Getting started
This page covers the different Kasada implementation flows you may encounter.
If you're already familiar with Kasada and wish to implement the API handling yourself, you can skip this and head directly to the API Reference.
Understanding Kasada Flows
Kasada can be implemented in two different ways depending on the website. It's important to identify which flow you're dealing with:
Flow 1: Initial Block Page (429 on Homepage)
Some sites, like Hyatt.com, serve a Kasada challenge immediately when you first access the website. You'll receive a 429 status code with an HTML block page containing a reference to the ips.js script.
Identifying characteristics:
First GET request to the website returns 429 status code
Response body contains:
<script src="/149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/ips.js?..."></script>
You must solve the challenge before accessing any content on the site
When to use this flow:
Site blocks you immediately on homepage access
You see 429 status code with Kasada script reference
Site reloads after posting to /tl
Flow 2: Fingerprint Endpoint (/fp)
Most sites implement Kasada by having the browser make a request to the /fp (fingerprint) endpoint in the background. This is the standard Kasada implementation.
Identifying characteristics:
Browser makes GET request to /149e9513-01fa-4fb0-aad4-566afd725d1b/2d206a39-8ed7-437e-a3be-862e0f06eea3/fp
This request returns 429 with the ips.js script reference
You can often access the site initially, but need to solve Kasada for protected endpoints
May require x-kpsdk-cd header on subsequent requests
When to use this flow:
You can access the homepage but get challenged on specific endpoints
Browser makes background request to /fp endpoint
You need to maintain x-kpsdk-ct token for ongoing requests
Next Steps
Choose the appropriate flow based on what you observe:
Getting 429 immediately on homepage? → Flow 1: Initial Block Page
Browser making /fp requests? → Flow 2: Fingerprint Endpoint
Both flows share the same core process of fetching the script, generating a payload, and posting to /tl. The main difference is when and where the challenge is triggered.