What is HTTP 428 Precondition Required from Akamai?

428 is the status code Akamai returns when the SEC-CPT (Sensor-CPT) proof-of-work challenge must be solved before the protected operation proceeds. It usually appears on login, checkout, account-settings or other high-value endpoints. The response carries sec-cpt headers with the challenge payload that needs to be computed.

How is sec_cpt different from a normal Akamai _abck challenge?

_abck is the standard Akamai Bot Manager session cookie set by sensor.js for routine browsing. sec_cpt is the additional proof-of-work layer Akamai bolts onto critical operations — it returns 428, requires the visitor to solve a SHA-256 hash puzzle, and only then accepts the request. SEC-CPT runs on top of _abck, not instead of it.

How do I solve an Akamai 428 sec_cpt challenge via API?

Capture the challenge payload from the sec-cpt response headers. POST to https://api.meshprivacy.com/v1/tasks/submit with service: 'sec_cpt' and the challenge string (base64 or hex). Optionally pass challenge_data with nonce, difficulty, token, count, timestamp. Poll /v1/tasks/result/{task_id} for 5-15 seconds and resubmit with the returned sec_cpt_token.

How long does the sec_cpt token remain valid?

sec_cpt tokens expire in approximately 5 minutes. The token is single-use against the original 428-blocked request — solve, retry the request immediately, and re-solve the next time you hit a 428. Keep the same proxy IP and user agent throughout.

Why does the sec_cpt solve take longer than _abck?

SEC-CPT is a real cryptographic proof-of-work puzzle — the difficulty parameter controls how many SHA-256 iterations are required, often pushed to 16-20 leading zero bits on critical endpoints. MeshPrivacy computes the proof server-side in 5-15 seconds depending on difficulty. Upstream timeout is 120 seconds. We do not advertise sub-second numbers because the math is unavoidable.

How much does sec_cpt solving cost?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. New accounts get 20 free credits with no credit card required.

Do I still need a valid _abck cookie alongside sec_cpt?

Yes. SEC-CPT is layered on top of the standard Bot Manager flow, so the protected request must carry both a passing _abck cookie (marker ~-1~) and the fresh sec_cpt token. Solve _abck via /docs/akamai first, then solve sec_cpt for the 428 retry.

Looking for the broader Akamai _abck flow? See /docs/akamai. SecCPT is the proof-of-work step on top.

Resolving Akamai SecCPT 428 Challenges

Akamai SecCPT is the proof-of-work challenge served on high-security operations such as login or checkout. When triggered, the server returns HTTP 428 with a challenge payload (often base64 or hex) in the response. MeshPrivacy computes the proof and returns a valid sec_cpt token to retry the original request.

Service Schema

Field	Type	Required	Description
`challenge`	string	Yes	Challenge payload (base64/hex) from `sec-cpt` headers
`url`	string	No	Target URL
`script_url`	string	No	SecCPT script URL
`challenge_data`	object	No	JSON with `nonce`, `difficulty`, `token`, `count`, `timestamp`
`proxy_config`	string	No	Proxy in `http://user:pass@ip:port` format
`user_agent`	string	No	Custom user agent

Service ID: sec_cpt · Status: Stable

Where to find the challenge

When the server returns 428, look for headers prefixed with sec-cpt (e.g. sec-cpt-challenge) or a x-akamai-sitekey-style payload in the body. Pass the raw value as challenge. If the server returns parsed nonce/difficulty/token JSON instead, also pass it as challenge_data.

Integration Example

sec-cpt.js

// Submit Akamai SecCPT task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'sec_cpt',
    challenge: '<base64-or-hex-payload-from-sec-cpt-headers>',  // required
    url: 'https://target-site.com/',                            // optional
    script_url: 'https://target-site.com/akam/sec-cpt.js',      // optional
    challenge_data: {                                           // optional - challenge JSON
      nonce: '...',
      difficulty: 16,
      token: '...',
      count: 1,
      timestamp: 1715500000
    },
    proxy_config: 'http://user:pass@ip:port',                   // optional
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'  // optional
  })
});
const { task_id } = await response.json();

const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});
const { sec_cpt_token, cookies } = await result.json();
// Send sec_cpt_token in retry of the original request

FAQ

Approximately 5 minutes. The token must be replayed against the original request before expiry.

Related Services

Akamai _abck|SBSD|DataDome|PerimeterX