Looking for an overview? See the Akamai product page

Resolving Akamai 403/428 Errors

Akamai Bot Manager protects websites using sensor data collection and cryptographic challenges. When requests lack valid _abck cookies or fail SEC-CPT verification, servers return 403 or 428 errors. MeshPrivacy generates valid session tokens by executing Akamai's challenge logic server-side.

Error Codes

Code	Meaning	Resolution
403	Invalid or missing `_abck` cookie	Generate valid sensor data via API
429	Rate limit + failed sensor validation	Reduce request frequency, validate cookies
428	SEC-CPT precondition required	Solve SEC-CPT challenge first

Cookies & Headers

Session Cookies

_abck - Primary bot detection token

bm_sz - Session tracking cookie

sec_cpt - SEC-CPT challenge token

bm_sc - Behavior score cookie

_bm_sv - Sensor version tracking

Success Indicators

Valid _abck with sensor data

sec_cpt contains ~3~

Proper bm_sz format present

Consistent header ordering

Service Variants

akamai Primary

Standard Akamai Bot Manager protection using _abck cookies. Handles sensor data collection and submission.

sec_cpt (428 Challenge)

Akamai's cryptographic or behavioral challenge for critical operations. Returns 428 status requiring proof-of-work or sensor submission.

sbsd / bm_sc

Score-based detection variant. Uses behavioral scoring to determine access. Score ranges from 0-100 with higher values indicating human-like behavior.

Integration Example

// Submit Akamai task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': API_KEY
  },
  body: JSON.stringify({
    service: 'akamai',
    url: 'https://target-site.com/',
    proxy_config: 'http://user:pass@ip:port', // Your proxy
    sensor_url: 'https://target-site.com/akamai/sensor.js', // Akamai script URL
    fingerprint: '', // Optional - leave empty for auto-detection
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...'
  })
});

const { task_id } = await response.json();

// Poll for result
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});

const { cookies } = await result.json();
// cookies._abck, cookies.bm_sz now valid for requests

FAQ

How long do Akamai cookies last?

The _abck cookie is session-based and typically valid for the browser session. sec_cpt tokens expire in approximately 5 minutes.

What causes 428 errors specifically?

428 (Precondition Required) indicates the SEC-CPT challenge must be solved before proceeding. This occurs on high-security endpoints like login or checkout pages.

Do I need to maintain TLS fingerprints?

MeshPrivacy handles TLS fingerprinting automatically. Your requests using the returned cookies should use a standard HTTP client without special TLS configuration.

Related Services

Kasada|DataDome|PerimeterX|Cloudflare