What is the aws-waf-token cookie?

aws-waf-token is the cookie AWS WAF sets after a visitor passes the JavaScript challenge or captcha rule action. The token is bound to the visitor's IP and user agent, valid for 5-10 minutes by default, and required on every request to the protected origin until it expires.

How do I generate an aws-waf-token via API?

Submit a POST to https://api.meshprivacy.com/v1/tasks/submit with service: 'aws' (the DB endpoint_id is 'aws', not 'aws_waf'), the target url, the script_url to the WAF challenge.js, your proxy_config and user_agent. Poll /v1/tasks/result/{task_id} for 3-8 seconds and attach cookies['aws-waf-token'] to downstream requests.

Why does AWS WAF return 405 instead of 403?

AWS WAF returns 405 Method Not Allowed when the WebACL rule is set to BLOCK on the matched method (often POST), and 403 Forbidden on CHALLENGE rules where the visitor lacks a valid aws-waf-token. 202 Accepted indicates the captcha rule served a challenge HTML to be solved. All three benefit from generating a fresh token.

Can I reuse the same aws-waf-token across multiple requests?

Yes — within the 5-10 minute validity window and from the same IP and user agent. AWS WAF rejects tokens reused from a different proxy or after expiry. Cache the cookie per session, refresh on the next 403/202, and rotate proactively before 5 minutes for safety.

How fast does MeshPrivacy generate aws-waf-token cookies?

Standard AWS WAF JavaScript challenge: 3-8 seconds typical. Captcha rule action: 5-10 seconds. Upstream timeout is 120 seconds. We do not advertise sub-second numbers — the AWS WAF challenge.js script requires real compute time on every solve.

How much does AWS WAF solving cost?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. New accounts get 20 free credits with no credit card required.

Does MeshPrivacy support AWS WAF captcha and challenge rules?

Yes. The single service: 'aws' endpoint handles both the JavaScript Challenge rule (silent solve, returns aws-waf-token) and the CAPTCHA rule (visual challenge in challenge.js, also returns aws-waf-token after solve). Pass the script_url from the challenge HTML and the same flow handles either rule type.

Looking for an overview? See the AWS WAF product page

Resolving AWS WAF 403 Errors

AWS WAF uses cryptographic puzzles to verify requests. When requests lack a valid aws-waf-token cookie, servers return 403 errors with an embedded JavaScript challenge. MeshPrivacy solves these puzzles server-side and returns valid tokens with 5-10 minute TTL.

Error Codes

Code	Meaning	Resolution
403	Challenge required or token invalid	Generate valid aws-waf-token via API
200	Challenge HTML with JavaScript puzzle	Solve embedded cryptographic challenge

Token TTL: 5-10 minutes depending on WAF configuration.

Real-time API status: trust.meshprivacy.com

Challenge Parameters

Parameters from Challenge Response

key - Encryption key for puzzle

iv - Initialization vector

context - Challenge context identifier

gokuProps - Configuration object

These parameters are encrypted with AES and require computational solving.

Cookie Format

aws-waf-token Cookie

URL-safe Base64 encoded
Contains encrypted challenge solution
Session-specific binding
Expiration timestamp included

Integration Example

aws-waf.js

// Submit AWS WAF task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': API_KEY
  },
  body: JSON.stringify({
    service: 'aws', // AWS WAF service identifier (DB endpoint_id is "aws", not "aws_waf")
    url: 'https://target-site.com/',
    script_url: 'https://target-site.com/aws-waf/challenge.js', // WAF challenge script
    proxy_config: 'http://user:pass@ip:port', // Your proxy
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...'
  })
});

const { task_id } = await response.json();

// Poll for result
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});

const { cookies } = await result.json();
// Use cookies['aws-waf-token'] - valid for 5-10 minutes

FAQ

AWS WAF requires solving an AES-encrypted computational puzzle. The challenge parameters (key, iv, context) are extracted from the response and used to compute the valid token.

Related Services

Cloudflare|Akamai|Incapsula|Kasada