Skip to content
../products
F5 Distributed Cloud Bot DefenseAntiF5ShapeTaskproxy required

F5 Distributed Cloud Bot Defense, solved in 12.0s.

F5 Distributed Cloud Bot Defense (formerly Shape Security) — the VM-bytecode telemetry challenge on high-value airline, retail and banking flows. We drive the real Shape VM and return the live telemetry header set + cleared cookie jar + User-Agent.

Proxy required for F5 Distributed Cloud Bot Defense

Tokens are bound to the solving IP. Use AntiF5ShapeTask with proxyAddress + userAgent. The *TaskProxyLess variant returns ERROR_PROXY_REQUIRED at no charge.

$25.00per 1,000
~12.0savg solve
99%+success
5/mthroughput
type: AntiF5ShapeTask…0.00s
POST/createTask type=AntiF5ShapeTask
taskId tsk_kdrsqpox
POLL/getTaskResult status=processing
status ready
token 0xb438bb1843e88...
type: AntiF5ShapeTask● running on production solvers

What is F5 Distributed Cloud Bot Defense?

F5 Distributed Cloud Bot Defense — formerly Shape Security — protects high-value flows (airline, retail, and banking login / checkout) with deep client-side signal collection. An obfuscated JavaScript VM runs bytecode to gather device + behavioral telemetry and stamps a dynamic, per-request signed header set on the page's protected requests (named x-<prefix>-a / -b / -c, plus a -d version constant that varies per deployment), scored server-side by ML. This is a SEPARATE product from F5 BIG-IP Advanced WAF (the bobcmn / TS-cookie challenge). Because the VM mints that header fresh for every request, there is no static token — the working artifact is the live header set the VM produces during a real session.

How it works

1

Send Task

POST your AntiF5ShapeTask with the target URL and sitekey to our API. We'll queue it instantly.

2

We Solve

We drive a real browser through your proxy, let the genuine Shape VM bootstrap and collect signals under human-like interaction, and capture the artifacts a protected request needs: the live telemetry header set (name -> value, minted by the VM during the solve), the cleared-session cookie jar, and the User-Agent the artifacts were minted under. You send those on your protected request from the same proxy IP + User-Agent. The telemetry header is single-use and IP + UA bound — it is minted for the request fired during the solve, so use it immediately for one protected request; on GET(Document) interstitial deployments the returned cookie carries the session instead.

3

Get Token

Poll getTaskResult — when status is 'ready', the solution contains the token to inject into the target page.

Quick integration

solve.py
import requests, time

API = "https://api.capzy.ai"
KEY = "capzy_your_key_here"

# Step 1: Create task
task = requests.post(f"{API}/createTask", json={
    "clientKey": KEY,
    "task": {
        "type": "AntiF5ShapeTask",
        "type": "AntiF5ShapeTask",
        "proxyPort": "10001",
        "proxyType": "http",
        "proxyLogin": "your-proxy-username",
        "websiteURL": "https://www.example.com/login",
        "proxyAddress": "gw.your-proxy-provider.com",
        "proxyPassword": "your-proxy-password"
    }
}).json()

task_id = task["taskId"]
print(f"Task created: {task_id}")

# Step 2: Poll for result
while True:
    result = requests.post(f"{API}/getTaskResult", json={
        "clientKey": KEY,
        "taskId": task_id
    }).json()

    if result["status"] == "ready":
        print("Solved!", result["solution"])
        break
    elif result["status"] == "failed":
        print("Failed:", result.get("errorDescription"))
        break

    time.sleep(1)

Using the result

use_result.py
# Step 3: Use the result — set every cookie on a session jar
sol = result["solution"]
session = requests.Session()
for c in sol["cookies"]:
    session.cookies.set(c["name"], c["value"], domain=c.get("domain"), path=c.get("path", "/"))
session.headers["User-Agent"] = sol.get("userAgent", "")
# IMPORTANT: route through the SAME proxy you supplied at solve time
resp = session.get("https://target.example.com/", proxies={
    "http":  "http://USER:PASS@PROXY_HOST:PORT",
    "https": "http://USER:PASS@PROXY_HOST:PORT",
})
print(resp.status_code, len(resp.text), "bytes")

