绕过 Castle, 生成 request token。
无需浏览器即可绕过 Castle。Takion 一次调用即可生成有效的 x-castle-request-token,让你的登录和结账请求通过 Castle 的风险检测顺利放行。
最后更新 · 覆盖能力已针对一个实时的 Castle 目标测试。
被 Castle 拦住了?
Castle 保护登录、注册和结账,抵御账户盗用和欺诈。每个受保护的调用都必须带有一个有效的 x-castle-request-token,它由浏览器信号和会话的 __cuid cookie 生成。Takion 在服务端生成该令牌,你这边无需浏览器,返回后可直接附加。把它随登录或结账请求一起发送,Castle 就会放行。
试用需要审核
Castle 守护登录和结账,因此绕过它可能助长账户盗用和支付欺诈。试用不会自动开放。请先联系我们并说明你的使用场景。
Castle 的工作原理
Castle(castle.io)是一层账户安全防护:它会对登录、注册和结账打分,以阻止账户盗用、虚假账户和滥用。它读取浏览器特征、行为和请求模式,并要求每个受保护的调用都带有一个由这些信号和会话的 __cuid cookie 生成的有效 x-castle-request-token。
Takion 会在服务端根据页面的 site key(即 pk_ 值)和你的 __cuid 生成该令牌,并返回可直接发送的结果。一次调用,无需浏览器。你把 x-castle-request-token / castle_token 附加到登录或结账请求,并随附 __cuid,请求即可通过。
- Takion 覆盖的挑战
- 账户盗用与虚假账户风险评分
- 登录和结账环节的 x-castle-request-token / castle_token
- __cuid 会话绑定
- 浏览器特征与行为信号
一次调用返回什么
向 Castle 端点发送一次调用,即可返回有效的 x-castle-request-token 及其绑定的 __cuid,可直接附加到你的登录或结账请求。
x-castle-request-token / castle_token附加到受保护的登录或结账调用上的 request token
__cuid该令牌所绑定的会话 cookie(若你未提供,则自动生成)
curl -G https://castle.takionapi.tech/generate \
--data-urlencode "api_key=$TAKION_KEY" \
--data-urlencode "website=rockstar" # or site_key=pk_... for any target
# → { "token": "<x-castle-request-token>", "__cuid": "<cuid>" }阅读 Castle 文档同一个密钥,通吃每一堵墙。同一种 JSON 结构,适配每一个厂商。
How the Castle bypass works, end to end
No browser, no SDK on your side. Four moves from the login wall to a cleared request.
- 1
You load the protected page
Hit the login, signup, or checkout page and read the Castle script tag. It loads
cdn.castle.io/v2/castle.js?pk_.... The value after the?is the scriptID you pass along. - 2
You call /generate once
Send the target to
castle.takionapi.tech/generate: awebsiteshortcut liketwitterorrockstar, or thesite_keyyou parsed. Add your__cuidif you already have one. One GET, no SDK. - 3
We mint the token server-side
Takion builds the token Castle's JS would have produced from the script context and your session, then binds it to the
__cuid. Nothing runs in a browser on your end. - 4
You attach and send
Read
tokenfrom the response, put it where the target expects it, carry the__cuidalongside, and Castle scores the request as a real session.
The pieces of a Castle solve, decoded
Four things move through one request. Here's what each one is:
x-castle-request-token / castle_token- the request token you attach to the protected call. Rockstar reads it as a header, X reads it as
castle_token. __cuid- the session cookie the token is bound to. Send yours, or Takion generates one and hands it back with the token.
site_key (pk_...)- Castle's public key, parsed from the page's
castle.jsscript tag. It names the target when there's no shortcut. website shortcut- a name like
twitterorrockstarso you skip parsing the site key yourself. One ofwebsiteorsite_keyis required.
Why request-based beats a browser here
The browser way to pass Castle is to load castle.js, let it fingerprint a real Chrome, drive the login form, and hope the behavior signals read clean. That's a headless browser per account, and account flows run at scale. Login, signup, checkout: you're firing thousands of these, not one.
Takion mints the token directly. No castle.js running, no browser to fingerprint, no mouse path to fake. One GET returns the token and the __cuid it's bound to, so a solve is an HTTP round trip instead of a full page render. Send your real User-Agent, Sec-Ch-Ua, and Accept-Language on the call and the token matches the request you actually make.
What flags a Castle request
A valid token is necessary, not sufficient. Castle scores the whole session, and these break it:
- Token and __cuid split apart. The token is bound to the
__cuid. Send them from the same session or Castle reads a mismatch. - Header drift. Generate the token against one User-Agent and send another and the signals disagree. Match the
User-Agent,Sec-Ch-Ua, andAccept-Languageon the generate call and the final request. - Reused token. The token is minted for one request. Generate a fresh one per login or checkout attempt, don't replay an old one.
- Wrong placement. Rockstar wants the
x-castle-request-tokenheader, X wantscastle_token. Put it where the target reads it or the call goes out without it. - Dirty IP or velocity. Castle also scores connection and request patterns. Hammer a login from one flagged IP and no token saves you.
The one rule that keeps you cleared
Generate the token against the exact User-Agent, Sec-Ch-Ua, and Accept-Language you'll send, and keep it with its __cuid on one session. Castle scores consistency across the whole login. Match the session it minted for and you pass.
部分使用 Castle 的网站
Castle 守护着这些网站。Takion 在每一个上都能通过,所以绕过 rockstar games 和绕过任何其他防护墙一样,都是同一次 POST。
Castle 绕过常见问题
- 会。Takion 会根据 site key 和你的会话生成有效的 x-castle-request-token(在某些网站上称为 castle_token),并连同它所绑定的 __cuid 一起返回,可直接附加到受保护的登录或结账请求。
- 大多数目标都需要,即页面里的 pk_ site key。对于常见站点,我们提供了快捷方式,例如 website=twitter 或 website=rockstar,这样你就不必自己去解析它。
- 如果你有会话的 __cuid,就传进来;如果没有,Takion 会生成一个并返回。请让它保留在发送该令牌的那个会话上。
- 有效。两者的登录都使用 Castle。Takion 会分别返回对应的令牌(Rockstar 以 x-castle-request-token 请求头发送,X 以 $castle_token 发送),你随附 __cuid 即可。
所有其他防护墙
今天就上线你的 Castle 绕过方案。
免费试用,之后一个密钥通吃每一堵墙。一小时内完成首次调用。