What is the _px3 cookie and why does it expire so fast?

_px3 is the short-lived clearance cookie PerimeterX (now HUMAN) issues after the init.js script collects behavioral signals. The cookie typically expires in approximately 60 seconds — by design, so each protected action requires a fresh solve. Always attach the cookie immediately after the API returns it.

How do I solve a PerimeterX 403 _px3 error?

Submit a POST to https://api.meshprivacy.com/v1/tasks/submit with service: 'perimeterx_invisible', the page url, the app_id (PX12345678 from the page source), the script_url to init.js, your proxy_config and user_agent. Poll /v1/tasks/result/{task_id} for 3-8 seconds and use cookies._px3 immediately.

When do I use perimeterx_invisible vs perimeterx_hold?

perimeterx_invisible runs the silent behavioral flow on initial requests and returns a fresh _px3 cookie. perimeterx_hold solves the visible Press & Hold challenge that PerimeterX serves on suspicious sessions, requiring the captcha_url and existing _pxvid/uuid/pxhd cookies to continue the session.

Where do I find the PerimeterX app_id?

The app_id starts with PX followed by 8 alphanumeric characters (e.g. PX12345678). Find it in the page source by searching for window._pxAppId, the init.js script URL path (/PXAPPID/init.js), or the data-app-id attribute. It is unique per protected site.

How fast does MeshPrivacy generate _px3 cookies?

perimeterx_invisible: 3-8 seconds typical. perimeterx_hold for the Press & Hold challenge: 5-10 seconds. Upstream timeout is 120 seconds. We do not advertise sub-second numbers — the init.js sensor data computation requires real time on every solve.

How much does PerimeterX (HUMAN) solving cost?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. New accounts get 20 free credits with no credit card required.

Is HUMAN Bot Defender the same as PerimeterX?

Yes. HUMAN Security acquired PerimeterX in 2022 and rebranded the product as HUMAN Bot Defender. The cookie name (_px3), the script (init.js), the app_id format and the behavioral fingerprint flow are unchanged, so the perimeterx_invisible service handles both names.

Looking for an overview? See the PerimeterX product page

Resolving PerimeterX/HUMAN 403 Errors

PerimeterX (now HUMAN) uses behavioral analysis with "Press & Hold" challenges to detect bots. When requests lack valid _px3 tokens, servers return 403 errors. MeshPrivacy resolves these challenges by simulating valid behavioral patterns and generating short-lived tokens.

Error Codes

Code	Meaning	Resolution
403	Bot detected, access denied	Generate valid _px3 token via API
200	"Press & Hold" challenge page	Complete challenge via API

Token TTL: approximately 60 seconds. Tokens must be used quickly after generation.

Real-time API status: trust.meshprivacy.com

Cookies & Detection

Session Cookies

_px - Primary detection cookie

_px2 - Extended session data

_px3 - Challenge token (~60s)

_pxhd - Device fingerprint hash

_pxvid - Video frame analysis

Detection Methods

Canvas fingerprinting (2D)

WebGL parameters (GPU)

Audio context hashing

Mouse movement tracking

Click pattern analysis

Service Variants

PerimeterX/HUMAN ships two distinct service IDs in MeshPrivacy. Pick the one matching the challenge type the target serves.

`perimeterx_invisible`Primary

Invisible behavioral challenge. Collects fingerprint data and submits for verification without visible user interaction.

Field	Type	Required	Description
`url`	string	Yes	Target URL protected by PerimeterX/HUMAN
`app_id`	string	Yes	PX App ID (starts with PX)
`script_url`	string	Yes	PerimeterX script URL (init.js)
`proxy_config`	string	Yes	Proxy in `http://user:pass@ip:port` format
`user_agent`	string	No	Custom user agent

perimeterx-invisible.js

// Submit PerimeterX Invisible task
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'perimeterx_invisible',
    url: 'https://target-site.com/',                          // required
    app_id: 'PX12345678',                                     // required - starts with PX
    script_url: 'https://client.px-cloud.net/PX.../init.js',  // required - PerimeterX init.js
    proxy_config: 'http://user:pass@ip:port',                 // required
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'// optional
  })
});
const { task_id } = await response.json();
const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});
const { cookies } = await result.json();
// IMPORTANT: Use cookies._px3 immediately - expires in ~60 seconds

`perimeterx_hold`

"Press & Hold" interactive challenge. Simulates the hold-button interaction pattern required by HUMAN's challenge page.

Field	Type	Required	Description
`url`	string	Yes	Target URL
`app_id`	string	No	PX App ID (starts with PX)
`vid`	string	No	Visitor ID from `_pxvid` cookie
`uuid`	string	No	UUID from PerimeterX session
`pxhd`	string	No	`pxhd` cookie value
`captcha_url`	string	No	Captcha challenge URL
`proxy_config`	string	No
`user_agent`	string	No

perimeterx-hold.js

// Submit PerimeterX "Press & Hold" task
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'perimeterx_hold',
    url: 'https://target-site.com/',                          // required
    app_id: 'PX12345678',                                     // optional
    vid: '',                                                  // optional - _pxvid cookie
    uuid: '',                                                 // optional - PX session UUID
    pxhd: '',                                                 // optional - pxhd cookie
    captcha_url: '',                                          // optional - challenge URL
    proxy_config: 'http://user:pass@ip:port',                 // optional
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'// optional
  })
});

FAQ

The _px3 token has a ~60 second TTL by design to prevent token sharing and replay attacks. Plan your request flow to use tokens immediately after generation.

Related Services

Akamai|DataDome|Incapsula|Kasada