What is a Kasada bypass?

A Kasada bypass is a technique or service that allows automated requests to pass through Kasada bot protection — including TLS fingerprinting, p.js virtual machine execution, the proof-of-work challenge, x-kpsdk-ct/cd/v header token generation, session warming, behavioral signals, and IP reputation scoring — without being blocked. ScrapeBadger executes the p.js VM in a genuine browser, generates all three x-kpsdk header tokens correctly, warms the session with humanlike behavior, and routes through residential IPs.

p.js is the Kasada client-side script — a highly obfuscated JavaScript file containing a custom virtual machine that interprets Kasada-specific bytecode. The bytecode encodes the proof-of-work challenge logic, fingerprint collection, and behavioral checks. The VM design makes p.js opaque to static analysis — you cannot read it as plain JavaScript and reverse-engineer it the way you can with vendor scripts that compile to readable JS. The VM bytecode is rotated frequently, which is why emulator-based bypass approaches break quickly. The only durable strategy is to execute p.js in a genuine browser environment.

What are the x-kpsdk-ct, x-kpsdk-cd, and x-kpsdk-v headers?

These are the three header tokens Kasada uses to authenticate requests. **x-kpsdk-ct** is the expensive proof-of-work token — generated once per session by completing the PoW challenge in p.js, valid for the session lifetime. **x-kpsdk-cd** is a cheap per-request token, freshly derived from x-kpsdk-ct on every protected request — replay or stale x-kpsdk-cd values are flagged immediately. **x-kpsdk-v** is the version pin that must match the p.js version that issued the tokens. All three must be present and valid on every protected request. ScrapeBadger handles all three automatically.

What is Kasada session warming?

Kasada implements session warming — new sessions from cold or low-reputation sources face escalated proof-of-work difficulty and stricter behavioral checks. Sessions that demonstrate humanlike interaction over a few page loads accumulate trust signals, and the PoW difficulty drops accordingly. ScrapeBadger handles session warming automatically: before the actual scrape request, ScrapeBadger performs realistic page navigation with humanlike mouse, scroll, and timing patterns on a residential IP — so by the time your target page is requested, the session is already trusted.

Does kpsdk-solver work for bypassing Kasada?

Open-source projects like kpsdk-solver attempt to emulate the p.js virtual machine in Python or Node so the proof-of-work challenge can be solved without a real browser. They work briefly — typically days to a few weeks — but break whenever Kasada rotates the p.js VM bytecode, which happens frequently. The maintenance burden is high: every Kasada update requires re-engineering the emulator. They also typically don't handle the per-request x-kpsdk-cd derivation correctly, leading to replay-detection blocks. ScrapeBadger uses real-browser execution instead — the bytecode rotation doesn't matter because the VM is interpreted by the browser itself. We absorb the maintenance burden so you don't have to.

How much does ScrapeBadger's Kasada bypass cost?

ScrapeBadger starts free with 1,000 credits — no credit card required. Pay-as-you-go packs start at $10 with credits that never expire. Subscription plans start at $49/month with lower per-credit rates and monthly rollover. You are only charged for successful responses — Kasada blocks, proof-of-work timeouts, x-kpsdk token failures, version mismatches, and behavioral failures are always free. The full Kasada bypass stack (p.js VM execution, all three header tokens, session warming, residential proxies, TLS impersonation) is included in your existing credit balance at no extra per-request charge.

🚀18 Google Scraper APIs just launched — SERP, Maps, Shopping, Scholar, Lens, Flights & moreExplore→

Anti-bot BypassKasada

Bypass Kasada p.js VM & x-kpsdk header tokens automatically

ScrapeBadger executes Kasada's p.js virtual machine in a genuine browser, completes the proof-of-work challenge, generates valid x-kpsdk-ct / x-kpsdk-cd / x-kpsdk-v header tokens, warms the session correctly, and routes through residential IPs — all without configuration.

Get 1,000 free credits Read the docs

FREE: Starting price
150+: Countries supported
0: Failed request charges
Auto: Escalation — zero config

What is Kasada

The proof-of-work bot platform with a custom JavaScript VM

Kasada is a newer entrant in the bot management space, but it has rapidly become one of the most technically sophisticated platforms — protecting major airlines, ticketing platforms, classifieds, and e-commerce sites. Where competitors like Cloudflare and Akamai focus on signal collection, Kasada's defining innovation is a client-side proof-of-work challenge built into a custom JavaScript virtual machine. Real browsers spend ~2ms solving the challenge; primitive bots either can't solve it at all or get progressively rate-limited as the difficulty escalates.

