What is x-kpsdk-ct and how do I generate it?

x-kpsdk-ct is the Kasada client token header attached to every request to a Kasada-protected API. It is issued by the ips.js challenge script after evaluating client signals and computing a proof-of-work. POST to https://api.meshprivacy.com/v1/tasks/submit with service: 'kasada' to receive headers['x-kpsdk-ct'] and headers['x-kpsdk-cd'].

What is the difference between kasada and kasada_cd services?

service: 'kasada' performs the full ips.js solve and returns both x-kpsdk-ct and x-kpsdk-cd headers from scratch — use this for fresh sessions. service: 'kasada_cd' computes only the proof-of-work x-kpsdk-cd value when you already have valid client_token and session_token from a previous response — use this for token refresh.

Why am I still getting 429 with a valid x-kpsdk-ct token?

Kasada binds the token to the IP, user agent and api_domain it was solved for. Re-using a token from a different proxy, a different user agent, or against a different api_domain returns 429. Always solve with the exact api_domain and proxy you will retry from. Tokens also expire — refresh on the next 429.

What is Kasada proof-of-work and why does it take seconds to solve?

Kasada serves a SubtleCrypto-based hashing puzzle that the browser must compute before submitting. The compute cost is calibrated to take a real CPU 200ms-2 seconds per try and bursts to multiple seconds under load. MeshPrivacy executes this proof-of-work server-side, which is why solves take 3-8 seconds — there is no shortcut around the math.

How fast does MeshPrivacy generate Kasada tokens?

Standard Kasada x-kpsdk-ct: 3-8 seconds typical. kasada_cd refresh-only: 2-4 seconds. Higher-difficulty sites like Nike push toward 5-10 seconds. Upstream timeout is 120 seconds. We do not advertise sub-second numbers.

How much does Kasada solving cost?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. The kasada_cd refresh path costs less because it skips the full ips.js solve. New accounts get 20 free credits with no credit card required.

Which Kasada-protected sites does MeshPrivacy support?

MeshPrivacy generates valid Kasada tokens for any site running ips.js, including Nike, Hyatt, BetMGM, Canada Goose and many others. Pass the api_domain and script_domain in your submit payload — for kasada_cd, pass the site shorthand (e.g. site: 'nike').

Looking for an overview? See the Kasada product page

Resolving Kasada 429/403 Errors

Kasada protects websites using JavaScript challenges and computational proof-of-work. When requests lack valid x-kpsdk-ct tokens or fail PoW verification, servers return 429 or 403 errors. MeshPrivacy solves Kasada challenges by executing the proof-of-work computation server-side.

Error Codes

Code	Meaning	Resolution
429	Proof-of-work challenge required	Generate ct/cd tokens via API
403	Challenge validation failed or blocked	Request new tokens with fresh session
406	Challenge response invalid format	Verify token format and submission
400	Malformed challenge request	Check request structure

Real-time API status: trust.meshprivacy.com

Headers & Tokens

Required Headers

x-kpsdk-ct - Challenge token

x-kpsdk-cd - Proof-of-work result

x-kpsdk-v - Kasada version

x-kpsdk-r - Request identifier

Success Indicators

Valid ct token in response

Proper cd proof-of-work solution

JavaScript executed without errors

Headers match expected format

Service Variants

Kasada exposes two distinct service IDs in MeshPrivacy. Pick the one matching the challenge type returned by the target.

`kasada`Primary

Primary Kasada challenge token. Handles JavaScript challenge execution and returns a valid x-kpsdk-ct header.

Field	Type	Required	Description
`url`	string	Yes	Target URL protected by Kasada
`api_domain`	string	No	Protected API domain (e.g. api.example.com)
`script_domain`	string	No	Kasada script domain hosting `ips.js`/`fp.js`
`proxy_config`	string	No
`user_agent`	string	No

kasada.js

// Submit Kasada (ct) task
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'kasada',
    url: 'https://target-site.com/',                          // required
    api_domain: 'api.target-site.com',                        // optional - protected API domain
    script_domain: 'target-site.com',                         // optional - script-host domain
    proxy_config: 'http://user:pass@ip:port',                 // optional
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'// optional
  })
});
const { task_id } = await response.json();
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});
const { headers } = await result.json();
// Use headers['x-kpsdk-ct'] in your requests

`kasada_cd`

Computational proof-of-work variant. Returns a valid x-kpsdk-cd header for sites where the standard kasada flow does not apply (typically domain-only, no full URL).

Field	Type	Required	Description
`site`	string	Yes	Target site domain without protocol (e.g. `nike`)
`client_token`	string	No	`x-kpsdk-ct` cookie value from initial page load
`session_token`	string	No	`x-kpsdk-st` cookie/header value
`feature_config`	string	No	Site-specific config from Kasada response
`proxy_config`	string	No
`user_agent`	string	No

kasada-cd.js

// Submit Kasada CD (proof-of-work) task
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'kasada_cd',
    site: 'nike',                                             // required - domain w/o protocol
    client_token: '<x-kpsdk-ct value>',                       // optional - from initial page load
    session_token: '<x-kpsdk-st value>',                      // optional
    feature_config: '<site-specific config>',                 // optional - from Kasada response
    proxy_config: 'http://user:pass@ip:port',                 // optional
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'// optional
  })
});

FAQ

Kasada tokens have dynamic TTLs that vary by site configuration. Generally, tokens remain valid for the current session but may require refresh after several minutes of inactivity.

Related Services

Akamai|DataDome|PerimeterX|Cloudflare