What is the _vcrcs cookie?

_vcrcs is the session cookie Vercel Firewall sets after a visitor passes the JavaScript challenge on a protected route. The cookie binds the session to the visitor's IP and user agent and is required on every subsequent request to the protected domain until it expires (typically 1-2 hours).

How do I solve a Vercel Firewall challenge programmatically?

Submit a POST to https://api.meshprivacy.com/v1/tasks/submit with service: 'vercel', the target Vercel-hosted url, optionally the script_url to challenge.js and the challenge_id from URL params or hidden inputs, your proxy_config and user_agent. Poll /v1/tasks/result/{task_id} for 3-8 seconds and attach cookies._vcrcs to downstream requests.

Where do I find the Vercel challenge_id?

When Vercel Firewall serves the challenge HTML, the challenge_id appears either in the URL query string (e.g. ?__vercel_challenge_token=...) or as a hidden form input on the challenge page. Pass it to MeshPrivacy as challenge_id when known — the solver runs faster with it, but can still complete without if you supply the original url.

Why does my _vcrcs cookie return 403 on the next request?

Vercel Firewall binds _vcrcs to the originating IP and user agent. Re-using the cookie from a different proxy, a different browser fingerprint, or after expiry returns 403. Always solve from the exact proxy and user agent you will retry from, and refresh the cookie when it expires.

How fast does MeshPrivacy generate _vcrcs cookies?

Vercel Firewall solves typically take 3-8 seconds. Upstream timeout is 120 seconds. We do not advertise sub-second numbers — Vercel's challenge.js script requires real compute time on every solve.

How much does Vercel Firewall solving cost?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. New accounts get 20 free credits with no credit card required.

Does Vercel Firewall protect Next.js apps differently than other routes?

No — Vercel Firewall sits at the edge in front of every Vercel-hosted route, regardless of whether the origin is Next.js, SvelteKit, Astro, or a static site. The challenge HTML and _vcrcs cookie are identical. The same service: 'vercel' endpoint handles all of them.

Resolving Vercel Firewall Challenges

Vercel Firewall gates protected URLs behind a JavaScript challenge that issues a _vcrcs session cookie on success. MeshPrivacy executes the challenge server-side and returns the cookie ready to attach to your downstream requests.

Service Schema

Field	Type	Required	Description
`url`	string	Yes	Vercel-hosted page showing the challenge
`script_url`	string	No	Vercel challenge script URL
`challenge_id`	string	No	Challenge ID from URL params or hidden inputs
`proxy_config`	string	No	Proxy in `http://user:pass@ip:port` format
`user_agent`	string	No	Custom user agent

Service ID: vercel · Status: Stable

Real-time API status: trust.meshprivacy.com

Cookies Returned

_vcrcs — Vercel firewall clearance cookie

Bind the cookie to the same proxy IP and user agent used for the solve.

Integration Example

vercel.js

// Submit Vercel Firewall task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'vercel',
    url: 'https://target-site.vercel.app/',                   // required
    script_url: 'https://vercel.com/_vercel/challenge.js',    // optional
    challenge_id: '<from URL params or hidden inputs>',       // optional
    proxy_config: 'http://user:pass@ip:port',                 // optional
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'// optional
  })
});
const { task_id } = await response.json();

const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});
const { cookies } = await result.json();
// Use the returned _vcrcs cookie in downstream requests

FAQ

Some Vercel deployments rotate the challenge ID per request and embed it in the URL or a hidden form field. Pass it explicitly only when the page exposes it.

Related Services

Cloudflare WAF|AWS WAF|Akamai|DataDome