# Bypass PerimeterX

 95% success on PerimeterX-protected targets. One API parameter.

##  `_px3` signed. Human Challenge cleared. Page delivered. 

- **Real browser fingerprints.** [TLS](https://scrapfly.io/web-scraping-tools/ja3-fingerprint), [HTTP/2](https://scrapfly.io/web-scraping-tools/http2-fingerprint), [Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint), and [WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint) all match real Chrome on every request.
- **Adaptive challenge solving.** [JavaScript execution](https://scrapfly.io/docs/scrape-api/javascript-rendering), CAPTCHAs, proof-of-work, handled without solver keys.
- **Session intelligence.** Unblocked browser sessions reused across requests so PerimeterX sees a single coherent visitor.
 
**One API parameter.** Add `asp=True`. See the [ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection).

 [Get Free API Key](https://scrapfly.io/register) [Read ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection) 

 1,000 free credits. No credit card required. 

 

   

 FINGERPRINT DATA  LIVE  

















 

 

 + 4,000 more datapoints... 

 

 4,000+

 Fingerprint Datapoints 

200M+

 Proxy IPs 

50+

 Anti-Bots 

 



 

 

 

 

 

---

 COVERAGE## Every PerimeterX Signal, Matched

Bit-for-bit fingerprint parity with real Chrome. Not monkey-patching, not surface-level, engineered at the protocol and C++ layers.

 

 ##### \_px3 Token Signed. Human Challenge Cleared.

PerimeterX (now HUMAN Security) chains `_px3`, `_pxvid`, `_pxhd`, and the `X-PX-Authorization` header. The Human Challenge press-and-hold isn't really about holding the button, it's the collector script emitting a signed telemetry payload before and during the interaction. Scrapium generates both sides automatically.

**95%**success on perimeterx

**\_px3**token signed + replayed

**press & hold**telemetry payload generated

**5,000+**protected sites coverage

 





 

 

 ##### TLS + Cookie Triple

PerimeterX validates TLS fingerprint, then cross-references the `_px3`/`_pxvid`/`_pxhd` cookie triple plus the `X-PX-Authorization` header. A mismatch in any one invalidates the whole chain.

[JA4 match](https://scrapfly.io/web-scraping-tools/ja3-fingerprint)

\_px3 cookie

\_pxvid tracking

\_pxhd header

X-PX-Authorization

Collector payload

 

 





 ##### Why DIY Bypasses Fail

Press-and-hold automation alone isn't enough, the collector payload has to verify too.

 | **curl-impersonate** | no collector payload |
|---|---|
| **px-bypass (OSS)** | abandoned |
| **Playwright + click** | telemetry mismatch |
| **Selenium + stealth** | fingerprint leaks |
| **Scrapfly** | 95%, tracked daily |

 





 

 ##### Owned by HUMAN

Acquired by HUMAN Security in 2022. Same \_px\* cookies, same collector script, deeper fingerprint baseline.

 **HUMAN** parent since 2022 

 





 ##### Device Fingerprint, C++ Patches

PerimeterX reads Canvas, WebGL, AudioContext, Navigator, WebRTC, and DRM device IDs. Scrapium patches every signal at Chromium source level, not via JS hooks.

[Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint)

[WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint)

[Audio](https://scrapfly.io/web-scraping-tools/audio-fingerprint)

WebRTC

Navigator

DRM device

 

 





 ##### E-commerce + Ticketing

Heavy in high-friction targets: ticketing, luxury retail, financial accounts.

- Ticketing
- Luxury retail
- Finance
 
 





 

 ##### PerimeterX Detection Stack, Every Layer Matched

PerimeterX chains TLS → collector payload → \_px3 token → Human Challenge → behavioral biometrics. All four must align.

 **TLS + HTTP/2**Chrome wire format at edge

 

 **Collector Payload**signed under Scrapium real Chrome

 

 **\_px3 Token + X-PX-Authorization**minted, cached, replayed coherently

 

 **Human Challenge**press-and-hold + telemetry both valid

 

 

 





 ##### Human Challenge, Both Sides

Press-and-hold plus a signed telemetry payload. Real human motion profiles, matched collector output.

- Press-and-hold timing realistic
- Behavioral biometrics coherent
- Collector payload signed valid
- JS puzzles solved inline
 
 





 

 

---

 PROOF## One Parameter. PerimeterX Cleared.

Add `asp=True`. Scrapfly detects PerimeterX and routes through the correct engine, Curlium for HTTP-layer targets, Scrapium for JS-heavy ones.

 

Set `asp=True` and Scrapfly handles PerimeterX automatically. Picks [Curlium](https://scrapfly.io/curlium) or [Scrapium](https://scrapfly.io/scrapium) per target.

