Flow 1: Initial Block Page
This flow applies to websites like Hyatt.com where Kasada blocks you immediately when you first access the site with a 429 status code.
Overview
When you make your first GET request to the website, you'll receive a 429 status code with an HTML response containing a Kasada script reference. You must solve this challenge before you can access any content on the site.
Initial Request
The response will be a 429 status code with HTML that looks like this:
<!DOCTYPE html>
<html>
<head></head>
<body>
<script>window.KPSDK={};KPSDK.now=typeof performance!=='undefined'&&performance.now?performance.now.bind(performance):Date.now.bind(Date);KPSDK.start=KPSDK.now();</script>
<script src="/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/ips.js?tkrm_alpekz_s1.3=0ZhprgzXdlDhhn0esTCQPfWjA2AeaGW50gpHSJVGSjRUPSrKJRQmsSZjTK8HhAmopVcLq2dfwum0SJmpM0Kz5j2DupTTI4OB1PLl7dhhJIVFAKsCsEoeL4hVm2tQjyFkyPUu42RgZ0dutvGd2xxDbpRLCWjV9MlMysNPzGvUTyg8CBX&x-kpsdk-im=AAIHh6ySRFXhFWAJcYSdsr-BStey6j5sKkK9HXfcJJ2BnB2_eCdWiiJjVu0OEOBEhsIFyZ4CgRIcu6EDyMf-WS88HRSC8PKJm2lZpq0ZTummEHy855H_HBuLSiiUmGQSiPUbJ74rXDFbWw"></script>
</body>
</html>Step 1: Parse the Script Path
You need to extract the script path from the HTML response. The script URL will look like:
/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/ips.js?...You can parse this using our SDKs:
scriptPath, err := kasada.ParseScriptPath(reader)
if err != nil {
// Handle the error
}
// scriptPath will look like: /149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/ips.js?...Step 2: Fetch the ips.js Script
Make a GET request to the script path you parsed. Make sure to:
Use the full URL:
https://www.example.com{scriptPath}Match browser headers exactly
Maintain the same header order as Chrome
Save the JavaScript response body as you'll need it for the next step.
Step 3: Generate Payload via API
Now you'll use the Hyper Solutions API to generate the payload and headers needed for the /tl request.
Refer to the Kasada and the SDK documentation for accurate fields.
payload, headers, err := session.GenerateKasadaPayload(ctx, &hyper.KasadaPayloadInput{
// Kasada payload configuration
})
if err != nil {
// Handle the error
}
// payload and headers are ready for the /tl requestThe payload returned by the API is base64-encoded. You must decode it before posting to /tl.
Step 4: POST to /tl Endpoint
POST the decoded payload to the /tl endpoint:
https://www.example.com/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/tlCritical requirements:
Content-Type must be
application/octet-streamInclude all headers returned by the API (
x-kpsdk-im,x-kpsdk-ct,x-kpsdk-dt)Match browser header order exactly
POST the decoded (binary) payload
Step 5: Parse /tl Response
A successful response will return 200 status code with:
Response body:
{
"reload": true
}Critical response headers to save:
x-kpsdk-ct: Token for subsequent requests (also in cookies)x-kpsdk-st: Timestamp value needed for generating POW (x-kpsdk-cd) headersset-cookie: Kasada cookies (e.g.,tkrm_alpekz_s1.3,tkrm_alpekz_s1.3-ssn)
Example response headers:
x-kpsdk-ct: 02Rrkf95YyBbq2lGyws6SFVp...
x-kpsdk-st: 1759149934586
set-cookie: tkrm_alpekz_s1.3=02Rrkf95YyBbq2lGyws6SFVp...; Max-Age=86400; Path=/; HttpOnly
set-cookie: tkrm_alpekz_s1.3-ssn=02Rrkf95YyBbq2lGyws6SFVp...; Max-Age=86400; Path=/; HttpOnly; Secure; SameSite=NoneStep 6: Retry Original Request
Now retry your original request to the website with the Kasada cookies. The site should no longer serve you a 429 block page.
Make sure to:
Include all Kasada cookies in your request
Maintain proper headers and header order
Summary
The complete flow:
✅ Initial GET → Receive 429 with block page
✅ Parse script path from HTML
✅ GET request to ips.js script
✅ Generate payload via Hyper Solutions API
✅ POST decoded payload to /tl endpoint
✅ Parse response headers and cookies
✅ Retry original request with cookies
You have now successfully bypassed Kasada's initial block page challenge!
Last updated