Akamai 传感器数据, 按需生成。
无需浏览器即可绕过 Akamai Bot Manager。Takion 生成有效的 sensor_data(v3 和 v4)并返回可通过的 _abck cookie,让你的请求通过 Bot Manager,直达数据。
最后更新 · 覆盖能力已针对一个实时的 Akamai Bot Manager 目标测试。
被 Akamai 拦住了?
Akamai Bot Manager 会拒绝非浏览器流量,除非你的请求带有有效的 _abck cookie——它通过 POST 一段被 Bot Manager 接受的 sensor_data(v3 或 v4)生成。Takion 在服务端生成该 payload,提交后返回处于已通过状态的 _abck 和 bm_sz cookie,你这边无需无头浏览器。把它们附加到你的请求上,Bot Manager 就会把你当作真实浏览器。
试用需要审核
为防止欺诈和滥用,试用不会自动开放。请先联系我们并说明你的使用场景。
Akamai 会给你设下哪些关卡
Akamai Bot Manager 会收集 sensor_data(一段庞大且混淆的遥测 payload,由它的 JavaScript 从鼠标移动、时序、设备和环境信号中构建而成),并将其 POST 到一个收集端点。响应会把 _abck cookie 从不可信状态翻转为有效状态。payload 出错,或提交顺序不对,_abck 就会一直无效,后续每个请求都会被限流或拦截。
Takion 会为 v3 和 v4 生成 sensor_data payload,提交后返回处于已通过状态的 _abck 和 bm_sz cookie。无需无头 Chrome,你这边也不必陷入没完没了的传感器生成苦差。一个 POST 返回的这套 cookie,会被 Bot Manager 当作真实浏览器对待。
- Takion 覆盖的挑战
- 传感器数据 v3 和 v4
- _abck cookie 验证(-1/有效状态的切换)
- bm_sz / ak_bmsc / bm_sv 会话 cookie
- SBSD 和 pixel 挑战
一次调用返回什么
一次调用即可返回处于已通过状态的 _abck 和 bm_sz cookie,以及 sensor_data payload,可直接重放到你的目标站点。
_abck处于有效、已通过挑战状态的 Bot Manager cookie
bm_sz与传感器配套的会话 cookie
sensor_data可直接 POST 的 v3/v4 遥测 payload
阅读 Akamai Bot Manager 文档同一个密钥,通吃每一堵墙。同一种 JSON 结构,适配每一个厂商。
How the Akamai bypass works, end to end
No browser, no sensor treadmill. Five moves from _abck -1 to data.
- 1
You hit the wall
Akamai serves the page with a raw _abck cookie ending in -1 and the sensor script. That -1 marker means untrusted. You grab that context.
- 2
You POST the context to Takion
Send the challenge context to akamai.takionapi.tech with your session proxy. One call, no SDK, no Chrome.
- 3
We generate the sensor_data
Takion builds the sensor_data payload for v3 or v4, keyed to your exact headers, and submits it to Akamai's collection endpoint.
- 4
Akamai flips _abck to valid
A correct payload clears the check. Takion hands back _abck and bm_sz in their passed state, no longer ending in -1.
- 5
You attach and you are in
Put the cookies on your own request, keep the same headers and proxy, and Bot Manager serves the data.
The Akamai cookie and sensor pieces, decoded
Bot Manager is a cookie set plus a telemetry payload. Here is what each piece does:
_abck- the primary Bot Manager cookie. Ends in -1 while untrusted, flips valid once a good sensor_data POST lands, and gets rescored on every request after
bm_sz- the session cookie set alongside _abck. Its hash seeds the character-substitution step of the v3 sensor encryption
ak_bmsc / bm_sv- extra session cookies Bot Manager pairs with the sensor. They travel with the session, and dropping them reads as a half-formed session
sensor_data- the large, obfuscated telemetry payload built from mouse, timing, device, and environment signals. This is what actually gets scored
sec-cpt- the proof-of-work interstitial some deployments add on top: a cryptographic challenge you have to solve before the page loads
Why request-based beats a headless browser here
The browser way to beat Akamai is a fleet of headless Chrome instances rendering the sensor script, faking mouse paths, and praying the fingerprint holds. It works until Akamai ships a new sensor build, then the whole farm goes dark until you re-patch it.
The sensor is not a captcha you can eyeball. v3 encrypts the payload with a two-step algorithm: it shuffles the elements with a PRNG seeded by a file hash pulled straight out of Akamai's live JavaScript, then substitutes every character with a second PRNG seeded by a hash off the bm_sz cookie. The first request uses a default cookie hash of 8888888, and every payload after keys off the bm_sz you got back. Get either seed wrong and _abck stays -1.
Takion reverses that logic and generates the payload directly. A solve is one HTTP round trip, not a page render. No Chrome farm, no Selenium to babysit, no retries when a container OOMs mid-sensor. You send the context, you get the cookies.
What flags an Akamai session
A valid _abck is necessary, not sufficient. Bot Manager keeps scoring after the flip, and these are what break a session:
- Header mismatch. The sensor_data is built against the exact headers of the request it was signed for. Replay it under a different or reordered header set and _abck rescores as untrusted.
- Stale cookie hash. The first sensor POST uses the default 8888888 hash; every payload after keys off the bm_sz you got back. Reuse an old bm_sz and the encryption seed is wrong.
- Wrong sensor version. A v3 payload sent to a v4 site (or the reverse) never validates. The build has to match what the target is running.
- Missing session cookies. Drop ak_bmsc or bm_sv and Bot Manager sees a half-formed session even with a valid _abck.
- Bad-reputation IPs. Flagged datacenter ranges get scored down before the sensor even matters. Clean residential or ISP proxies clear the reputation gate first.
The one rule that kills most 403s
The sensor_data is bound to the headers and cookies it was built against. Send the _abck, bm_sz, and header set Takion returns verbatim, and keep the session on one IP. Bot Manager scores consistency, so match the session it signed and _abck stays valid.
Akamai 绕过常见问题
- 支持。Takion 会为 v3 和当前的 v4 遥测格式生成有效的 sensor_data,并返回处于已通过状态的 _abck cookie 以及 bm_sz。每当 Akamai 发布新的传感器版本,我们都会在回归测试下重新实现它。
- 原始的 _abck 一开始处于不可信状态,只有在 Akamai 接受了一次正确的 sensor_data POST(且该 payload 是针对请求的确切请求头构建的)之后,它才会变为有效。Takion 会为你生成该 payload,并返回已处于有效状态的 cookie。
- 可以。同一个端点在标准传感器流程之外,也覆盖 Bot Manager 的 pixel 挑战和 SBSD。把你的请求指向目标,Takion 就会返回挑战所需的整套令牌。
所有其他防护墙
今天就上线你的 Akamai 绕过方案。
免费试用,之后一个密钥通吃每一堵墙。一小时内完成首次调用。