Kasada is delivered as p.js — a highly obfuscated JavaScript file that contains a custom interpreter for a Kasada-specific bytecode. The bytecode includes the proof-of-work logic, fingerprint collection, and behavioral checks. The VM design means the challenge logic itself is opaque — you cannot read it as JavaScript and reverse-engineer it the way you can with Akamai's sensor data script. The VM bytecode is rotated frequently, and any approach based on emulating the VM in a non-browser environment breaks within days.

Successful execution generates three header tokens: x-kpsdk-ct (the expensive proof-of-work token, valid for the session), x-kpsdk-cd (a cheap per-request token derived from the session), and x-kpsdk-v (the version pin). All three must be present and valid on every protected request. Kasada also implements session warming — new sessions face higher difficulty until they accumulate trust signals. ScrapeBadger executes the VM in a real browser, generates all three tokens correctly, and warms sessions with humanlike behavior so the proof-of-work difficulty stays low.

Kasada · Token Pipeline

Page Load
  ↓
p.js loads = (obfuscated VM + bytecode)
  ↓  custom interpreter executes
  ↓
Proof-of-work = (~2ms in real browser)
  ↓  difficulty escalates for new sessions
  ↓
Fingerprint collection = (canvas, WebGL, navigator, behavioral)
  ↓
POST = /<random>/tl
  ↓  encrypted PoW + signals
  ↓
x-kpsdk-ct issued = (expensive session token)
  ↓
x-kpsdk-cd derived = (cheap per-request token)
  ↓
x-kpsdk-v = (version pin)

429 / 403 Block = ← invalid or stale tokens
200 OK = ← all three headers valid

Header	Role	Type
x-kpsdk-ct	Expensive proof-of-work session token (issued once per session)	Expensive
x-kpsdk-cd	Cheap per-request token derived from x-kpsdk-ct	Single-use
x-kpsdk-v	p.js version pin — must match the VM that issued the tokens	Version

Kasada detection layers

Six ways Kasada identifies your scraper

Kasada combines a proof-of-work VM, behavioral signals, and IP reputation. The VM in particular makes Kasada one of the hardest bot platforms to bypass without a real browser environment.

p.js Virtual Machine

p.js is a highly obfuscated JavaScript file containing a custom interpreter for Kasada-specific bytecode. The bytecode encodes the proof-of-work challenge, fingerprint collection, and behavioral checks. The VM design makes the logic opaque to static analysis — you can't read it as JavaScript and reverse-engineer it the way you can with sensor data scripts. The VM bytecode is rotated frequently, so any approach based on emulating the VM in a non-browser environment breaks quickly. Real browser execution is the only durable strategy.

PoW

Proof-of-Work Challenge

The p.js VM runs a client-side proof-of-work challenge — a cryptographic puzzle the browser must solve to obtain the x-kpsdk-ct header token. Real browsers spend ~2ms solving it. The difficulty escalates for new or untrusted sessions — a fresh datacenter IP can face challenges that take seconds or even time out, while a warmed residential session faces near-instant challenges. This makes scaling against Kasada with cold sessions extremely expensive in compute time.

TLS

TLS / JA3 Fingerprinting

Like every enterprise bot platform, Kasada inspects TLS ClientHello fingerprints. Cipher suite order, extension list, and protocol versions are matched against known browser profiles. Python's requests and httpx produce JA3 hashes matching no real browser and are rejected at the edge — before p.js even has a chance to load.

BFP

Browser Fingerprinting

The p.js VM collects canvas hashes, WebGL GPU vendor/renderer strings, navigator API values, screen properties, plugin lists, and audio context fingerprints — folded into the encrypted token payload. Inconsistencies between the claimed User-Agent and the actual hardware fingerprint (Linux Chrome UA but Windows fingerprint, headless browser GPU) flag the session as untrusted and escalate the proof-of-work difficulty.

IP Reputation & Session Warming

Kasada implements session warming — new sessions from cold or low-reputation IPs face escalating proof-of-work difficulty and stricter behavioral checks. Datacenter IPs are pre-flagged as high risk. Sessions warmed with humanlike interaction over a few page loads accumulate trust and face reduced friction. ScrapeBadger handles session warming automatically with realistic page navigation and humanised behavior on residential IPs, so the proof-of-work difficulty stays low.

