Why is the User-Agent returned alongside the cookies?

_abck and bm_sz are cryptographically tied to the User-Agent used during generation — a single mismatch invalidates the cookie on the very next request. Always pair the returned cookies with the returned UA in your subsequent HTTP requests.

How long does the _abck cookie last?

Akamai sessions are typically valid for 30-60 minutes of active use. Cookies invalidate sooner if you switch IP, switch User-Agent, or trigger any of bmak's re-validation triggers.

Should I use ProxyLess or the proxied variant?

Use the proxied variant in nearly all real-world cases — your subsequent requests will come from a specific IP, and the _abck cookie is IP-bound, so it must be generated from that same IP.

What's the difference between this and Akamai BMP (Mobile)?

This page covers the desktop / browser variant (_abck cookie via bmak JS bundle). Akamai BMP (Mobile) covers native iOS/Android apps that emit X-acf-sensor-data as an HTTP header instead of a cookie — different solver (AntiAkamaiBMPTask), different price ($0.003 vs $0.05).

I used to use AntiAkamaiBMPTask for desktop sites — what changed?

On 2026-06-09 the AntiAkamaiBMPTask name was reclaimed for the actual mobile BMP solver (matches industry naming — BMP is Akamai's mobile SDK). If you were using AntiAkamaiBMPTask against desktop sites (the historical misnaming), switch to AntiAkamaiWebTask — the implementation is unchanged, just the public name. Affected users received an email notification.

Why does my task fail with ERROR_PROXY_REJECTED on the proxied variant?

The target site's CDN or edge layer 403'd your proxy IP BEFORE bmak loaded. Akamai's challenge never ran, so there's nothing for us to solve. Switch to a less-flagged residential IP (different ASN, different session).

Akamai Bot Manager (Web) Captcha Solver — Fast Proxyless API for Scraping & Automation

Before you submit — these must be correct

If any of these are wrong, your token may be accepted by our solver but rejected or scored poorly by the target site. We can’t detect these mismatches for you.

Cookies are IP-bound. Akamai cross-checks every request against the IP that earned the cookie — use the same proxy for the solve AND for the subsequent calls, or the cookies are rejected immediately. With `AntiAkamaiBMPTaskProxyLess` you don't see the issuing IP, so use the ProxyLess variant only when you'll replay the request through Capzy on your behalf; otherwise use `AntiAkamaiBMPTask` with your own proxy.
Use the userAgent we return. Akamai correlates UA with the TLS fingerprint that produced the cookie. Pin the value from the response into your HTTP client — UA mismatch invalidates the session.
Use a Chrome-compatible TLS stack on replay. Default Python urllib/requests TLS fails Akamai's Phase-1 check before the cookies are even evaluated. curl_cffi, tls-client, or a real browser work.

What is Akamai Bot Manager (Web)?

Akamai Bot Manager (Web) is the desktop browser variant of Akamai's enterprise bot detection. When a request triggers the protection, Akamai injects an obfuscated JavaScript bundle called "bmak" that collects 100+ device + behavioral signals — mouse movement, keyboard events, screen properties, WebGL fingerprint, TLS fingerprint, focus events, scroll patterns, timing data. The bundle packs the telemetry via "superpack", encrypts it with per-script PRNG seeds, and POSTs it as sensor_data to a per-deployment dynamic path. The server then sets the _abck cookie — when its second tilde-segment is "~0~", the session is validated and protected endpoints become accessible. This page covers the WEB / DESKTOP variant. For the native MOBILE app variant (BMP — Bot Manager Premier — which uses the X-acf-sensor-data HTTP header instead of cookies), see the separate Akamai BMP (Mobile) page.

How It Works

Send Task

POST your AntiAkamaiWebTaskProxyLess with the target URL and sitekey to our API. We'll queue it instantly.

