Resolving Kasada 429/403 Errors

Kasada protects websites using JavaScript challenges and computational proof-of-work (PoW). When a request lacks a valid x-kpsdk-ct token or fails PoW verification, the server returns a 429 or 403 error. MeshPrivacy solves Kasada challenges by executing the proof-of-work computation server-side.

Error Codes

| Code | Meaning | Resolution |
|------|---------|------------|
| 429 | Proof-of-work challenge required | Generate ct/cd tokens via API |
| 403 | Challenge validation failed or blocked | Request new tokens with fresh session |
| 406 | Challenge response invalid format | Verify token format and submission |
| 400 | Malformed challenge request | Check request structure |

Headers & Tokens

Required Headers

x-kpsdk-ct - Challenge token
x-kpsdk-cd - Proof-of-work result
x-kpsdk-v - Kasada version
x-kpsdk-r - Request identifier

Success Indicators

Valid ct token in response
Proper cd proof-of-work solution
JavaScript executed without errors
Headers match expected format

Service Variants

kasada (ct) - Primary

Primary Kasada challenge token. Handles JavaScript challenge execution and returns a valid x-kpsdk-ct header.

kasada_cd (Proof-of-Work)

Computational proof-of-work challenge. Extracts the script from the 429 response, computes the solution, and returns a valid x-kpsdk-cd header.

Integration Example

// Submit Kasada task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': API_KEY
  },
  body: JSON.stringify({
    service: 'kasada',
    url: 'https://target-site.com/',
    proxy_config: 'http://user:pass@ip:port', // Your proxy
    api_domain: 'api.target-site.com', // Kasada API endpoint domain
    script_domain: 'target-site.com', // Domain serving Kasada script
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...'
  })
});

const { task_id } = await response.json();

// Poll for result
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});

const { headers } = await result.json();
// Use headers['x-kpsdk-ct'] and headers['x-kpsdk-cd'] in your requests

FAQ

How long do Kasada tokens last?

Kasada tokens have dynamic TTLs that vary by site configuration. Generally, tokens remain valid for the current session but may require refresh after several minutes of inactivity.

What triggers a 429 vs 403?

429 indicates that a proof-of-work challenge is required (first-time requests or expired tokens). 403 indicates that the challenge validation failed or that the request was blocked due to detected automation.

How does proof-of-work difficulty work?

Kasada adjusts PoW difficulty dynamically based on machine type and request patterns. MeshPrivacy handles this automatically, computing solutions regardless of difficulty level.
