Amazon WAF

Amazon WAF (AWS WAF) CAPTCHA is a bot mitigation challenge deployed on websites using Amazon Web Services’ Web Application Firewall. When triggered, the page loads a JavaScript challenge that requires solving before access is granted. The challenge parameters — including an initialization vector (iv), a context string, and optionally a challenge script URL — are embedded in the protected page’s HTML source.

| Type | Proxy Required | Description |
|---|---|---|
| AmazonToken | Yes | Solves the AWS WAF challenge using your proxy. Use when the target site performs IP validation between the challenge solution and subsequent requests. |
| AmazonTokenProxyLess | No | Solves the AWS WAF challenge without a proxy. Recommended for most use cases. |

| Parameter | Type | Required | Description |
|---|---|---|---|
| type | string | Yes | AmazonToken or AmazonTokenProxyLess |
| websiteURL | string | Yes | The URL of the page protected by AWS WAF |
| websiteKey | string | Yes | The site key found in the page source (the apiKey value in the WAF script configuration) |
| iv | string | Yes | The initialization vector extracted from the challenge page source |
| context | string | Yes | The context string extracted from the challenge page source |
| challengeScript | string | No | The full URL of the challenge JavaScript file. Found in the page source as a `<script>` tag loading from `*.token.awswaf.com`. |

Required when using the AmazonToken type:

| Parameter | Type | Required | Description |
|---|---|---|---|
| proxyType | string | Yes | http, socks4, or socks5 |
| proxyAddress | string | Yes | Proxy IP or hostname |
| proxyPort | integer | Yes | Proxy port |
| proxyLogin | string | No | Proxy username |
| proxyPassword | string | No | Proxy password |

```json
{
  "clientKey": "YOUR_API_KEY",
  "task": {
    "type": "AmazonTokenProxyLess",
    "websiteURL": "https://example.com/protected-page",
    "websiteKey": "AQIDAHjcYu/GjX+QlghicBg...",
    "iv": "CgAHazU5OA==",
    "context": "qoJBAi9jRw1uMKgGzqhm..."
  }
}
```

With proxy and optional challenge script:

```json
{
  "clientKey": "YOUR_API_KEY",
  "task": {
    "type": "AmazonToken",
    "websiteURL": "https://example.com/protected-page",
    "websiteKey": "AQIDAHjcYu/GjX+QlghicBg...",
    "iv": "CgAHazU5OA==",
    "context": "qoJBAi9jRw1uMKgGzqhm...",
    "challengeScript": "https://41bcdd4fb3cb.token.awswaf.com/41bcdd4fb3cb/orchestration/captcha/v1/jsapi.js",
    "proxyType": "http",
    "proxyAddress": "1.2.3.4",
    "proxyPort": 8080,
    "proxyLogin": "user",
    "proxyPassword": "pass"
  }
}
```

```json
{
  "errorId": 0,
  "taskId": "550e8400-e29b-41d4-a716-446655440000",
  "status": "processing"
}
```

```json
{
  "captcha_voucher": "eyJhbGciOiJIUzI1NiIs...",
  "existing_token": "aws-waf-token=0:eNoNy0E..."
}
```

| Field | Type | Description |
|---|---|---|
| captcha_voucher | string | The CAPTCHA voucher token returned by AWS WAF upon successful challenge completion |
| existing_token | string | The aws-waf-token cookie value to set in your browser or HTTP client |

  1. Extract the websiteKey, iv, and context values from the protected page source.
  2. Submit the task and poll for the solution.
  3. Set the aws-waf-token cookie using the existing_token value from the solution.
  4. Include the captcha_voucher in subsequent requests as needed (some implementations submit it via a hidden form field or JavaScript callback).
  5. Retry your original request with the cookie set.
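
From the site operator's side, steps 3 and 5 mean a token solved in one place is set on a different client, which can show up as one aws-waf-token value presented from more than one client IP or User-Agent. The following detection sketch is an added example, not part of the original page or any vendor's code; the records are constructed and assume AWS WAF-style log entries (`httpRequest.clientIp` plus a `headers` list) in which the Cookie header is not redacted, and all function names are hypothetical.

```python
import hashlib
from collections import defaultdict

def make_record(ip, cookie, agent):
    headers = [{"name": "User-Agent", "value": agent}]
    if cookie:
        headers.append({"name": "Cookie", "value": cookie})
    return {"httpRequest": {"clientIp": ip, "headers": headers}}

# Constructed sample records (not real traffic); IPs are documentation ranges.
SAMPLE_LOGS = [
    make_record("198.51.100.7", "aws-waf-token=0:constructed-token-A; theme=dark", "Mozilla/5.0 (X11; Linux x86_64)"),
    make_record("203.0.113.50", "aws-waf-token=0:constructed-token-A", "python-requests/2.31.0"),
    make_record("192.0.2.10", "aws-waf-token=0:constructed-token-B", "Mozilla/5.0 (Macintosh)"),
    make_record("192.0.2.10", "lang=en; aws-waf-token=0:constructed-token-B", "Mozilla/5.0 (Macintosh)"),
    make_record("192.0.2.99", "", "curl/8.5.0"),
]

def header(record, name):
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return ""

def waf_token(record):
    """Extract the aws-waf-token cookie value, or None if absent."""
    for part in header(record, "cookie").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "aws-waf-token" and value:
            return value
    return None

def fingerprint(token):
    """Hash the token so reports never carry a replayable cookie value."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]

def shared_tokens(records, max_ips=1):
    """Map token fingerprint -> IPs/agents for tokens seen from > max_ips IPs."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set()})
    for rec in records:
        token = waf_token(rec)
        if token is None:
            continue
        entry = seen[fingerprint(token)]
        entry["ips"].add(rec["httpRequest"]["clientIp"])
        entry["agents"].add(header(rec, "user-agent"))
    return {fp: {"ips": sorted(e["ips"]), "agents": sorted(e["agents"])}
            for fp, e in seen.items() if len(e["ips"]) > max_ips}

print(shared_tokens(SAMPLE_LOGS))
```

Legitimate clients also change networks, so a multi-IP token is a signal to combine with others (such as the User-Agent change in the sample) rather than a verdict on its own.
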
```python
import time

import requests

API_KEY = "YOUR_API_KEY"

# Create the task
response = requests.post("https://api.ucaptcha.net/createTask", json={
    "clientKey": API_KEY,
    "task": {
        "type": "AmazonTokenProxyLess",
        "websiteURL": "https://example.com/protected-page",
        "websiteKey": "AQIDAHjcYu/GjX+QlghicBg...",
        "iv": "CgAHazU5OA==",
        "context": "qoJBAi9jRw1uMKgGzqhm..."
    }
})
task_id = response.json()["taskId"]

# Poll for the result every 5 seconds
while True:
    result = requests.post("https://api.ucaptcha.net/getTaskResult", json={
        "clientKey": API_KEY,
        "taskId": task_id
    }).json()
    if result["status"] == "ready":
        solution = result["solution"]
        print("Voucher:", solution["captcha_voucher"])
        print("Token:", solution["existing_token"])
        # Set the aws-waf-token cookie and access the page
        session = requests.Session()
        session.cookies.set("aws-waf-token", solution["existing_token"].split("=", 1)[1], domain="example.com")
        page = session.get("https://example.com/protected-page")
        print("Status:", page.status_code)
        break
    elif result["status"] == "failed":
        print("Error:", result.get("errorDescription"))
        break
    time.sleep(5)
```
```javascript
const API_KEY = "YOUR_API_KEY";

// Create the task
const { taskId } = await fetch("https://api.ucaptcha.net/createTask", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    clientKey: API_KEY,
    task: {
      type: "AmazonTokenProxyLess",
      websiteURL: "https://example.com/protected-page",
      websiteKey: "AQIDAHjcYu/GjX+QlghicBg...",
      iv: "CgAHazU5OA==",
      context: "qoJBAi9jRw1uMKgGzqhm..."
    }
  })
}).then(r => r.json());

// Poll for the result every 5 seconds
while (true) {
  const result = await fetch("https://api.ucaptcha.net/getTaskResult", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ clientKey: API_KEY, taskId })
  }).then(r => r.json());
  if (result.status === "ready") {
    console.log("Voucher:", result.solution.captcha_voucher);
    console.log("Token:", result.solution.existing_token);
    break;
  } else if (result.status === "failed") {
    console.error("Error:", result.errorDescription);
    break;
  }
  await new Promise(r => setTimeout(r, 5000));
}
```
```bash
# Create the task
curl -X POST https://api.ucaptcha.net/createTask \
  -H "Content-Type: application/json" \
  -d '{
    "clientKey": "YOUR_API_KEY",
    "task": {
      "type": "AmazonTokenProxyLess",
      "websiteURL": "https://example.com/protected-page",
      "websiteKey": "AQIDAHjcYu/GjX+QlghicBg...",
      "iv": "CgAHazU5OA==",
      "context": "qoJBAi9jRw1uMKgGzqhm..."
    }
  }'

# Poll for the result (replace TASK_ID with the returned taskId)
curl -X POST https://api.ucaptcha.net/getTaskResult \
  -H "Content-Type: application/json" \
  -d '{
    "clientKey": "YOUR_API_KEY",
    "taskId": "TASK_ID"
  }'
```

  • 2Captcha
  • CapSolver
  • Anti-Captcha
  • CapMonster
  • RiskByPass

The following backward-compatible type names are also accepted:

| Alias | Maps To |
|---|---|
| AmazonTask | AmazonToken |
| AmazonTaskProxyless | AmazonTokenProxyLess |
| AntiAwsWafTask | AmazonToken |
| AntiAwsWafTaskProxyLess | AmazonTokenProxyLess |