How long do Akamai cookies last?

The _abck cookie is session-based and typically valid for the browser session. sec_cpt tokens expire in approximately 5 minutes. bm_sz session cookies last about 1 hour, depending on the target site's Akamai configuration.

What causes Akamai 428 errors specifically?

HTTP 428 (Precondition Required) indicates the SEC-CPT challenge must be solved before proceeding. This occurs on high-security endpoints like login, checkout, or account-settings pages. The SEC-CPT challenge is a cryptographic proof-of-work puzzle. MeshPrivacy resolves it server-side and returns a valid sec_cpt cookie containing the marker ~3~.

Do I need to maintain TLS fingerprints when using MeshPrivacy?

No. MeshPrivacy handles TLS fingerprinting automatically through the tls_forward parameter. Requests using the returned cookies should use a standard HTTP client without special TLS configuration. For high-difficulty Akamai targets, consider also using a residential or mobile proxy.

How does Akamai _abck cookie validation work?

Akamai's sensor.js script collects mouse movements, screen properties, navigator fingerprint, WebGL info and timing data, encrypts the payload, and posts it to Akamai's challenge endpoint. The server validates the sensor payload and sets a valid _abck cookie if it passes (containing the marker ~-1~) or a degraded cookie otherwise (containing ~0~). MeshPrivacy generates a valid sensor payload server-side, returning a passing _abck.

How fast does MeshPrivacy generate Akamai cookies?

Standard akamai _abck endpoint: 3–8 seconds typical. SEC-CPT 428 hard challenge: 5–15 seconds depending on difficulty. sbsd score-based variant: 3–8 seconds. Upstream timeout is 120 seconds. We do not advertise sub-second numbers — Akamai sensor data generation takes real compute time.

How much does Akamai bypass cost on MeshPrivacy?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. New accounts get 20 free credits with no credit card required.

Which Akamai variants does MeshPrivacy support?

Three variants: (1) akamai — standard Bot Manager protection using _abck cookies; (2) sec_cpt — Akamai's cryptographic 428 challenge for critical operations; (3) sbsd — score-based detection variant with 0–100 behavioral scoring. All three share the same submit/poll API contract.

Looking for an overview? See the Akamai product page

Resolving Akamai 403/428 Errors

Akamai Bot Manager protects websites using sensor data collection and cryptographic challenges. When requests lack valid _abck cookies or fail SEC-CPT verification, servers return 403 or 428 errors. MeshPrivacy generates valid session tokens by executing Akamai's challenge logic server-side.

Error Codes

Code	Meaning	Resolution
403	Invalid or missing `_abck` cookie	Generate valid sensor data via API
429	Rate limit + failed sensor validation	Reduce request frequency, validate cookies
428	SEC-CPT precondition required	Solve SEC-CPT challenge first

Real-time API status: trust.meshprivacy.com

Cookies & Headers

Session Cookies

_abck - Primary bot detection token

bm_sz - Session tracking cookie

sec_cpt - SEC-CPT challenge token

bm_sc - Behavior score cookie

_bm_sv - Sensor version tracking

Success Indicators

Valid _abck with sensor data

sec_cpt contains ~3~

Proper bm_sz format present

Consistent header ordering

Service Variants

akamai Primary

Standard Akamai Bot Manager protection using _abck cookies. Handles sensor data collection and submission.

sec_cpt (428 Challenge)

Akamai's cryptographic or behavioral challenge for critical operations. Returns 428 status requiring proof-of-work or sensor submission.

sbsd / bm_sc

Score-based detection variant. Uses behavioral scoring to determine access. Score ranges from 0-100 with higher values indicating human-like behavior.

Integration Example

akamai.js

// Submit Akamai task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': API_KEY
  },
  body: JSON.stringify({
    service: 'akamai',
    url: 'https://target-site.com/',
    proxy_config: 'http://user:pass@ip:port', // Your proxy
    sensor_url: 'https://target-site.com/akamai/sensor.js', // Akamai script URL
    fingerprint: '', // Optional - leave empty for auto-detection
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...'
  })
});

const { task_id } = await response.json();

// Poll for result
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});

const { cookies } = await result.json();
// cookies._abck, cookies.bm_sz now valid for requests

FAQ

The _abck cookie is session-based and typically valid for the browser session. sec_cpt tokens expire in approximately 5 minutes.

Related Services

Kasada|DataDome|PerimeterX|Cloudflare