PerimeterX bypass, hold captcha included.

A PerimeterX (now HUMAN) bypass without a browser. Takion returns valid _px3 / _px2 cookies (and any other related one) and clears the press-and-hold pxhc captcha in one POST, so your requests get through, or the x-px-authorization header if you are hitting a mobile app.

Last updated · Coverage tested against a live PerimeterX / HUMAN target.

Getting blocked by PerimeterX?

PerimeterX (now HUMAN) rejects non-browser traffic until your request carries a valid _px3 / _px2 cookie set, and clears the press-and-hold (pxhc) captcha when it is served. On mobile SDK targets the same trust is carried in the x-px-authorization header instead. Takion generates them and returns them in a single POST, with no headless browser and no gesture to simulate on your side, so your request gets through. One key covers every supported wall; you bring your own proxy for the data request.

Trial access is gated

A PerimeterX bypass can be abused for fraud, so trial access is not automatic. If you want to evaluate it, contact us first and tell us your use case.

How PerimeterX works

PerimeterX (now HUMAN Security) builds a risk score from a device fingerprint and a deep telemetry analysis of your behavior, gathered during a press-and-hold captcha or ordinary page interactions through a series of encrypted posts. Its challenges rotate constantly, which is what makes it hard to keep up with by hand.

Takion generates and posts PerimeterX all the data it needs to whitelist your session, clears the press-and-hold captcha when it is served, and returns the _px3 / _px2 cookies in their passed state with any other required token. One POST, no browser, no gesture to simulate on your side. The cookies come back ready to replay.

Mobile apps that use the PerimeterX SDK work the same way: the tokens come back as an x-px-* header set instead of cookies. Same pattern, different values and computation. We handle both.

  • Challenges Takion covers
  • Press-and-hold captcha (pxhc)
  • _px3 / _px2 risk cookies
  • x-px-authorization mobile challenge

What one call returns

One POST to the PerimeterX endpoint returns the exact tokens the wall expects, ready to replay against your target.

_px3 / _px2 (and any other related one)

the primary risk cookie in its passed state

x-px-authorization

the header set mobile SDK targets expect

curl -X POST https://px{web/hc/mobile}.takionapi.tech/generate \
  -H "Authorization: Bearer $TAKION_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "url": "<the url of the page you aim to visit>", "proxy": "<your session proxy>", "extra": "<challenge or website details>" }'

Read the PerimeterX / HUMAN docsSame key, every wall. Same JSON shape, every vendor.

How the PerimeterX bypass works, end to end

No browser, no gesture to fake. Five moves from blocked to data.

  1. 1

    Point Takion at the target

    Grab the PerimeterX app id (_pxAppId) and the page URL of the site you are hitting. That is all Takion needs to know which wall it is minting for.

  2. 2

    You POST it to Takion

    Send the app id, page URL, your session proxy, and the user-agent you will replay to the web endpoint. One call, no SDK to embed.

  3. 3

    We mint the session server-side

    Takion runs the encrypted collector posts PerimeterX expects, builds the device signals its risk engine scores, and clears the press-and-hold captcha if the site serves one. No browser, no page render.

  4. 4

    You get _px3 back, passed

    The response carries the _px3 cookie in its passed state plus an x-px-session-id you can feed to the optional /tls helper to keep the session hot.

  5. 5

    You replay and you are in

    Attach _px3 to your own request, send it through the same proxy with the same user-agent, and PerimeterX sees a trusted session and serves the data.

The PerimeterX surfaces, decoded

One vendor, three shapes. Takion covers each on its own endpoint:

_px3 / _px2
the primary risk cookies PerimeterX sets on the web, returned in their passed state
Press-and-hold (pxhc)
the "press & hold to confirm you are human" block page, solved async and resolved back to a _px3
x-px-authorization
the header the iOS / Android SDK carries the same trust in, with x-px-original-token and x-px-context on some apps
x-px-session-id
Takion's session id, feed it to /tls to send more session-bound requests without re-minting
_pxAppId
the target's PerimeterX app id you hand Takion so it mints against the right deployment

Why request-based beats a headless browser here

The browser way to beat PerimeterX is a fleet of headless instances that render the page, fake a mouse path, and hold down the press-and-hold button for the right duration while the SDK streams encrypted telemetry back to *.perimeterx.net. It works until PerimeterX rotates the challenge, which it does constantly, and then every one of your instances is patching in real time.

Takion skips the browser entirely. We reverse the collector protocol and generate the payload directly, so a web solve is one HTTP round trip and a mobile solve is a header set you merge into your request. No emulator farm, no gesture timing to tune, no container to babysit when the challenge changes overnight. You send JSON, you get the token.

What flags a PerimeterX session

A valid _px3 is necessary, not sufficient. PerimeterX rescoring watches for these the moment you replay:

  • IP mismatch. The cookie is bound to the IP it was minted under. Solve behind the proxy you will actually send from.
  • User-agent drift. PerimeterX ties the session to the user-agent it was built against. Replay the exact one Takion was given, do not swap it.
  • fast_mode on a hard target. The quick solve trades a slightly weaker PX score for speed. On aggressive deployments, drop it and let the full solve run.
  • Cookie reuse across sessions. One _px3 is one session on one IP. Rotate the IP or burn the session, and re-mint.
  • Bad-reputation proxies. Flagged datacenter ranges score poorly before any challenge. Clean residential or ISP proxies clear the reputation gate first.

The one rule that kills most 403s

Mint under the same proxy and user-agent you replay from, and send the token Takion hands back verbatim. PerimeterX's whole model is consistency scoring across the session. Match the fingerprint it trusted and you stay cleared.

Some sites using PerimeterX

PerimeterX / HUMAN guards these sites. Takion clears it on each, so a zillow bypass is the same one POST as any other wall.

PerimeterX bypass FAQ

Yes. Takion solves the press-and-hold hold-captcha and returns the pxhc token together with valid _px3 / _px2 cookies, so you never render the button or simulate the gesture yourself.
Yes, we support and solve the init (normal webpage px generation).
Yes, just contact us to whitelist your app/website.
Almost always a consistency break. The _px3 cookie is bound to the IP, user-agent, and proxy it was minted under. Replay it from a different IP, a different user-agent, or a proxy PerimeterX never saw and its rescoring flags the mismatch. Solve under the proxy you will actually use, replay the exact user-agent Takion was given, and keep the session on one IP.
The trust lives in a different place. On the web PerimeterX carries it in the _px3 / _px2 cookies, so Takion returns those. On an iOS or Android app running the PerimeterX SDK the same trust rides in an x-px-authorization header set (with x-px-original-token and x-px-context on some apps), so Takion returns headers instead of cookies. You name the target, we return the right shape. Same key, both surfaces.
The hold captcha (pxhc) is asynchronous, so it runs slightly differently: you queue a solve, get a task id, and poll until it comes back solved with the _px3 cookie. A plain web session is a single POST and returns in seconds. Both skip the browser entirely, so neither renders the button or simulates the gesture on your side.
Takion is built for accessing data you are authorized to access: your own accounts, public data, sites you have permission to automate. A PerimeterX bypass can be abused for fraud, so trial access is gated and you contact us first with your use case. What you do with a cleared session is on you, and our acceptable-use policy draws the line.

Every other wall

Start bypassing PerimeterX today.

Start free, no card. One key clears every wall, and your first solve lands within the hour.