Getting started

This page covers the different Kasada implementation flows you may encounter.

If you're already familiar with Kasada and wish to implement the API handling yourself, you can skip this and head directly to the API Reference.

As with any other antibot, make sure you use a working TLS client that mimics the latest version of Google Chrome, match the headers and header-order 1:1 with browser and make sure you are using an up-to-date User-Agent.

Understanding Kasada Flows

Kasada can be implemented in two different ways depending on the website. It's important to identify which flow you're dealing with:

Flow 1: Initial Block Page (429 on Homepage)

Some sites, like Hyatt.com, serve a Kasada challenge immediately when you first access the website. You'll receive a 429 status code with an HTML block page containing a reference to the ips.js script.

Identifying characteristics:

First GET request to the website returns 429 status code
Response body contains: <script src="/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/ips.js?..."></script>
You must solve the challenge before accessing any content on the site

When to use this flow:

Site blocks you immediately on homepage access
You see 429 status code with Kasada script reference
Site reloads after posting /tl

Read the detailed guide →

Flow 2: Fingerprint Endpoint (/fp)

Most sites implement Kasada by having the browser make a request to the /fp (fingerprint) endpoint in the background. This is the standard Kasada implementation.

Identifying characteristics:

Browser makes GET request to /149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/fp
This request returns 429 with the ips.js script reference
You can often access the site initially, but need to solve Kasada for protected endpoints
May require x-kpsdk-cd header on subsequent requests

When to use this flow:

You can access the homepage but get challenged on specific endpoints
Browser makes background request to /fp endpoint
You need to maintain x-kpsdk-ct token for ongoing requests

Read the detailed guide →

Next Steps

Choose the appropriate flow based on what you observe:

Getting 429 immediately on homepage? → Flow 1: Initial Block Page
Browser making /fp requests? → Flow 2: Fingerprint Endpoint

Both flows share the same core process of fetching the script, generating a payload, and posting to /tl. The main difference is when and where the challenge is triggered.

Complete Example

For a full working implementation with proper TLS client setup, header ordering, and cookie handling, see our examples repository:

GitHub - Hyper-Solutions/hypersolutions-examples: Hyper Solutions SDK Examples — Working code examples in Go, Python, and Node.js for integrating the Hyper Solutions API to automate bot protection challenges (Akamai, DataDome, Incapsula, Kasada) with browser-accurate TLS and HTTP fingerprinting.GitHub

PreviousInterstitial NextFlow 1: Initial Block Page

Last updated 4 months ago