Bypass PerimeterX

95% success on PerimeterX-protected targets. One API parameter.

_px3 signed. Human Challenge cleared. Page delivered.

  • Real browser fingerprints. TLS, HTTP/2, Canvas, and WebGL all match real Chrome on every request.
  • Adaptive challenge solving. JavaScript execution, CAPTCHAs, proof-of-work — handled without solver keys.
  • Session intelligence. Unblocked browser sessions reused across requests so PerimeterX sees a single coherent visitor.

One API parameter. Add asp=True. See the ASP docs.

1,000 free credits. No credit card required.
  • 4,000+ Fingerprint Datapoints
  • 200M+ Proxy IPs
  • 50+ Anti-Bots

COVERAGE

Every PerimeterX Signal, Matched

Bit-for-bit fingerprint parity with real Chrome. Not monkey-patching, not surface-level — engineered at the protocol and C++ layers.

_px3 Token Signed. Human Challenge Cleared.

PerimeterX (now HUMAN Security) chains _px3, _pxvid, _pxhd, and the X-PX-Authorization header. The Human Challenge press-and-hold isn't really about holding the button — it's the collector script emitting a signed telemetry payload before and during the interaction. Scrapium generates both sides automatically.

  • 95% success on PerimeterX
  • _px3 token: signed + replayed
  • Press & hold: telemetry payload generated
  • 5,000+ protected sites coverage

TLS + Cookie Triple

PerimeterX validates TLS fingerprint, then cross-references the _px3/_pxvid/_pxhd cookie triple plus the X-PX-Authorization header. A mismatch in any one invalidates the whole chain.

_px3 cookie
_pxvid tracking
_pxhd header
X-PX-Authorization
Collector payload
Why DIY Bypasses Fail

Press-and-hold automation alone isn't enough — the collector payload has to verify too.

  • curl-impersonate: no collector payload
  • px-bypass (OSS): abandoned
  • Playwright + click: telemetry mismatch
  • Selenium + stealth: fingerprint leaks
  • Scrapfly: 95%, tracked daily

Owned by HUMAN

Acquired by HUMAN Security in 2022. Same _px* cookies, same collector script, deeper fingerprint baseline.

HUMAN parent since 2022
Device Fingerprint — C++ Patches

PerimeterX reads Canvas, WebGL, AudioContext, Navigator, WebRTC, and DRM device IDs. Scrapium patches every signal at Chromium source level, not via JS hooks.

WebRTC
Navigator
DRM device
E-commerce + Ticketing

Heavy in high-friction targets: ticketing, luxury retail, financial accounts.

  • Ticketing
  • Luxury retail
  • Finance
PerimeterX Detection Stack — Every Layer Matched

PerimeterX chains TLS → collector payload → _px3 token → Human Challenge → behavioral biometrics. All four must align.

  • TLS + HTTP/2: Chrome wire format at edge
  • Collector Payload: signed under Scrapium real Chrome
  • _px3 Token + X-PX-Authorization: minted, cached, replayed coherently
  • Human Challenge: press-and-hold + telemetry both valid

Human Challenge — Both Sides

Press-and-hold plus a signed telemetry payload. Real human motion profiles, matched collector output.

  • Press-and-hold timing realistic
  • Behavioral biometrics coherent
  • Collector payload signed valid
  • JS puzzles solved inline

PROOF

One Parameter. PerimeterX Cleared.

Add asp=True. Scrapfly detects PerimeterX and routes through the correct engine — Curlium for HTTP-layer targets, Scrapium for JS-heavy ones.

Set asp=True and Scrapfly handles PerimeterX automatically. Picks Curlium or Scrapium per target.

python
from scrapfly import ScrapeConfig, ScrapflyClient, ScrapeApiResponse
client = ScrapflyClient(key="API KEY")

api_response: ScrapeApiResponse = client.scrape(
    ScrapeConfig(
        url='https://httpbin.dev/html',
        # bypass anti-scraping protection
        asp=True
    )
)
print(api_response.result)

typescript
import {
    ScrapflyClient, ScrapeConfig 
} from 'jsr:@scrapfly/scrapfly-sdk';

const client = new ScrapflyClient({ key: "API KEY" });
let api_result = await client.scrape(
    new ScrapeConfig({
        url: 'https://httpbin.dev/html',
        // bypass anti-scraping protection
        asp: true,
    })
);
console.log(api_result.result);

go
package main

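import (
	"fmt"
	"log"

	"github.com/scrapfly/go-scrapfly"
)

func main() {
	// Stop on a client construction error instead of discarding it.
	client, err := scrapfly.New("API KEY")
	if err != nil {
		log.Fatal(err)
	}
	result, err := client.Scrape(&scrapfly.ScrapeConfig{
		URL: "https://httpbin.dev/html",
		// bypass anti-scraping protection
		ASP: true,
	})
	// A failed scrape leaves no usable result to dereference below.
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(result.Result.Content)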
}

rust
use scrapfly_sdk::{Client, ScrapeConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::builder().api_key("API KEY").build()?;

    let cfg = ScrapeConfig::builder("https://httpbin.dev/html")
        // bypass anti-scraping protection
        .asp(true)
        .build()?;

    let result = client.scrape(&cfg).await?;
    println!("{}", result.result.content);
    Ok(())
}

shell
http https://api.scrapfly.io/scrape \
key==$SCRAPFLY_KEY \
url==https://httpbin.dev/html \
asp==true

// RESPONSE
json
{
  "result": {
    "status_code": 200,
    "success": true,
    "url": "https://httpbin.dev/html",
    "content": "<!DOCTYPE html><html>...</html>",
    "content_format": "raw",
    "content_type": "text/html; charset=utf-8",
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "server": "cloudflare"
    },
    "cookies": [],
    "duration": 1842,
    "log_url": "https://scrapfly.io/dashboard/monitoring/log/01J...",
    "asp_cost": 30
  },
  "context": {
    "asp": true,
    "proxy": {
      "country": "us",
      "type": "datacenter"
    }
  }
}

FAQ

Frequently Asked Questions

Can I test on my specific PerimeterX targets?

Yes. The free plan includes 1,000 API credits with no credit card required. Enable asp=True and test your exact targets before committing. Scrapfly achieves 95% success on PerimeterX-protected sites; failed requests are not charged.

How much does ASP cost?

ASP starts at 30+ credits per request, scaling with target complexity. You pay for what a specific target needs, not a flat premium. See pricing.

What is the PerimeterX Human Challenge?

Press-and-hold CAPTCHA paired with behavioral biometric validation. Holding the button is the easy part; the hard part is the collector script emitting a valid telemetry payload before and during the interaction. Scrapium generates both sides automatically. DIY guide: bypassing PerimeterX.

Is PerimeterX now HUMAN Security?

Yes. PerimeterX was acquired by HUMAN Security in 2022. The product is still commonly referred to as PerimeterX and still ships the _px3 / _pxvid / _pxhd cookie triple plus the X-PX-Authorization token.


// SEE ALSO

Bypass every other major anti-bot vendor too.

ASP handles every major anti-bot stack with the same flag. Switch targets, keep the parameter.