BEH

Behavioral Signals

The VM also collects mouse movement, scroll, and keyboard signals as part of the encrypted token payload. Bots that solve the proof-of-work and pass fingerprint checks but show zero mouse variance or perfectly uniform timing are still flagged. Kasada's behavioral layer is less elaborate than PerimeterX's biometrics but still requires humanlike interaction patterns to score as a trusted session.

Specific signals Kasada uses to expose automation:

Missing x-kpsdk-ct header

No Security Token — p.js VM not executed at all

Stale x-kpsdk-cd

Per-request token reused or computed incorrectly — replay detected

x-kpsdk-v version mismatch

Version header doesn't match the p.js that issued the tokens

JA3/JA4 TLS mismatch

Python clients produce fingerprints matching no real browser

Cold session — no warming

Fresh session with no prior page navigation faces high PoW difficulty

Datacenter IP range

AWS/GCP/Azure pre-flagged — escalates PoW difficulty significantly

Headless browser GPU

WebGL renderer string reveals SwiftShader / no hardware acceleration

Zero behavioral variance

No mouse jitter, identical scroll timing — session never warms up

How ScrapeBadger bypasses Kasada

Real-browser p.js execution + correct token pipeline

Kasada's VM design rewards real-browser execution and punishes emulation. ScrapeBadger runs p.js in a genuine Chrome environment, generates all three header tokens correctly, and warms sessions with humanlike behavior.

TLS impersonation + p.js loading

Every request is sent with a JA3/JA4 TLS fingerprint matching a real browser. Once the edge gate passes, the p.js virtual machine is fetched and loaded in the Patchright stealth browser. Header order, Sec-Fetch-* metadata, and Accept-Encoding values all match the browser whose User-Agent is being sent.

p.js VM execution + proof-of-work

The Patchright stealth browser executes the p.js VM as a real Chrome session does — running the obfuscated bytecode interpreter, completing the proof-of-work challenge in ~2ms, and collecting genuine canvas/WebGL/navigator fingerprints. The VM POSTs the encrypted payload to Kasada's collector and receives the x-kpsdk-ct Security Token in response.

x-kpsdk-cd / x-kpsdk-v derivation per request

Every subsequent request includes all three Kasada header tokens. The expensive x-kpsdk-ct token is reused for the session lifetime. The cheap x-kpsdk-cd token is freshly derived per request from x-kpsdk-ct — replay or stale x-kpsdk-cd triggers immediate blocks. The x-kpsdk-v version pin is set to match the p.js version that issued the session. ScrapeBadger handles all three correctly without configuration.

Session warming on residential IPs

Kasada session warming is automatic — ScrapeBadger performs realistic page navigation with humanlike mouse, scroll, and timing patterns to accumulate trust signals before the actual scrape request. All traffic is routed through residential ISP IPs in 150+ countries. A warmed residential session faces near-instant proof-of-work and minimal behavioral friction; a cold datacenter session would face escalated difficulty or outright blocks.

Code examples

Scrape any Kasada-protected site in minutes

One API call. ScrapeBadger executes the p.js VM, generates all three x-kpsdk header tokens, warms the session, and routes residentially — automatically.

# pip install scrapebadger
from scrapebadger import ScrapeBadger

client = ScrapeBadger("sb_live_your_api_key")

# ScrapeBadger auto-detects Kasada, executes p.js VM,
# generates x-kpsdk-ct/cd/v header tokens, warms the session.
result = client.scrape(
    url="https://kasada-protected-site.com/products",
    country="us",         # route through US residential IP
    render_js=True,       # execute p.js VM
    bypass_kasada=True,   # full Kasada bypass stack
)

print(result.html)
print(result.status_code)             # 200
# Kasada header tokens used automatically:
print(result.headers['x-kpsdk-ct'])   # session PoW token
print(result.headers['x-kpsdk-cd'])   # per-request token
print(result.headers['x-kpsdk-v'])    # version pin

Full API reference: Parameters, bypass modes, session management, and country codes — docs.scrapebadger.com →

Comparison

ScrapeBadger vs DIY Kasada bypass methods

Why Kasada's p.js VM and per-request token derivation make DIY bypass especially fragile.