     Python TypeScript Go Rust HTTP / cURL  

      

 ```
from scrapfly import ScrapeConfig, ScrapflyClient, ScrapeApiResponse
client = ScrapflyClient(key="API KEY")

api_response: ScrapeApiResponse = client.scrape(
    ScrapeConfig(
        url='https://httpbin.dev/html',
        # bypass anti-scraping protection
        asp=True
    )
)
print(api_response.result)
```

 ```
import { 
    ScrapflyClient, ScrapeConfig 
} from 'jsr:@scrapfly/scrapfly-sdk';

const client = new ScrapflyClient({ key: "API KEY" });
let api_result = await client.scrape(
    new ScrapeConfig({
        url: 'https://httpbin.dev/html',
        // bypass anti-scraping protection
        asp: true,
    })
);
console.log(api_result.result);
```

 ```
package main

import (
	"fmt"
	"github.com/scrapfly/go-scrapfly"
)

func main() {
	client, _ := scrapfly.New("API KEY")
	result, _ := client.Scrape(&scrapfly.ScrapeConfig{
		URL: "https://httpbin.dev/html",
		// bypass anti-scraping protection
		ASP: true,
	})
	fmt.Println(result.Result.Content)
}
```

 ```
use scrapfly_sdk::{Client, ScrapeConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::builder().api_key("API KEY").build()?;

    let cfg = ScrapeConfig::builder("https://httpbin.dev/html")
        // bypass anti-scraping protection
        .asp(true)
        .build()?;

    let result = client.scrape(&cfg).await?;
    println!("{}", result.result.content);
    Ok(())
}
```

 ```
http https://api.scrapfly.io/scrape \
key==$SCRAPFLY_KEY \
url==https://httpbin.dev/html \
asp==true
```

 

 

 // RESPONSE    json  

 ```
{
  "result": {
    "status_code": 200,
    "success": true,
    "url": "https://httpbin.dev/html",
    "content": "<html>...</html>",
    "content_format": "raw",
    "content_type": "text/html; charset=utf-8",
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "server": "cloudflare"
    },
    "cookies": [],
    "duration": 1842,
    "log_url": "https://scrapfly.io/dashboard/monitoring/log/01J...",
    "asp_cost": 30
  },
  "context": {
    "asp": true,
    "proxy": {
      "country": "us",
      "type": "datacenter"
    }
  }
}
```

 

 

 

 [ Python SDK docs → ](https://scrapfly.io/docs/sdk/python) [ TypeScript SDK docs → ](https://scrapfly.io/docs/sdk/typescript) [ Go SDK docs → ](https://scrapfly.io/docs/sdk/golang) [ Rust SDK docs → ](https://scrapfly.io/docs/sdk/rust) [ HTTP API docs → ](https://scrapfly.io/docs) 

 

 

 [ Get Free API Key ](https://scrapfly.io/register) [ Read the Bypass Guide → ](https://scrapfly.io/blog/posts/how-to-bypass-perimeterx-human-anti-scraping) 

 

---

  FAQ## Frequently Asked Questions

 

  ### Can I test on my specific PerimeterX targets?

 Yes. The free plan includes 1,000 API credits with no credit card required. Enable `asp=True` and test your exact targets before committing. Scrapfly achieves 95% success on PerimeterX-protected sites; failed requests are not charged.

 

   ### How much does ASP cost?

 ASP starts at 30+ credits per request, scaling with target complexity. You pay for what a specific target needs, not a flat premium. See [pricing](https://scrapfly.io/pricing).

 

   ### What is the PerimeterX Human Challenge?

 Press-and-hold CAPTCHA paired with behavioral biometric validation. Holding the button is the easy part; the hard part is the collector script emitting a valid telemetry payload before and during the interaction. Scrapium generates both sides automatically. DIY guide: [bypassing PerimeterX](https://scrapfly.io/blog/posts/how-to-bypass-perimeterx-human-anti-scraping).

 

   ### Is PerimeterX now HUMAN Security?

 Yes. PerimeterX was acquired by HUMAN Security in 2022. The product is still commonly referred to as PerimeterX and still ships the \_px3 / \_pxvid / \_pxhd cookie triple plus the X-PX-Authorization token.

 

  

 

  ---

 // SEE ALSO### Bypass every other major anti-bot vendor too.

ASP handles every major anti-bot stack with the same flag. Switch targets, keep the parameter.

 [Cloudflare](https://scrapfly.io/bypass/cloudflare) 

 [Akamai](https://scrapfly.io/bypass/akamai) 

 [DataDome](https://scrapfly.io/bypass/datadome) 

 [Kasada](https://scrapfly.io/bypass/kasada) 

 [Incapsula](https://scrapfly.io/bypass/incapsula) 

 [F5](https://scrapfly.io/bypass/f5) 

 [AWS WAF](https://scrapfly.io/bypass/aws-waf) 

 

 

 [Get Free API Key](https://scrapfly.io/register) [View all anti-bot bypasses](https://scrapfly.io/bypass)