Before you submit — these must be correct
If any of these are wrong, your token may be accepted by our solver but rejected or scored poorly by the target site. We can’t detect these mismatches for you.
- The telemetry header is single-use and IP + UA bound — minted for the request the page fired during the solve. Use it immediately for one protected request; don't cache it.
- Replay from the SAME proxy IP + User-Agent used to solve, or the header and cookies are rejected.
- This is F5 Distributed Cloud Bot Defense (ex-Shape), NOT F5 BIG-IP Advanced WAF (TS/TSPD cookies) — pick the right product for your target.
What is F5 Distributed Cloud Bot Defense?
F5 Distributed Cloud Bot Defense — formerly Shape Security — protects high-value flows (airline, retail, and banking login / checkout) with deep client-side signal collection. An obfuscated JavaScript VM runs bytecode to gather device + behavioral telemetry and stamps a dynamic, per-request signed header set on the page's protected requests (named x-<prefix>-a / -b / -c, plus a -d version constant that varies per deployment), scored server-side by ML. This is a SEPARATE product from F5 BIG-IP Advanced WAF (the bobcmn / TS-cookie challenge). Because the VM mints that header fresh for every request, there is no static token — the working artifact is the live header set the VM produces during a real session.
How it works
Send Task
POST your AntiF5ShapeTask with the target URL and sitekey to our API. We'll queue it instantly.
We Solve
We drive a real browser through your proxy, let the genuine Shape VM bootstrap and collect signals under human-like interaction, and capture the artifacts a protected request needs: the live telemetry header set (name -> value, minted by the VM during the solve), the cleared-session cookie jar, and the User-Agent the artifacts were minted under. You send those on your protected request from the same proxy IP + User-Agent. The telemetry header is single-use and IP + UA bound — it is minted for the request fired during the solve, so use it immediately for one protected request; on GET(Document) interstitial deployments the returned cookie carries the session instead.
Get Token
Poll getTaskResult — when status is 'ready', the solution contains the token to inject into the target page.
Quick integration
import requests, time
API = "https://api.capzy.ai"
KEY = "capzy_your_key_here"
# Step 1: Create task
task = requests.post(f"{API}/createTask", json={
"clientKey": KEY,
"task": {
"type": "AntiF5ShapeTask",
"type": "AntiF5ShapeTask",
"proxyPort": "10001",
"proxyType": "http",
"proxyLogin": "your-proxy-username",
"websiteURL": "https://www.example.com/login",
"proxyAddress": "gw.your-proxy-provider.com",
"proxyPassword": "your-proxy-password"
}
}).json()
task_id = task["taskId"]
print(f"Task created: {task_id}")
# Step 2: Poll for result
while True:
result = requests.post(f"{API}/getTaskResult", json={
"clientKey": KEY,
"taskId": task_id
}).json()
if result["status"] == "ready":
print("Solved!", result["solution"])
break
elif result["status"] == "failed":
print("Failed:", result.get("errorDescription"))
break
time.sleep(1)
Using the result
# Step 3: Use the result — set every cookie on a session jar
sol = result["solution"]
session = requests.Session()
for c in sol["cookies"]:
session.cookies.set(c["name"], c["value"], domain=c.get("domain"), path=c.get("path", "/"))
session.headers["User-Agent"] = sol.get("userAgent", "")
# IMPORTANT: route through the SAME proxy you supplied at solve time
resp = session.get("https://target.example.com/", proxies={
"http": "http://USER:PASS@PROXY_HOST:PORT",
"https": "http://USER:PASS@PROXY_HOST:PORT",
})
print(resp.status_code, len(resp.text), "bytes")Task parameters
typetypestringreqyesAntiF5ShapeTask (with your proxy) or AntiF5ShapeTaskProxyLess (we route it).websiteURLtypestringreqyesA Shape-armed page on the target (e.g. the login or a page that fires the protected request).userAgenttypestringreqnoOverride the User-Agent used during solve. If you override it, replay with the same UA — the header + cookies bind to the (IP, UA) pair.proxyTypetypestringreqnohttp, https, or socks5.proxyAddresstypestringreqyesProxy host (IP or hostname). Required — the solve is IP-bound.proxyPorttypeintegerreqyesProxy port.proxyLogintypestringreqnoProxy username, if your proxy needs auth.proxyPasswordtypestringreqnoProxy password, if your proxy needs auth.Solution response
headerstypeobjectThe live Shape telemetry header set, name -> value, minted by the VM during the solve. Send these on your protected request. Single-use.telemetrySignaturetypearrayThe subset of `headers` that form the Shape signature (the x-<prefix>-a / -b / -c set), so you can tell the telemetry headers from incidental ones.cookiestypearrayCleared-session cookie jar {name, value, domain, path}. Set every returned cookie on your client — on interstitial deployments this carries the session.userAgenttypestringThe exact User-Agent the artifacts were minted under. Reuse it verbatim.ipBoundtypebooleanAlways true — replay through the same proxy IP you solved from.singleUsetypebooleanAlways true — the telemetry header is good for one protected request; don't cache it.protectedEndpointstypearrayEndpoints observed carrying the Shape telemetry during the solve (diagnostic).domaintypestringHost the artifacts were minted for (host of websiteURL).shapeDetectedtypebooleanWhether the Shape telemetry signature and/or a _shapesec_ trust cookie was confirmed.Example response
Full getTaskResult response shape. The fields in the table above describe what's inside solution — the outer envelope (errorId, status) is identical for every captcha type.
{
"errorId": 0,
"status": "ready",
"solution": {
"domain": "www.example.com",
"cookies": [
{
"name": "_shapesec_session",
"path": "/",
"value": "<value>",
"domain": ".example.com"
}
],
"headers": {
"ee30zvqlwf-a": "<telemetry value, minted this solve>",
"ee30zvqlwf-c": "<telemetry value, minted this solve>",
"ee30zvqlwf-d": "1"
},
"ipBound": true,
"singleUse": true,
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
"shapeDetected": true,
"telemetrySignature": [
"ee30zvqlwf-a",
"ee30zvqlwf-c"
]
}
}Error response
Failures use the same envelope with errorId: 1 plus errorCode + errorDescription. See the error-code reference for the full list.
{
"errorId": 1,
"errorCode": "ERROR_CAPTCHA_UNSOLVABLE",
"errorDescription": "Solver gave up — automatically refunded."
}Pending response
While the solver is still working, getTaskResult returns status: "processing". Poll every 1–2 seconds until ready or failed.
{
"errorId": 0,
"status": "processing"
}Features
task types
required: AntiF5ShapeTask