We Solve

We use a real browser (CloakBrowser pool) so bmak executes naturally — every signal Akamai collects is genuinely there, not synthesized. Typical solve: 1. Customer submits a websiteURL pointing at an Akamai-protected page. 2. A pooled browser (warm, residential-routed) navigates to the URL. 3. bmak executes and emits 1-3 sensor_data POSTs. Akamai sets _abck progressively until the second segment validates with ~0~. 4. We harvest the full cookie set (_abck, bm_sz, ak_bmsc, secondaries) + the User-Agent that was used to generate them. These must travel together — the cookies are cryptographically tied to the UA. 5. Customer pastes the cookie string into their HTTP client and continues with the protected request. Notes: - _abck is IP-bound. The ProxyLess variant uses our residential pool. If you need the cookie tied to YOUR IP (most real-world cases), use the proxied variant and pass your own residential proxy. - Datacenter IPs almost universally return _abck with ~-1~ (server-rejected), regardless of fingerprint quality. This is Akamai's ASN-based pre-filter and we have no way to bypass it from a DC IP — residential is the only reliable path.

Get Token

Poll getTaskResult — when status is 'ready', the solution contains the token to inject into the target page.

Quick Integration

solve.py

import requests, time

API = "https://api.capzy.ai"
KEY = "capzy_your_key_here"

# Step 1: Create task
task = requests.post(f"{API}/createTask", json={
    "clientKey": KEY,
    "task": {
        "type": "AntiAkamaiWebTaskProxyLess",
        "type": "AntiAkamaiWebTask",
        "proxyPort": "8080",
        "proxyType": "http",
        "proxyLogin": "user",
        "websiteURL": "https://www.example.com/protected-path",
        "proxyAddress": "your-residential-proxy.example.com",
        "proxyPassword": "pass"
    }
}).json()

task_id = task["taskId"]
print(f"Task created: {task_id}")

# Step 2: Poll for result
while True:
    result = requests.post(f"{API}/getTaskResult", json={
        "clientKey": KEY,
        "taskId": task_id
    }).json()

    if result["status"] == "ready":
        print("Solved!", result["solution"])
        break
    elif result["status"] == "failed":
        print("Failed:", result.get("errorDescription"))
        break

    time.sleep(1)

# Step 3: Use the result — set every cookie on a session jar
sol = result["solution"]
session = requests.Session()
for c in sol["cookies"]:
    session.cookies.set(c["name"], c["value"], domain=c.get("domain"), path=c.get("path", "/"))
session.headers["User-Agent"] = sol.get("userAgent", "")
# IMPORTANT: route through the SAME proxy you supplied at solve time
resp = session.get("https://target.example.com/", proxies={
    "http":  "http://USER:PASS@PROXY_HOST:PORT",
    "https": "http://USER:PASS@PROXY_HOST:PORT",
})
print(resp.status_code, len(resp.text), "bytes")

Using Your Own Proxy

Use AntiAkamaiWebTask instead of AntiAkamaiWebTaskProxyLess to route the solve through your own proxy. This is useful when the target site checks the IP that solved the captcha matches the IP submitting the form.

solve_proxy.py

import requests, time

API = "https://api.capzy.ai"
KEY = "capzy_your_key_here"

# Step 1: Create task
task = requests.post(f"{API}/createTask", json={
    "clientKey": KEY,
    "task": {
        "type": "AntiAkamaiWebTask",
        "type": "AntiAkamaiBMPTask",
        "proxyPort": "8080",
        "proxyType": "http",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
        "proxyLogin": "user",
        "websiteURL": "https://example.com/",
        "proxyAddress": "123.45.67.89",
        "proxyPassword": "pass"
    }
}).json()

task_id = task["taskId"]
print(f"Task created: {task_id}")

# Step 2: Poll for result
while True:
    result = requests.post(f"{API}/getTaskResult", json={
        "clientKey": KEY,
        "taskId": task_id
    }).json()

    if result["status"] == "ready":
        print("Solved!", result["solution"])
        break
    elif result["status"] == "failed":
        print("Failed:", result.get("errorDescription"))
        break

    time.sleep(1)

# Step 3: Use the result — set every cookie on a session jar
sol = result["solution"]
session = requests.Session()
for c in sol["cookies"]:
    session.cookies.set(c["name"], c["value"], domain=c.get("domain"), path=c.get("path", "/"))
session.headers["User-Agent"] = sol.get("userAgent", "")
# IMPORTANT: route through the SAME proxy you supplied at solve time
resp = session.get("https://target.example.com/", proxies={
    "http":  "http://USER:PASS@PROXY_HOST:PORT",
    "https": "http://USER:PASS@PROXY_HOST:PORT",
})
print(resp.status_code, len(resp.text), "bytes")

additional proxy parameters

fieldtyperequireddescription

proxyTypetypestringreqyesProxy protocol: http or https

proxyAddresstypestringreqyesProxy IP address or hostname

proxyPorttypenumberreqyesProxy port number

proxyLogintypestringreqnoProxy username (if auth required)

proxyPasswordtypestringreqnoProxy password (if auth required)

userAgenttypestringreqyesUser-Agent string to use. Must match the UA you use when submitting the token

task parameters.

