TSPD (F5 Shape Security)

TSPD (Trusted Session Protection for Data) is a bot detection system developed by F5 Networks (formerly Shape Security). It protects high-value web applications — particularly in banking, airlines, and e-commerce — by analyzing browser fingerprints, behavioral signals, and network characteristics. When TSPD detects a suspicious request, it requires a verification token to proceed. The uCaptcha API solves TSPD challenges and returns a verification token.

Note

TSPD uses a single task type. There is no separate proxyless variant — proxy parameters are optional and can be included directly in the task if needed.

Supported Types

Type	Proxy	Description
TspdToken	Optional	Solve TSPD challenges (proxy parameters accepted but not required)

Parameters

Parameter	Type	Required	Description
type	string	Yes	Must be TspdToken
websiteURL	string	Yes	URL of the page protected by TSPD
websiteKey	string	Yes	TSPD site key or identifier

Proxy Parameters

Optional. Include these parameters if you want the task solved through your proxy.

Parameter	Type	Required	Description
proxyType	string	Yes	http, socks4, or socks5
proxyAddress	string	Yes	Proxy IP or hostname
proxyPort	integer	Yes	Proxy port
proxyLogin	string	No	Proxy username
proxyPassword	string	No	Proxy password

Create Task

Request

{
  "clientKey": "YOUR_API_KEY",
  "task": {
    "type": "TspdToken",
    "websiteURL": "https://example.com/secure",
    "websiteKey": "tspd_key_abc123def456"
  }
}

Response

{
  "errorId": 0,
  "taskId": "abc-123-def"
}

Solution Object

{
  "token": "tspd_session_eyJhbGciOiJ...verification_payload"
}

Field	Type	Description
token	string	The TSPD verification token to submit with the request

How to Use

Once you receive the token value from the solution:

1. Cookie injection — Set the TSPD token as the appropriate cookie (commonly _abck or a site-specific cookie name) in your HTTP client before making requests to the protected endpoint.
2. Request header — Some implementations require the token to be passed in a custom request header. Check the target site’s TSPD integration for the exact header name.

Caution

TSPD tokens are session-bound and time-sensitive. Use the token immediately after receiving it, and ensure your requests maintain the same session context (IP, User-Agent, cookies) used during task creation.

Code Examples

Python

import requests
import time

API_KEY = "YOUR_API_KEY"

# Create task
response = requests.post("https://api.ucaptcha.net/createTask", json={
    "clientKey": API_KEY,
    "task": {
        "type": "TspdToken",
        "websiteURL": "https://example.com/secure",
        "websiteKey": "tspd_key_abc123def456"
    }
})
task_id = response.json()["taskId"]

# Poll for result
while True:
    result = requests.post("https://api.ucaptcha.net/getTaskResult", json={
        "clientKey": API_KEY,
        "taskId": task_id
    }).json()

    if result["status"] == "ready":
        token = result["solution"]["token"]
        print("Token:", token)
        break
    elif result["status"] == "failed":
        print("Error:", result.get("errorDescription"))
        break

    time.sleep(5)

JavaScript

const API_KEY = "YOUR_API_KEY";

const { taskId } = await fetch("https://api.ucaptcha.net/createTask", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    clientKey: API_KEY,
    task: {
      type: "TspdToken",
      websiteURL: "https://example.com/secure",
      websiteKey: "tspd_key_abc123def456"
    }
  })
}).then(r => r.json());

while (true) {
  const result = await fetch("https://api.ucaptcha.net/getTaskResult", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ clientKey: API_KEY, taskId })
  }).then(r => r.json());

  if (result.status === "ready") {
    console.log("Token:", result.solution.token);
    break;
  } else if (result.status === "failed") {
    console.error("Error:", result.errorDescription);
    break;
  }

  await new Promise(r => setTimeout(r, 5000));
}

cURL

# Create task
curl -X POST https://api.ucaptcha.net/createTask \
  -H "Content-Type: application/json" \
  -d '{
    "clientKey": "YOUR_API_KEY",
    "task": {
      "type": "TspdToken",
      "websiteURL": "https://example.com/secure",
      "websiteKey": "tspd_key_abc123def456"
    }
  }'

# Poll for result (replace TASK_ID with the taskId from above)
curl -X POST https://api.ucaptcha.net/getTaskResult \
  -H "Content-Type: application/json" \
  -d '{
    "clientKey": "YOUR_API_KEY",
    "taskId": "TASK_ID"
  }'

Provider Coverage

• CapMonster
• RiskByPass

Aliases

The following legacy type names are also accepted for backward compatibility:

• TspdTask
• ShapeTspdToken
• CustomTask:tspd