Castle bypass, request token generated.

A Castle bypass without a browser. Takion generates a valid x-castle-request-token in one call, so your login and checkout requests clear Castle's risk check and go through.

Last updated · Coverage tested against a live Castle target.

Getting blocked by Castle?

Castle protects logins, signups, and checkouts against account takeover and fraud. Every protected call has to carry a valid x-castle-request-token, minted from browser signals and the session's __cuid cookie. Takion generates that token server-side, with no browser on your end, and returns it ready to attach. Send it with your login or checkout request and Castle clears you.

Trial access is gated

Castle guards logins and checkouts, so a bypass can enable account takeover and payment fraud. Trial access is not automatic. Contact us first and tell us your use case.

How Castle works

Castle (castle.io) is an account-security layer: it scores logins, signups, and checkouts to stop account takeover, fake accounts, and abuse. It reads browser characteristics, behavior, and request patterns, and expects every protected call to carry a valid x-castle-request-token minted from those signals and the session's __cuid cookie.

Takion generates that token server-side from the page's site key (the pk_ value) and your __cuid, and returns it ready to send. One call, no browser. You attach the x-castle-request-token / castle_token to your login or checkout request, carry the __cuid alongside it, and the request clears.

  • Challenges Takion covers
  • Account-takeover and fake-account risk scoring
  • x-castle-request-token / castle_token on login and checkout
  • __cuid session binding
  • Browser-characteristic and behavior signals

What one call returns

One call to the Castle endpoint returns a valid x-castle-request-token and the __cuid it is bound to, ready to attach to your login or checkout request.

x-castle-request-token / castle_token

the request token you attach to the protected login or checkout call

__cuid

the session cookie the token is bound to (generated if you do not supply one)

curl -G https://castle.takionapi.tech/generate \
  --data-urlencode "api_key=$TAKION_KEY" \
  --data-urlencode "website=rockstar"          # or site_key=pk_... for any target
# → { "token": "<x-castle-request-token>", "__cuid": "<cuid>" }

Read the Castle docsSame key, every wall. Same JSON shape, every vendor.

How the Castle bypass works, end to end

No browser, no SDK on your side. Four moves from the login wall to a cleared request.

  1. 1

    You load the protected page

    Hit the login, signup, or checkout page and read the Castle script tag. It loads cdn.castle.io/v2/castle.js?pk_.... The value after the ? is the scriptID you pass along.

  2. 2

    You call /generate once

    Send the target to castle.takionapi.tech/generate: a website shortcut like twitter or rockstar, or the site_key you parsed. Add your __cuid if you already have one. One GET, no SDK.

  3. 3

    We mint the token server-side

    Takion builds the token Castle's JS would have produced from the script context and your session, then binds it to the __cuid. Nothing runs in a browser on your end.

  4. 4

    You attach and send

    Read token from the response, put it where the target expects it, carry the __cuid alongside, and Castle scores the request as a real session.

The pieces of a Castle solve, decoded

Four things move through one request. Here's what each one is:

x-castle-request-token / castle_token
the request token you attach to the protected call. Rockstar reads it as a header, X reads it as castle_token.
__cuid
the session cookie the token is bound to. Send yours, or Takion generates one and hands it back with the token.
site_key (pk_...)
Castle's public key, parsed from the page's castle.js script tag. It names the target when there's no shortcut.
website shortcut
a name like twitter or rockstar so you skip parsing the site key yourself. One of website or site_key is required.

Why request-based beats a browser here

The browser way to pass Castle is to load castle.js, let it fingerprint a real Chrome, drive the login form, and hope the behavior signals read clean. That's a headless browser per account, and account flows run at scale. Login, signup, checkout: you're firing thousands of these, not one.

Takion mints the token directly. No castle.js running, no browser to fingerprint, no mouse path to fake. One GET returns the token and the __cuid it's bound to, so a solve is an HTTP round trip instead of a full page render. Send your real User-Agent, Sec-Ch-Ua, and Accept-Language on the call and the token matches the request you actually make.

What flags a Castle request

A valid token is necessary, not sufficient. Castle scores the whole session, and these break it:

  • Token and __cuid split apart. The token is bound to the __cuid. Send them from the same session or Castle reads a mismatch.
  • Header drift. Generate the token against one User-Agent and send another and the signals disagree. Match the User-Agent, Sec-Ch-Ua, and Accept-Language on the generate call and the final request.
  • Reused token. The token is minted for one request. Generate a fresh one per login or checkout attempt, don't replay an old one.
  • Wrong placement. Rockstar wants the x-castle-request-token header, X wants castle_token. Put it where the target reads it or the call goes out without it.
  • Dirty IP or velocity. Castle also scores connection and request patterns. Hammer a login from one flagged IP and no token saves you.

The one rule that keeps you cleared

Generate the token against the exact User-Agent, Sec-Ch-Ua, and Accept-Language you'll send, and keep it with its __cuid on one session. Castle scores consistency across the whole login. Match the session it minted for and you pass.

Some sites using Castle

Castle guards these sites. Takion clears it on each, so a rockstar games bypass is the same one POST as any other wall.

Rockstar Games

Social Club login

Castle bypass FAQ

Yes. Takion generates a valid x-castle-request-token (called castle_token on some website) from the site key and your session, and returns it ready to attach to the protected login or checkout request, along with the __cuid it is bound to.
For most targets, yes, the pk_ site key from the page. For common sites we support a shortcut, e.g. website=twitter or website=rockstar, so you do not have to parse it yourself.
Pass your session's __cuid if you have one; if not, Takion generates one and returns it. Keep it on the session that sends the token.
Yes. Both run Castle on login. Takion returns the token for each (Rockstar sends it as the x-castle-request-token header, X sends it as $castle_token), and you carry the __cuid alongside.
One call returns both. /generate responds with { "token": ..., "__cuid": ... }. The token is your x-castle-request-token; the __cuid is the cookie it's bound to. Pass your own __cuid and you get the same one back, omit it and Takion generates one. Keep both on the session that sends the final request.
Both, plus checkouts. Castle scores account creation, login, and payment flows to stop fake accounts, account takeover, and payment fraud. The same x-castle-request-token clears all of them, and you generate it the same way whichever flow you're hitting.
One GET, usually well under a second. There's no browser to boot and no castle.js to run. You send the target and your session headers, you get the token back, you attach it. The slow part is your own request to the site, not the token.
Only for access you're authorized to make: your own accounts, flows you have permission to automate. Castle guards logins and checkouts, so account takeover and payment fraud are exactly what it stops and exactly what we won't help with. Trial access is gated for that reason, so tell us your use case first. Our acceptable-use policy draws the line.

Every other wall

Start bypassing Castle today.

Start free, no card. One key clears every wall, and your first solve lands within the hour.