fieldtyperequireddescription

typetypestringreqyesAntiAkamaiWebTaskProxyLess (we supply the upstream IP) or AntiAkamaiWebTask (you supply a proxy).

websiteURLtypestringreqyesFull URL of the Akamai-protected page. Use a real protected URL on the target host — landing pages without bmak don't issue a validated _abck.

userAgenttypestringreqnoOptional override. If omitted we use the pool's slot UA; the response always returns the UA that was actually used so you know what to send.

proxyAddresstypestringreqnoProxied variant only. Your residential / mobile proxy host.

proxyPorttypeintegerreqnoProxied variant only.

proxyTypetypestringreqnoProxied variant only. http or socks5.

proxyLogintypestringreqnoProxied variant only.

proxyPasswordtypestringreqnoProxied variant only.

solution response.

fieldtypedescription

cookiestypearrayCookie objects in the form `{name, value, domain, path}`. Always includes `_abck` (containing ~0~), `bm_sz`, and any other Akamai cookies the deployment set (`ak_bmsc`, `bm_sv`, `bm_mi`, `bm_so`, `sbsd_o`). Set every cookie on your HTTP client before the next request.

userAgenttypestringExact User-Agent the browser used while earning the cookies. MUST be reused verbatim on subsequent requests — Akamai correlates UA with the TLS fingerprint that produced the cookie.

ipBoundtypebooleanAlways `true` for this task type. Cookies are bound to the IP that solved the challenge — reuse the same proxy for both solve and replay.

domaintypestringThe hostname the cookies were validated against (host of `websiteURL`). Cookies are scoped to this domain — set them on a different host and Akamai ignores them.

sensorPoststypenumberNumber of bmak sensor_data POSTs the solver fired during the validated session. Diagnostic — under normal conditions this is 1–3. Above that suggests the deployment is borderline and the cookies may have a shorter useful life.

Example response

Full getTaskResult response shape. The fields in the table above describe what's inside solution — the outer envelope (errorId, status) is identical for every captcha type.

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "cookies": [
      {
        "name": "_abck",
        "path": "/",
        "value": "...~0~...",
        "domain": ".example.com"
      },
      {
        "name": "bm_sz",
        "path": "/",
        "value": "...",
        "domain": ".example.com"
      },
      {
        "name": "ak_bmsc",
        "path": "/",
        "value": "...",
        "domain": ".example.com"
      }
    ],
    "ipBound": true,
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ..."
  }
}

Error response

Failures use the same envelope with errorId: 1 plus errorCode + errorDescription. See the error-code reference for the full list.

{
  "errorId": 1,
  "errorCode": "ERROR_CAPTCHA_UNSOLVABLE",
  "errorDescription": "Solver gave up — automatically refunded."
}

Pending response

While the solver is still working, getTaskResult returns status: "processing". Poll every 1–2 seconds until ready or failed.

{
  "errorId": 0,
  "status": "processing"
}

Features

Returns the validated _abck cookie (with ~0~) plus the full secondary cookie set (bm_sz, ak_bmsc, bm_sv, bm_mi where issued)

User-Agent + cookies returned as a matched pair — paste both into your HTTP client for direct session reuse

Real-browser sensor_data generation — natural mouse, keyboard, focus, and scroll signals flow into bmak's payload

Pixel-challenge (~3~) and rejected-session (~-1~) detection — fast-fail with a refund instead of grinding the timeout

Pre-flight edge-block detection on the proxied variant — if your proxy IP is 403'd before bmak loads, we bail in 5s with ERROR_PROXY_REJECTED instead of timing out at 35s

ProxyLess Task Type

AntiAkamaiWebTaskProxyLess

With Proxy

AntiAkamaiWebTask

Frequently Asked Questions

start solving akamai bot manager (web).

$0.10 in free credits — no card. ~250 free solves to test before you spend.

get free api key read docs

Akamai Bot Manager (Web) Solver, solved in 14.0s.