NuData bypass, nds-pmd generated.

A NuData bypass without a browser. Takion generates the nds-pmd behavioral payload NuData expects, so your login and checkout requests pass its fraud check and go through.

Last updated · Coverage tested against a live NuData target.

Getting blocked by NuData?

NuData does not show a captcha. It scores the behavior behind your request and expects a matching payload, usually sent as nds-pmd, on sensitive actions like login and payment. Takion generates that payload server-side, with no browser on your end, and returns it ready to attach under the field name the site expects. Drop it into your request and the fraud check clears.

How NuData works

NuData Security (now part of Mastercard) does not throw a captcha, it watches behavior. Its sensor script collects a stream of device, timing, and interaction signals and packs them into a payload, usually sent as nds-pmd, that the site posts alongside sensitive actions like login and payment. A missing or robotic payload flags the request as fraud and the action is refused.

Takion reads the NuData sensor script for your target, generates a valid nds-pmd payload server-side, and returns it ready to attach. One call, no browser, no behavior to fake. You drop the payload into the login or checkout request under the field name the site expects (input_name), and it clears the fraud check.

  • Challenges Takion covers
  • Behavioral biometrics scoring (device, timing, interaction)
  • The nds-pmd payload on login and payment
  • Per-site token name (input_name) variation
  • Sensor script rotations

What one call returns

One call to the NuData endpoint returns the exact behavioral payload the site expects, ready to attach to your login or checkout request.

nds-pmd

the behavioral payload the login or checkout request expects

input_name

the exact field name to send the payload under; it varies per site

curl -G https://nudata.takionapi.tech/generate \
  --data-urlencode "api_key=$TAKION_KEY" \
  --data-urlencode "url=https://nudata.ticketmaster.com/2.2/w/w-481390/sync/js/"
# → { "result": "<nds-pmd payload>", "input_name": "nds-pmd" }

Read the NuData docsSame key, every wall. Same JSON shape, every vendor.

How the NuData bypass works, end to end

No captcha, no browser. NuData watches behavior, so Takion builds the behavioral payload for you. Five moves from flagged to cleared.

  1. 1

    Grab the sensor script URL

    Find the NuData script the page loads, like https://nudata.ticketmaster.com/2.2/w/w-481390/sync/js/. That URL tells us which site settings and field name to build against.

  2. 2

    Open a session

    Send the url as a query param to /generate. The first login call opens a session and hands back a session_id. Reuse that session_id on follow-up calls to stay in the same session.

  3. 3

    Describe the actions

    Put the user actions to simulate in the JSON body, an input and a sign-in button by default. For a payment flow set checkout: true and we build a checkout payload instead.

  4. 4

    We generate it server-side

    Takion loads the site's NuData settings, computes the device, timing, and interaction signals, and packs them into a valid payload. No browser runs on your side.

  5. 5

    Attach and send

    The response carries result, the payload, and input_name, usually nds-pmd. Drop result into your own login or checkout request under input_name and it clears the fraud check.

The NuData request, decoded

One endpoint, a few knobs. url and session_id ride as query params, the rest goes in the JSON body:

url (query)
the NuData sensor script URL. Lets us load the site's settings and detect the exact field name it wants
session_id (query)
returned by the first login call. Send it back to continue the same session instead of starting cold
actions (body)
the user actions to simulate, like an input and a sign-in button. Defaults to a password input plus sign-in
checkout (body)
set true to build a checkout payload instead of a login one, using your click_targets. Costs two requests
cookies + proxy (body)
your client cookies and proxy for the init flow, so the session lines up with the request you actually send
result + input_name (response)
the payload value and the field name to send it under, usually nds-pmd, plus the session_id to reuse

Why request-based beats a browser for behavioral signals

The browser way to pass NuData is to actually behave. You boot a real Chrome, move a mouse along a human-looking path, type at human speed, and hope the sensor script scores it as real. It works until NuData tunes its model, and it costs you a browser farm plus seconds of faked typing per login.

Takion reads the sensor script and builds the behavioral payload directly. We know what signals NuData collects and what a clean session looks like, so we generate one without rendering a page or faking a single mouse move. A solve is an HTTP call, not a browser session. You send a URL, you get the payload back.

What flags a NuData session

NuData scores the whole session, not one field. These are what tip it from clean to fraud:

  • No payload. Send the login or checkout without nds-pmd and NuData reads it as automation instantly. The field has to be there.
  • The wrong field name. input_name varies per site. Send the payload under nds-pmd when the site expects something else and it never gets scored. Use the input_name we return.
  • Robotic or empty signals. A payload with no real device, timing, or interaction data scores as a bot. Generating it server-side is the point, ours carries the signals NuData expects.
  • A stale or reused payload. Payloads are tied to a session and an action. Replay one across many logins and NuData's rescoring catches the reuse. Generate a fresh one per flow.
  • A broken session. On a login flow the session_id ties your calls together. Drop it, or mix cookies and proxy between the init and the real request, and the session stops lining up.

The one rule for a clean login session

On a login flow, open the session once, reuse the session_id it returns, and keep the same cookies and proxy across the init and the real request. NuData scores the session as a whole. Keep every call pointing at one consistent session and the payload lands clean.

Some sites using NuData

NuData guards these sites. Takion clears it on each, so a ticketmaster bypass is the same one POST as any other wall.

Ticketmaster

all subdomains, checkout and login

NuData bypass FAQ

There is no captcha to solve. NuData is behavioral, so Takion generates the nds-pmd behavioral payload the site expects and returns it ready to attach to your login or payment request.
Into the field the site sends it under, usually nds-pmd. The name can vary per site, so Takion also returns the exact input_name to use.
Yes. Point Takion at the NuData sensor script for the flow (login or checkout) and it returns a valid nds-pmd payload for that action, across Ticketmaster subdomains.
It is the sensor script the page loads, for example https://nudata.ticketmaster.com/2.2/w/w-481390/sync/js/. You pass that URL to Takion and it generates the payload against it.
On a login flow, the first call to /generate opens a session and returns a session_id. Send that same session_id back as a query param on any follow-up call, so NuData sees one continuous session instead of a cold start. A single GET with no session_id uses the default login actions and is enough for many flows.
NuData's sensor script collects device, timing, and interaction signals and packs them into the nds-pmd payload. Takion reads that script, knows which signals it wants, and builds a valid payload server-side. There is no mouse to move and no page to render. You get the payload the behavioral check expects, generated from one API call.
Yes. Set checkout: true in the JSON body and Takion builds a checkout payload instead of a login one, driven by the click_targets you pass. A checkout payload costs two requests. Login stays the default when you leave checkout off.
NuData scores logins, checkouts, and payments, so it is a fraud gate, not a scraping wall. Takion is for actions you are authorized to take, like logging into your own accounts. We take these targets case by case, so contact us first and we will confirm we can clear your specific flow before you build against it. Our acceptable-use policy draws the line, and fraud is off it.

Every other wall

Start bypassing NuData today.

Start free, no card. One key clears every wall, and your first solve lands within the hour.