Getting Started

If you're already familiar with Akamai Bot Manager, install one of our SDKs for easy integration, or head to the API Reference to implement directly.


Understanding Akamai Protection

Akamai Bot Manager protects websites by requiring clients to generate and submit sensor data that proves they're legitimate browsers. This protection includes:

  • A dynamically generated script endpoint embedded in protected pages

  • An _abck cookie validated when performing protected actions

  • Cookie validation on protected endpoints (login, add to cart, checkout, etc.)

The _abck cookie becomes valid after successfully posting sensor data. A cookie containing ~0~ indicates you can stop posting sensors, though not all sites use this indicator.


Solution Flow

1. Initial page request

Make a GET request to the protected page—typically the page users visit before the protected action (e.g., product page before add-to-cart).

Use a TLS client that mimics Chrome and matches exact header order. See TLS Fingerprinting.

2. Parse script endpoint

Extract the Akamai script endpoint from the HTML response. The script tag is typically near the end of the body:

example snippet
<script type="text/javascript" src="/aB3dE/fG7/hI/jK/LmNoPqRsTuVwXyZ" defer></script>

Important: This path is unique and dynamic—never hardcode it.

3. Fetch script content

GET the script content from the parsed endpoint. Save the entire response body for Sensor 3.0 sites.

Maintain:

  • Same TLS client

  • Appropriate referrer header

  • Consistent cookie jar

4. Parse script data (3.0 only)

Check the sensor version: it starts with "3;" for 3.0 or "2;" for 2.0.

For 3.0 sites, parse the script using your parsing endpoint. Example using curl:

Parse script (example)
curl -X POST https://www.roolink.io/api/v1/parse \
  -H "Content-Type: text/plain" \
  -H "x-api-key: your-api-key" \
  -d '<script-body>'

Save the response for sensor generation.

5. Generate sensor data

Example request to generate a sensor:

Generate sensor (example)
curl -X POST https://www.roolink.io/api/v1/sensor \
  -H "Content-Type: application/json" \
  -H "x-api-key: your-api-key" \
  -d '{
    "url": "https://example.com/protected-page",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
    "_abck": "current-abck-cookie",
    "bm_sz": "current-bmsz-cookie",
    "scriptData": { ... }
  }'

6. Submit sensor data

POST the sensor to the script endpoint:

Submit sensor (example)
POST https://example.com/aB3dE/fG7/hI/jK/LmNoPqRsTuVwXyZ
Content-Type: text/plain

<sensor-data>

7. Validate and repeat

Check if _abck cookie is valid:

  • Contains ~0~ → proceed to protected action

  • No ~0~ indicator → post exactly 3 sensors then proceed

  • Max 3 attempts—if still invalid, check TLS/headers

8. Perform protected action

With a valid _abck cookie, proceed with your action.

Note: Protected actions typically invalidate the cookie. Regenerate before subsequent actions.


Critical requirements

TLS client

Header order

Akamai analyzes exact header order. Use Charles Proxy to capture the correct order.

Session consistency

Maintain throughout all requests:

  • Same User-Agent

  • Same TLS fingerprint

  • Same IP address

  • Proper cookie forwarding
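
Seen from the protected site's side, the consistency properties listed above are something request logs can be checked for. The following is an added example, not part of the original guide or of any vendor's product: it assumes hypothetical log fields (session, ip, ua, tls_fp, path) and constructed sample records, and it reports sessions in which the User-Agent, TLS fingerprint or IP address changed mid-session.

```python
from collections import defaultdict

# Constructed sample records (not real traffic). Field names are assumptions:
# "session" is the site's own session identifier, "tls_fp" a TLS fingerprint
# label (for example a hash computed at the edge), "ua" the User-Agent.
SAMPLE_LOG = [
    {"session": "s-1001", "ip": "198.51.100.7", "ua": "UA-A", "tls_fp": "fp-chrome", "path": "/product/42"},
    {"session": "s-1001", "ip": "198.51.100.7", "ua": "UA-A", "tls_fp": "fp-chrome", "path": "/cart/add"},
    {"session": "s-2002", "ip": "203.0.113.20", "ua": "UA-A", "tls_fp": "fp-chrome", "path": "/product/42"},
    {"session": "s-2002", "ip": "203.0.113.99", "ua": "UA-A", "tls_fp": "fp-other", "path": "/cart/add"},
    {"session": "s-3003", "ip": "192.0.2.5", "ua": "UA-A", "tls_fp": "fp-chrome", "path": "/login"},
    {"session": "s-3003", "ip": "192.0.2.5", "ua": "UA-B", "tls_fp": "fp-chrome", "path": "/login"},
]

# Attributes expected to stay constant for the lifetime of one session.
TRACKED = ("ua", "tls_fp", "ip")


def find_inconsistent_sessions(records, tracked=TRACKED):
    """Return {session: {attribute: [values in first-seen order]}} for every
    session in which a tracked attribute took more than one value."""
    seen = defaultdict(lambda: {attr: [] for attr in tracked})
    for rec in records:
        for attr in tracked:
            values = seen[rec["session"]][attr]
            if rec[attr] not in values:
                values.append(rec[attr])

    findings = {}
    for session, attrs in seen.items():
        changed = {a: v for a, v in attrs.items() if len(v) > 1}
        if changed:
            findings[session] = changed
    return findings


if __name__ == "__main__":
    for session, changed in find_inconsistent_sessions(SAMPLE_LOG).items():
        for attr, values in changed.items():
            print(f"{session}: {attr} changed: {' -> '.join(values)}")
```

An IP change on its own is a weak signal, since mobile and roaming clients change address legitimately; a User-Agent or TLS fingerprint change within one session deserves more weight.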


Troubleshooting

Sensors not working

Check TLS fingerprint.

Immediate blocking

Fix header order.

Can't find script

Check for SBSD challenge.

