each value is the cookie value string. |
result.cookies["x-kpsdk-ct"] |
string | Kasada cryptographic challenge cookie. Must be sent as both a cookie and a request header. |
result.cookies["x-kpsdk-cd"] |
string | Kasada client data cookie. Must be included alongside x-kpsdk-ct. |
result.user_agent |
string | The exact user agent used during solving. Must be forwarded in all requests alongside the token and cookies. |
Kasada tokens are typically passed as the value of the x-kpsdk-ct request header.
Some sites also expect it as a cookie. Always also include the x-kpsdk-cd cookie
from the cookies object. Both values must be submitted together with the same user agent and
from the same IP address that was used during solving.
Implementation Guide
Complete JavaScript Implementation
async function solveKasadaToken(siteUrl, options = {}) {
const payload = {
userAgent: options.userAgent || 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
};
if (options.cdnUrl) payload.cdnUrl = options.cdnUrl;
if (options.proxy) payload.proxy = options.proxy;
const createResponse = await fetch('https://solver-api.mydisct.com/createTask', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
body: JSON.stringify({
auth: { token: 'YOUR_API_KEY' },
context: { source: 'api', version: '1.0.0' },
captcha: {
type: 'KASADA_TOKEN',
metadata: { siteUrl },
payload
}
})
});
const createData = await createResponse.json();
if (!createData.success) throw new Error(createData.error.message);
const taskId = createData.task.id;
while (true) {
await new Promise(resolve => setTimeout(resolve, 5000));
const resultResponse = await fetch('https://solver-api.mydisct.com/fetchResult', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'apikey': 'YOUR_API_KEY'
},
body: JSON.stringify({ taskId })
});
const resultData = await resultResponse.json();
if (resultData.task.status === 'completed') {
return resultData.task.result;
} else if (resultData.task.status === 'failed') {
throw new Error('Kasada token solving failed');
}
}
}
function buildCookieHeader(cookies) {
return Object.entries(cookies)
.map(([name, value]) => `${name}=${value}`)
.join('; ');
}
async function makeKasadaRequest(url, method, body, solverResult) {
const cookieHeader = buildCookieHeader(solverResult.cookies);
const kpsdkCt = solverResult.cookies['x-kpsdk-ct'] || solverResult.token;
const response = await fetch(url, {
method,
headers: {
'Content-Type': 'application/json',
'User-Agent': solverResult.user_agent,
'Cookie': cookieHeader,
'x-kpsdk-ct': kpsdkCt,
'Accept': 'application/json, text/plain, */*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br'
},
body: body ? JSON.stringify(body) : undefined
});
return response;
}
const kasadaResult = await solveKasadaToken('https://example.com/protected-page', {
cdnUrl: 'https://example.com/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js',
proxy: {
protocol: 'http',
host: '1.2.3.4',
port: 8080,
username: 'proxyuser',
password: 'proxypass'
}
});
const apiResponse = await makeKasadaRequest(
'https://example.com/api/checkout',
'POST',
{ item_id: '12345', quantity: 1 },
kasadaResult
);
console.log('API response status:', apiResponse.status);Python Implementation
import requests
import time
def solve_kasada_token(site_url, api_key, cdn_url=None, user_agent=None, proxy_config=None):
payload_data = {
'userAgent': user_agent or 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
}
if cdn_url:
payload_data['cdnUrl'] = cdn_url
if proxy_config:
payload_data['proxy'] = proxy_config
create_response = requests.post(
'https://solver-api.mydisct.com/createTask',
headers={
'Content-Type': 'application/json',
'apikey': api_key
},
json={
'auth': {'token': api_key},
'context': {'source': 'api', 'version': '1.0.0'},
'captcha': {
'type': 'KASADA_TOKEN',
'metadata': {'siteUrl': site_url},
'payload': payload_data
}
}
)
create_data = create_response.json()
if not create_data['success']:
raise Exception(create_data['error']['message'])
task_id = create_data['task']['id']
print(f'Task created: {task_id}')
while True:
time.sleep(5)
result_response = requests.post(
'https://solver-api.mydisct.com/fetchResult',
headers={
'Content-Type': 'application/json',
'apikey': api_key
},
json={'taskId': task_id}
)
result_data = result_response.json()
if result_data['task']['status'] == 'completed':
return result_data['task']['result']
elif result_data['task']['status'] == 'failed':
raise Exception('Kasada token solving failed')
print('Waiting for solution...')
def make_kasada_request(url, solver_result, method='GET', json_body=None):
cookies = solver_result['cookies']
kpsdk_ct = cookies.get('x-kpsdk-ct', solver_result.get('token', ''))
response = requests.request(
method,
url,
headers={
'User-Agent': solver_result['user_agent'],
'x-kpsdk-ct': kpsdk_ct,
'Content-Type': 'application/json',
'Accept': 'application/json, text/plain, */*',
'Accept-Language': 'en-US,en;q=0.5'
},
cookies=cookies,
json=json_body
)
return response
kasada_result = solve_kasada_token(
site_url='https://example.com/protected-page',
api_key='YOUR_API_KEY',
cdn_url='https://example.com/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/p.js',
proxy_config={
'protocol': 'http',
'host': '1.2.3.4',
'port': 8080,
'username': 'proxyuser',
'password': 'proxypass'
}
)
print(f'Token: {kasada_result["token"][:50]}...')
api_response = make_kasada_request(
'https://example.com/api/checkout',
kasada_result,
method='POST',
json_body={'item_id': '12345', 'quantity': 1}
)
print(f'API response: {api_response.status_code}')Best Practices
- Provide the SDK URL: Extract and provide the
cdnUrlvalue from the page source — it is unique to each Kasada deployment and ensures accurate solving - IP-Bound Tokens: Kasada tokens are cryptographically bound to the originating IP — always use the same proxy for generating the token and making all subsequent requests
- Residential Proxies: Kasada's risk scoring heavily penalizes datacenter IP ranges — use residential or mobile proxies for the best acceptance rates
- User Agent Consistency: The user agent is embedded in the Kasada token payload — always forward the exact
user_agentfrom the result - Include All Cookies: Forward both
x-kpsdk-ctandx-kpsdk-cdcookies along with the token header - Token Expiry: Kasada tokens have a short validity window (typically a few minutes). If a request fails with 429 or 403, generate a fresh token
- Avoid Reuse Across Sessions: Do not reuse a Kasada token for more requests than it was designed for — each token typically covers a single action or a limited session
Common Issues
Solution: Confirm that the same proxy IP is used for both token generation and
the request. Also verify that the x-kpsdk-ct header is being sent and that the
user_agent from the result matches the request headers exactly.
Solution: Provide the cdnUrl parameter. Without it, the solver
must discover the correct Kasada SDK URL from the page, which adds extra time. Extracting and
providing the URL directly reduces solving time significantly.
Solution: Kasada maintains extensive IP reputation databases. Datacenter IPs are pre-flagged in many deployments. Switch to residential or mobile proxies.