Imperva Incapsula
Bypass Incapsula with a single API call
Generate valid reese84 and ___utmvc cookies for Imperva Incapsula from one HTTP request. No headless browser, and no obfuscated payload of 200+ browser properties to reverse and rebuild every time they ship an update.
# send the site's sensor script, get a payload back $ curl -s https://incap.antibotapi.com/reese84 \ -H "x-api-key: $KEY" -H "content-type: application/json" \ -d @sensor.json { "payload": "0.AAAAB7f2…" } # submit to the site, get your reese84 cookie
The challenge
What Incapsula puts in your way
Incapsula guards logins, checkout and API endpoints with a stack of checks that all have to agree. The cookie is only half of it.
An obfuscated client-side sensor, now shipped as a custom bytecode JavaScript VM that changes shape on every update.
The rotating ___utmvc cookie, still live on many sites, sometimes running alongside reese84.
Your ClientHello and header order have to match the browser your user agent claims to be.
The sensor probes for the browser APIs and quirks a real Chrome exposes, and flags what a bot leaves out.
Why it's hard
Doing it by hand doesn't stay done
The sensor is heavily obfuscated and rebuilt often. To generate a payload yourself you would write a disassembler, a decompiler and a parser for their VM, then keep all three working every time Imperva ships a change. Run the real script instead and you are back to a full browser: slow, memory-hungry, and easy to fingerprint. We wrote up how reese84 actually works if you want the internals.
How it works
Four steps, one API call
Find the sensor
When a request comes back as the Pardon Our Interruption page, grab the reese84 script path the site injected.
Send it to us
POST the page URL, the script URL, the base64 script and your user agent to /reese84.
Submit the payload
Post the payload we return to the site's reese84 endpoint and get a token back.
Set the cookie
Drop the token in your jar and replay the original request. You're through.
curl -X POST https://incap.antibotapi.com/reese84 \ -H "x-api-key: YOUR_API_KEY" \ -H "content-type: application/json" \ -d '{ "page_url": "https://www.example.com/", "incapsula_url": "https://www.example.com/GEDIE-OF…/6913314970835659247?s=gLmE3ZfY", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) … Chrome/146.0.0.0 Safari/537.36", "script_b64": "<base64 of the sensor script>" }'
Two optional fields cover the rest: language for navigator.language, and pow for the sites that use proof of work. Full reference in the reese84 guide.
API vs browser automation
One HTTP call, not a browser farm
| DISASM API | Headless browser | |
|---|---|---|
| Per solve | One HTTP request | Full page load and script execution |
| Infrastructure | An HTTP client, nothing else | A browser fleet, RAM and CPU per worker |
| Maintenance | We track every Imperva update | You re-tune on every sensor change |
| Detection | Native sensor payload | Automation flags and fingerprint leaks |
| Scale | Bounded by your rate limit | Bounded by your server fleet |
Pricing
Pay for requests, not browsers
Monthly packages, or pay as you go. Every account starts with a free trial. Prices exclude VAT.
FAQ
Incapsula bypass questions
What is reese84?+
reese84 is Imperva Incapsula's client-side sensor. A protected page runs an obfuscated script that collects signals about your browser and posts them back; if Incapsula is satisfied it hands you a reese84 cookie that lets you through. Without a valid cookie you get the Pardon Our Interruption block page.
What is the difference between reese84 and ___utmvc?+
They are two generations of the same idea. ___utmvc is the older rotating cookie challenge; reese84 is the newer sensor, now shipped as a custom bytecode JavaScript VM. Many sites run one or the other, and some run both. Our API covers both from the same key.
Do I need a headless browser?+
No. You send the sensor script to our endpoint over plain HTTP and get back a payload to submit for a cookie. Nothing runs a browser on your side, so there is no browser fleet to host or fingerprint.
Why do I still get blocked even with a valid reese84 cookie?+
Usually the cookie is fine and the rest of the request gives you away. Incapsula also scores your TLS fingerprint, header order and IP. Send every request from a client that matches the user agent you gave us, keep your header order browser-like, and use good residential or mobile IPs on the hardest sites.
Does it work on every Incapsula site?+
It covers the reese84 sensor and the ___utmvc challenge, which is what the large majority of Incapsula-protected sites use. Some sites add a captcha step on top; if you hit one, talk to us and we will tell you where we stand.
Which programming languages are supported?+
Any language with an HTTP client. You call a plain HTTPS endpoint with a JSON body, so Python, Go, Node, C# or whatever you already use works. There is no SDK to install.
Is there a free trial?+
Yes. Every account starts with a free trial. After that you can pay as you go at £2.50 per 1,000 solves or move to a monthly package as your volume grows.
Ready to bypass Incapsula?
Create an account, generate a key, and send your first reese84 request in minutes.