Payloads + proof of work + BotID

Bypass Kasada Protection with a single API call

Generate valid /tl payloads, proof of work values, and Vercel BotID headers, all via simple API calls, no browser.

solve_kasada.py
from hyper_sdk import Session, KasadaPayloadInput

session = Session(api_key="your-api-key")

# Parse the 429 challenge, generate the /tl payload
result = session.generate_kasada_payload(
    KasadaPayloadInput(
        script=kasada_script,
        ips_link=ips_link,
        user_agent=ua,
        ip=proxy_ip,
        accept_language="en-US,en;q=0.9",
    )
)

tl_response = client.post(
    "https://www.target.com/tl",
    data=result.payload,
    headers=result.headers,
)

# read x-kpsdk-st and x-kpsdk-ct, then generate cd
200 OK · x-kpsdk valid · generated in 8ms

<10ms: Payload generation
1B+: Requests served / month
Auto: Updated on every Kasada release
<12h: Engineer support response

Understanding the challenge

What is Kasada protection?

Kasada is an advanced anti-bot system built around heavy client-side JavaScript and per-request proof of work. It fingerprints the runtime, demands signed x-kpsdk tokens, and re-challenges constantly.

Why it's hard to bypass

Kasada combines an obfuscated VM-style script with proof of work that changes on every request. Re-implementing it by hand breaks the moment Kasada ships a new build, and running the real script needs a full browser: slow, heavy and easy to fingerprint.

Our API generates the /tl payload, the x-kpsdk-cd proof of work value, and the BotID x-is-human value from simple HTTP calls. You send the script and session context, we return what you need.

Protection mechanisms

429 initial challenge

The first request returns a 429 carrying the ips.js script. Nothing works until you execute and post a valid payload.

x-kpsdk-ct token

Kasada expects a signed token. Missing, stale, or incorrectly bound tokens are rejected.

Proof of work

Protected requests need a fresh x-kpsdk-cd proof of work value computed from the current challenge.

TLS & header-order validation

JA3/JA4 and header ordering are checked alongside the JavaScript proof.

The traditional approach

Headless browsers & Puppeteer

Run the full ips.js VM in a real browser per session
Recompute proof of work in-browser on every request
Constantly patched as Kasada detects automation
Slow, memory-hungry and hard to scale
VS
The Hyper Solutions approach

One unified API call

Sub-10ms payload generation from the page script
Instant proof of work for the x-kpsdk-cd header
Vercel BotID x-is-human generation included
Auto-updated by our team on every Kasada release
Full coverage

Every Kasada challenge, one API

Payload Generation

Core
POST /payload
429 challenge -> 200 OK
What it is

The core Kasada flow. The first request returns a 429 carrying the script and IPS link; Kasada expects a valid payload posted to /tl before it trusts you.

When it is triggered

On the first request to any Kasada-protected route. The 429 with a script reference and IPS link is the tell.

How our API solves it

Send userAgent, script, ipsLink, ip and acceptLanguage to the API. We return the payload and headers for the target /tl POST.

payload.py
result = session.generate_kasada_payload(
    KasadaPayloadInput(
        user_agent=ua,
        script=kasada_script,
        ips_link=ips_link,
        ip=proxy_ip,
        accept_language="en-US,en;q=0.9",
    )
)
client.post("/tl", data=result.payload, headers=result.headers)
Returns: payload, headers

The workflow

How the bypass works

Generate the /tl payload first, then generate proof of work whenever a protected request needs a fresh x-kpsdk-cd. Most developers integrate in under 30 minutes.

01 · Resolve the 429 challenge

Make the initial request and receive a 429 response carrying the script reference and IPS link.

GET target -> 429 + ipsLink

02 · Fetch the script

Parse the page for the script path, keep the ipsLink, and fetch the obfuscated JavaScript challenge content.

session.parse_kasada_script_path(html)

03 · Generate payload via our API

Send userAgent, script, ipsLink, ip and acceptLanguage to /payload. It returns the target /tl payload and headers.

session.generate_kasada_payload(...)

04 · POST to /tl and generate cd

Submit the payload to /tl, read x-kpsdk-st and x-kpsdk-ct, then call /cd for a fresh x-kpsdk-cd value.

POST /tl -> POST /cd

request timeline · kasada token validation

you   -> GET https://www.target.com/
site  <- 429 challenge · script reference + ipsLink
you   -> GET Kasada script and keep ipsLink
site  <- 200 · obfuscated Kasada script
you   -> POST Hyper API · /payload · userAgent + script + ipsLink + ip + acceptLanguage
hyper <- 200 · payload + headers · 8ms
         (1 · payload API round trip · <10ms)
you   -> POST /tl with payload + returned headers
site  <- 200 · x-kpsdk-st + x-kpsdk-ct returned
you   -> POST Hyper API · /cd · st + ct + domain
hyper <- 200 · payload · x-kpsdk-cd
         (2 · proof of work API round trip)
you   -> GET protected route with x-kpsdk-ct + x-kpsdk-cd
site  <- 200 OK · request allowed