Method	ScrapeBadger	requests / httpx	curl-cffi	kpsdk-solver (open source)	Patchright (self-hosted)
Bypasses TLS / JA3 fingerprinting	Yes — auto	No	Yes	Partial	Partial
Executes p.js virtual machine	Yes — genuine browser execution	No — no JS engine	No — no JS engine	Yes — but emulated	Yes
Generates valid x-kpsdk-ct token	Yes — auto	No	No	Sometimes	Sometimes
Per-request x-kpsdk-cd derivation	Yes — fresh every call	No	No	Often stale — replay flagged	Manual setup
Survives p.js VM rotation	Yes — execution-level	Already broken	Already broken	Breaks within days	Yes
Session warming included	Yes — auto	No	No	No	Manual setup
Residential proxies included	Yes — 150+ countries	No	No — extra cost	No — extra cost	No — extra cost
Breaks when Kasada updates	Never — we maintain it	Already broken	TLS only — partial	Within days	Regularly

Open-source `kpsdk-solver` projects emulate the p.js VM in Python or Node — they work briefly but break within days when Kasada rotates the VM bytecode. Real-browser execution is the only durable strategy. ScrapeBadger maintains the integration; you don't.

Why ScrapeBadger

A Kasada bypass that survives p.js rotation

Kasada rotates the p.js VM bytecode frequently. Reverse-engineering and emulator approaches break within days. Execution-level bypass with session warming is the only durable strategy.

Real-browser p.js execution — survives VM rotation

p.js is a custom JavaScript VM with rotated bytecode — emulator approaches like kpsdk-solver work briefly but break within days as Kasada updates the bytecode and the proof-of-work logic. ScrapeBadger executes the VM in a genuine browser environment, so it keeps working through every rotation without any maintenance on your end. We absorb the maintenance cost; you get a stable bypass.

Correct token pipeline — x-kpsdk-ct, cd, v

All three Kasada header tokens are handled correctly. x-kpsdk-ct is the expensive per-session proof-of-work token. x-kpsdk-cd is the cheap per-request token, derived fresh every request from x-kpsdk-ct — replay or stale values are immediately flagged. x-kpsdk-v pins the p.js version. Most DIY bypass tools handle one or two but not all three correctly. ScrapeBadger handles all three.

Session warming — keeps PoW difficulty low

Kasada's proof-of-work difficulty escalates for cold or untrusted sessions. A fresh datacenter IP can face challenges that take seconds or time out outright. ScrapeBadger automatically warms sessions with realistic page navigation and humanlike behavior on residential IPs — so by the time the actual scrape request runs, the session has trust signals and the PoW difficulty stays low. This is the difference between a 200ms scrape and a 30s timeout.

Pay only for successful results

Failed requests — Kasada blocks, proof-of-work timeouts, stale token rejections, version mismatches, or behavioral failures — are never charged. Credits deduct only when ScrapeBadger returns a successful, real-content response. Against Kasada's escalating-difficulty PoW model, where some failure rate is inherent on cold sessions, not paying for failures is meaningful at scale.

Pricing

Simple, transparent pricing

Start free with 1,000 credits. Pay-as-you-go credits never expire. Subscription plans available at lower per-credit rates.

PAYG

Start anytime — credits never expire

$10/start

Pay as you go

$0.15 per 1,000 credits

Access to all scrapers
Credits never expire
No monthly commitment
Priority support

Get Started

Basic

Best for small teams and steady workloads

$49/mo

Monthly subscription

$0.08 per 1,000 credits

Access to all scrapers
BASIC tier
Credits roll over 1 month
Priority support

Growth

For growing projects — save vs PAYG

$149/mo

Monthly subscription

$0.07 per 1,000 credits

Access to all scrapers
PRO tier
Credits roll over 1 month
Priority support

Pro

For professionals and high-volume usage

$249/mo

Monthly subscription

$0.06 per 1,000 credits

Access to all scrapers
PRO tier
Credits roll over 1 month
Priority support

Business

Maximum scale at the lowest per-credit rate

$499/mo

Monthly subscription

$0.05 per 1,000 credits

Access to all scrapers
ENTERPRISE tier
Credits roll over 1 month
Priority support

Enterprise & Custom

Need higher volume or a custom plan?

Custom credit volumes, dedicated infrastructure, SLA guarantees, invoice billing, and a dedicated account manager.

Custom credit volumeDedicated account managerSLA guaranteeInvoice billing

Contact sales

1,000 free credits — no credit card required. 14-day money-back guarantee. Start free →

FAQ

Kasada bypass — common questions

Start bypassing Kasada today

1,000 free credits, no credit card required. p.js VM, x-kpsdk-ct/cd/v tokens, session warming, residential proxies — handled automatically in one API call.

Get 1,000 free credits

No subscription · Credits never expire · 14-day money-back guarantee