DataDome
Bypass DataDome with a single API call
Solve the interstitial, slider CAPTCHA and tags.js device checks and take back a valid datadome cookie from one HTTP request. No headless browser, and no bytecode VM to reverse every time they ship an update.
# send the challenge page, get a payload back $ curl -s https://dd.antibotapi.com/interstitial \ -H "x-api-key: $KEY" -H "content-type: application/json" \ -d @challenge.json { "payload": "…", "headers": { … } } # submit to DataDome for a datadome cookie
The challenge
What DataDome puts in your way
DataDome scores every request at the edge against 200+ signals, then serves one of three challenges, sometimes several at once.
Passive device and behaviour data in two steps, CH then LE. No block page, but skip it and your trust score is lowered.
The automatic device-check page. Runs a custom bytecode VM and WASM into an encrypted payload.
Slide the piece to complete the puzzle. Adds mouse-movement signals to prove a human dragged it.
On top of the challenge, every request is fingerprinted, TLS (JA3/JA4), HTTP/2 order and client hints, all cross-checked against your user agent and IP. A correct payload from the wrong client is still a block.
Why it's hard
Reversing it doesn't stay done
The challenge script ships obfuscated: proxied functions, encrypted strings, mixed boolean arithmetic, control-flow flattening, and now a custom stack-based bytecode VM. You would map every signal, forge the payload with the right encoding, then keep it working as DataDome rotates the script. Run the real thing instead and you are back to a browser farm: hundreds of megabytes of RAM per solve, automation leaks, and a rebuild on every update. We wrote up how DataDome works and the bytecode VM in detail.
How it works
Four steps, one API call
A 403 references ct.captcha-delivery.com and carries a dd object pointing at the device-check page.
Build the device-check URL, fetch it, and base64-encode the page it returns.
POST the URL and encoded page to /interstitial. We return the payload plus the client hints to send.
Post the payload to DataDome, take the datadome cookie, and replay your original request.
curl -X POST https://dd.antibotapi.com/interstitial \ -H "x-api-key: YOUR_API_KEY" \ -H "content-type: application/json" \ -d '{ "device_check_link": "https://geo.captcha-delivery.com/interstitial/?initialCid=…", "device_check_page": "<base64 of the challenge page>", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) … Chrome/146.0.0.0 Safari/537.36", "ip_address": "<your proxy IP>" }'
The slider CAPTCHA (/captcha) and tags.js (/tags, CH then LE) follow the same shape from the same key. Full reference in the DataDome docs.
API vs browser automation
One HTTP call, not a browser farm
| DISASM API | Headless browser | |
|---|---|---|
| Per solve | One HTTP request, ~50-100 ms | Full page load, VM and WASM execution |
| Model | Synchronous, solved in the response | Render, wait, retry |
| Infrastructure | An HTTP client, nothing else | A browser fleet, RAM and CPU per worker |
| Maintenance | We track every DataDome update | You re-tune on every rotation |
| Detection | Native payload, no automation leaks | webdriver, CDP traces, fingerprint gaps |
Pricing
Pay for requests, not browsers
Monthly packages, or pay as you go. Every account starts with a free trial. Prices exclude VAT.
FAQ
DataDome bypass questions
How does DataDome know I'm a bot?+
It scores every request at the edge against 200+ signals: TLS fingerprint (JA3/JA4), HTTP/2 frame and header order, client hints (Sec-CH-UA), the datadome cookie from earlier device checks, and IP reputation plus behaviour. A request only passes when every layer tells the same story.
What is the difference between the interstitial and the CAPTCHA?+
The interstitial is the automatic "verifying your device" page: no user action, it runs a custom bytecode VM and WASM and bundles the result into an encrypted payload. The CAPTCHA is the slider you drag to complete a puzzle, which also collects mouse-movement signals. A site can serve either or both.
What is tags.js and do I need it?+
tags.js submits passive device and behaviour signals in two steps (CH then LE) and tops up your session trust score. There is no block page, but high-security actions like add-to-cart often fail without it. We solve it on the /tags endpoint.
Do I need a headless browser?+
No. You send the challenge to our endpoint over plain HTTP and get back a payload to submit for a cookie. Nothing runs DataDome's JavaScript on your side, so there is no browser fleet to host or fingerprint.
How fast is a DataDome solve?+
Typically 50 to 100 ms, and it is synchronous: you POST the challenge and the solved payload comes back in the same response. No task IDs and no polling, unlike browser-farm captcha services that take seconds.
Why do I still get blocked with a valid datadome cookie?+
Usually the cookie is fine and the client sending it is not. Match Chrome's TLS fingerprint, send the client hints we return and honour Accept-CH, keep Accept-Language consistent with your IP, and move through the site like a real user.
Which programming languages are supported?+
Any language with an HTTP client. You call a plain HTTPS endpoint with a JSON body, so Python, Go, Node, C# or whatever you already use works. There is no SDK to install.
Is there a free trial?+
Yes. Every account starts with a free trial. After that you can pay as you go at £2.50 per 1,000 solves or move to a monthly package as your volume grows.
Ready to bypass DataDome?
Create an account, generate a key, and solve your first interstitial in minutes.