Full walkthrough with code in every SDK -> examples repo
The case for an API

API vs browser automation

Headless browsers can technically run Kasada's VM until the next build, or until proof of work overhead crushes throughput. Here's how a managed API compares on the metrics teams actually feel.

| Metric | Hyper Solutions | Puppeteer / Playwright |
| --- | --- | --- |
| Payload generation | <10ms | 5-9 seconds |
| Proof of work | <1 ms | 100-300 ms |
| Memory usage | <1 MB per call | 200-500 MB per session |
| Maintenance | Zero, auto-updated by our team | Breaks on every Kasada build |
| Detection rate | Low, native header generation | High, framework fingerprinted |
| Scalability | Millions of solves, horizontally | Hundreds of concurrent solves |

* Performance comparison based on real-world testing of airline award availability scraping. Browser automation metrics include full page loads with all resources. Results may vary based on target website, network conditions, and implementation.
Pricing

Pay for requests, not browsers

One account covers Akamai, Kasada, DataDome and Incapsula. Start self-serve, then move to a monthly bundle for a lower per-request rate. Every challenge type is included on every plan.

Pay as you go

Self-serve. Top up a balance and pay only for the requests you generate.

€3 / 1k requests
flat rate · every Kasada challenge
All four products and every challenge type
Payloads, proof of work and BotID included
Auto-updated against every Kasada release
Sub-10ms payload generation
Community Discord support
Integration support not included
Most popular
Subscription

A monthly request bundle with the best per-request rate. Pick the volume that fits.

350 / month · 250K requests
about €0.0014 per request
Everything in pay as you go, plus
250K requests / month included
Lower per-request rate at higher volume
Direct support from the engineers
Migration help from your old stack
Enterprise

Committed-use volume pricing with a direct line to the founding team.

Custom
Let's talk volume
Volume and committed-use pricing
Contractual SLAs, open to your terms
Mutual NDA (MNDA) standard
Dedicated Slack channel with our team
Auto-updated against every Kasada release
Integration support is included with every Subscription and Enterprise plan, and pay-as-you-go is self-serve. Need more than 1M requests a month? Talk to sales.
Deep dive

Outputs & example payloads

What the API returns, what the target server validates, and exactly what a Kasada token request and response look like on the wire.

Fields and where they come from
userAgent (you provide): The browser user-agent used for the target request and payload submission.

script (you provide): The Kasada script content fetched from the target page.

ipsLink (parsed): The IPS link obtained from the Kasada block page. Required for /payload.

ip (you provide): The IP used to post sensor data to the target site. It must match the target request egress IP.

acceptLanguage (you provide): The Accept-Language header from the same session.

st (server-set): Timestamp from the x-kpsdk-st response header of the /tl request. Required for /cd.

ct (server-set): Value from the x-kpsdk-ct response header of the /tl request. Required for /cd.

domain (you provide): The domain of the p.js URL. Required for /cd.

workTime (optional): Custom workTime value when generating proof of work in advance.

fc (optional): Only used on specific sites that make a GET request to /mfc.

POST https://kasada.hypersolutions.co/payload

{
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
  "script": "function ...",
  "ipsLink": "https://www.target.com/ips.js?...",
  "ip": "203.0.113.10",
  "acceptLanguage": "en-US,en;q=0.9"
}
SDKs

In your language.

MIT-licensed, on npm / PyPI / GitHub. Challenge parsing, payload generation, proof of work, and BotID support in every SDK, or skip them and hit the HTTP API directly.

Node: npm i hyper-sdk-js
Python: pip install hyper-sdk
Go: go get github.com/Hyper-Solutions/hyper-sdk-go/v2
FAQ

Kasada bypass questions

Anything not covered here, including whether your exact target is supported, gets a faster answer in Discord than anywhere else.

Make one request and look at the response. A 429 carrying a script reference and IPS link means the classic x-kpsdk flow. BotID-specific challenge headers from Vercel mean you also need the BotID endpoint.
Yes. The x-kpsdk-cd proof of work value is single-use. Call /cd with st, ct and domain rather than reusing a value.
The /tl endpoint is where you submit the payload and headers returned by /payload. Its response gives you x-kpsdk-st and x-kpsdk-ct, which are used to generate x-kpsdk-cd through /cd.
Vercel BotID is a deep bot-protection product powered by Kasada. If you see BotID challenge headers, send userAgent, script, ip and acceptLanguage to /botid and attach the returned x-is-human value.
Yes. The API targets Kasada itself rather than any single site, so it works across retail, ticketing, travel and finance targets. New Kasada releases are covered automatically by our update pipeline.
Usual culprits are a reused x-kpsdk-cd, an IP mismatch, or a rotated user-agent. Keep proof of work fresh and match the IP and UA you generated with.

Ready to bypass Kasada protection?

Drop in an official SDK and clear your first challenge in minutes. Pay-as-you-go to start, with subscription bundles when you scale.

self-serve · pay per call · no minimums