Task parameters

Proxy fields below are required for this captcha — userAgent must match the one you’ll use when submitting the resulting token.
typetypestringreqyesAntiF5ShapeTask (with your proxy) or AntiF5ShapeTaskProxyLess (we route it).
websiteURLtypestringreqyesA Shape-armed page on the target (e.g. the login or a page that fires the protected request).
userAgenttypestringreqnoOverride the User-Agent used during solve. If you override it, replay with the same UA — the header + cookies bind to the (IP, UA) pair.
proxyTypetypestringreqnohttp, https, or socks5.
proxyAddresstypestringreqyesProxy host (IP or hostname). Required — the solve is IP-bound.
proxyPorttypeintegerreqyesProxy port.
proxyLogintypestringreqnoProxy username, if your proxy needs auth.
proxyPasswordtypestringreqnoProxy password, if your proxy needs auth.

Solution response

headerstypeobjectThe live Shape telemetry header set, name -> value, minted by the VM during the solve. Send these on your protected request. Single-use.
telemetrySignaturetypearrayThe subset of `headers` that form the Shape signature (the x-<prefix>-a / -b / -c set), so you can tell the telemetry headers from incidental ones.
cookiestypearrayCleared-session cookie jar {name, value, domain, path}. Set every returned cookie on your client — on interstitial deployments this carries the session.
userAgenttypestringThe exact User-Agent the artifacts were minted under. Reuse it verbatim.
ipBoundtypebooleanAlways true — replay through the same proxy IP you solved from.
singleUsetypebooleanAlways true — the telemetry header is good for one protected request; don't cache it.
protectedEndpointstypearrayEndpoints observed carrying the Shape telemetry during the solve (diagnostic).
domaintypestringHost the artifacts were minted for (host of websiteURL).
shapeDetectedtypebooleanWhether the Shape telemetry signature and/or a _shapesec_ trust cookie was confirmed.

Example response

Full getTaskResult response shape. The fields in the table above describe what's inside solution — the outer envelope (errorId, status) is identical for every captcha type.

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "domain": "www.example.com",
    "cookies": [
      {
        "name": "_shapesec_session",
        "path": "/",
        "value": "<value>",
        "domain": ".example.com"
      }
    ],
    "headers": {
      "ee30zvqlwf-a": "<telemetry value, minted this solve>",
      "ee30zvqlwf-c": "<telemetry value, minted this solve>",
      "ee30zvqlwf-d": "1"
    },
    "ipBound": true,
    "singleUse": true,
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    "shapeDetected": true,
    "telemetrySignature": [
      "ee30zvqlwf-a",
      "ee30zvqlwf-c"
    ]
  }
}

Error response

Failures use the same envelope with errorId: 1 plus errorCode + errorDescription. See the error-code reference for the full list.

{
  "errorId": 1,
  "errorCode": "ERROR_CAPTCHA_UNSOLVABLE",
  "errorDescription": "Solver gave up — automatically refunded."
}

Pending response

While the solver is still working, getTaskResult returns status: "processing". Poll every 1–2 seconds until ready or failed.

{
  "errorId": 0,
  "status": "processing"
}

Features

Returns the live Shape telemetry header set (name -> value) + cleared cookie jar + User-Agent
Drives the genuine Shape VM in a real browser through your proxy
IP + UA coherent — replay from the same egress
Distinct from F5 BIG-IP Advanced WAF (TS/TSPD cookies)

task types

required: AntiF5ShapeTask

Frequently asked questions

start solving f5 distributed cloud bot defense.

$0.10 in free credits — no card. ~250 free solves to test before you spend.