Scraping Central is reader-supported. When you buy through links on our site, we may earn an affiliate commission.

Guide

How to Bypass Akamai Bot Protection When Scraping

Learn how to bypass Akamai Bot Manager anti-bot protection for web scraping. Covers sensor data, cookie generation, and practical bypass techniques.

Akamai Bot Manager is one of the most sophisticated anti-bot systems, protecting major retailers, airlines, and financial institutions. Here is how to handle it when scraping.

How Akamai Bot Manager Works

Akamai uses a multi-layered detection approach:

  1. Sensor Data Collection, A JavaScript file (_bm/sz endpoint) collects browser telemetry including mouse movements, keyboard events, and device info
  2. Cookie Validation, The _abck cookie must contain valid sensor data to pass verification
  3. TLS Fingerprinting, Akamai checks your TLS client hello against known browser signatures
  4. Behavioral Analysis, Request patterns, timing, and navigation flow are monitored

Method 1: ScraperAPI (Recommended)

The easiest way to bypass Akamai is to let ScraperAPI handle it entirely.

import requests

API_KEY = "YOUR_SCRAPERAPI_KEY"
target_url = "https://akamai-protected-site.com/products"

response = requests.get(
    "http://api.scraperapi.com",
    params={
        "api_key": API_KEY,
        "url": target_url,
        "render": "true"
    }
)
print(response.text)

ScraperAPI maintains browser profiles that generate valid Akamai sensor data automatically.

Method 2: ScrapingAnt

ScrapingAnt also handles Akamai-protected sites effectively.

import requests

response = requests.get(
    "https://api.scrapingant.com/v2/general",
    params={
        "url": "https://akamai-protected-site.com",
        "x-api-key": "YOUR_SCRAPINGANT_KEY",
        "browser": "true"
    }
)
print(response.text)

Method 3: Browser Automation with TLS Matching

If you need a self-hosted solution, you must match a real browser's TLS fingerprint and generate valid sensor data.

from curl_cffi import requests as cffi_requests

# curl_cffi impersonates real browser TLS fingerprints
session = cffi_requests.Session(impersonate="chrome136")

# First visit the page to get the Akamai challenge script
response = session.get("https://akamai-protected-site.com")

# The _abck cookie is set after JavaScript execution
# For full bypass, you need a real browser or API service

Why Self-Hosted Akamai Bypass Is Hard

Akamai's sensor data includes over 100 browser attributes. Generating valid sensor data requires:

  • Accurate browser environment emulation
  • Realistic mouse movement and timing data
  • Valid canvas and WebGL fingerprints
  • Proper TLS fingerprint matching

This is why using a managed service like ScraperAPI is the recommended approach for most projects. The engineering effort to maintain a custom Akamai bypass typically exceeds the cost of an API subscription.

Key Takeaways

  • Akamai relies heavily on JavaScript sensor data and TLS fingerprinting
  • Managed scraping APIs handle Akamai bypass automatically
  • Self-hosted solutions require TLS impersonation and full browser execution
  • Keep your bypass updated, as Akamai regularly updates detection methods