The only captcha solving API that handles Kasada. Full KPSDK bootstrap with x-kpsdk-ct, x-kpsdk-cd, and x-kpsdk-cr headers. Works on Foot Locker, Twitch, and every Kasada-protected site.
Kasada's KPSDK is one of the hardest bot protection systems to bypass. It uses a bytecode virtual machine (ips.js) that requires a real browser environment to execute. The VM performs device fingerprinting, proof-of-work challenges, and generates cryptographic tokens that are bound to the session.
No other API service solves Kasada. We do. Our solver handles the full bootstrap flow: /fp page load, ips.js bytecode VM execution, and CT/CD header generation. You get back the headers you need to make authenticated API requests.
```python
import time

import requests

API = "https://api.pentium.sh"
KEY = "PTM-your-api-key"

# Solve Kasada for Foot Locker
task = requests.post(f"{API}/createTask", json={
    "clientKey": KEY,
    "task": {
        "type": "AntiKasadaTask",
        "websiteURL": "https://www.footlocker.com",
        "pageURL": "https://www.footlocker.com/api/..."
    }
}).json()

# Poll (Kasada takes ~35s)
while True:
    result = requests.post(f"{API}/getTaskResult", json={
        "clientKey": KEY,
        "taskId": task["taskId"]
    }).json()
    if result["status"] == "ready":
        break
    time.sleep(5)

# Use the headers for your API requests
sol = result["solution"]
headers = {
    "x-kpsdk-ct": sol["x-kpsdk-ct"],
    "x-kpsdk-cd": sol["x-kpsdk-cd"],
    "x-kpsdk-cr": sol["x-kpsdk-cr"],
}

# Now make your authenticated request
r = requests.get(
    "https://www.footlocker.com/api/products",
    headers=headers,
    cookies=sol["cookies"]
)
```
```javascript
const API = "https://api.pentium.sh";
const KEY = "PTM-your-api-key";

const { taskId } = await fetch(`${API}/createTask`, {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    clientKey: KEY,
    task: {
      type: "AntiKasadaTask",
      websiteURL: "https://www.footlocker.com",
      pageURL: "https://www.footlocker.com/api/..."
    }
  })
}).then(r => r.json());

// Poll for result
let solution;
while (!solution) {
  await new Promise(r => setTimeout(r, 5000));
  const res = await fetch(`${API}/getTaskResult`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ clientKey: KEY, taskId })
  }).then(r => r.json());
  if (res.status === "ready") solution = res.solution;
}

// Use headers in your requests
console.log(solution["x-kpsdk-ct"]);
```
Kasada KPSDK requires real browser execution. Here's why the others can't do it.
Kasada's ips.js contains a custom bytecode virtual machine that performs device fingerprinting and proof-of-work. It requires full DOM APIs, canvas, WebGL, and audio context. No headless shortcut works.
The CT token is cryptographically bound to the browser fingerprint generated during bootstrap. You can't fake the fingerprint separately -- it must come from the same execution context.
Kasada detects Puppeteer, Playwright, and Selenium through dozens of signals. We use custom browser configurations that pass all detection checks.
Kasada tokens work cross-domain. Bootstrap on one origin, use the headers on another. We handle the full flow including cookie chaining and header rotation.
| Parameter | Type | Required | Description |
|---|---|---|---|
| type | string | Yes | AntiKasadaTask |
| websiteURL | string | Yes | The base URL of the Kasada-protected site |
| pageURL | string | No | Specific API endpoint URL (for CT header targeting) |
```json
{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "x-kpsdk-ct": "03aGd8...",
    "x-kpsdk-cd": "b64payload...",
    "x-kpsdk-cr": "02ref...",
    "cookies": {
      "_kpsdk_ct_": "...",
      "_kpsdk_cd_": "..."
    },
    "userAgent": "Mozilla/5.0 ..."
  }
}
```