Bypassing Distil protection

Recently we have implemented an API to bypass Distil protection.

Once you reach a page with Distil javascript included you can use our API to bypass the protection and avoid being blocked bu Distil.

The process of interaction with the API can be described in three steps:

  • Gathering the required data from target website
  • Sending the data to our API and getting the response data
  • Performing requests according to the response data

Gathering the required data

  • Hit a target url and find the distil javascript library URL.

    <script type="text/javascript" src="/pvvhnzyazwpzgkhv.js" defer>

    The library URL is not static, it is generated per session so you need to get it for each session.

  • Download the library and encode it to base64

    curl -o lib.js

    base64 lib.js

  • Calculate SHA1 checksum for the javascript library data

    shasum -a 1 lib.js

  • Compile the gathered data into a JSON object with using following format:

        "JsSha1": "af2d0557c23ff2d8f40ccf4bec57e480704634e9",
        "JsUri": "",
        "JsData": "IWZ1bmN0...b3cpCg=="

    JsSha1 is SHA1 checksum of the javascript library
    JsUri is the library URL
    JsData is base64 encoded library data

Sending the data to API

Make HTTP POST request to providing the following parameters along with the data prepared on previous step in JSON format:


Request parameters

Parameter Required Type Description
key Yes String Your API key
method Yes String Use distil value to indicate that you are bypassing Distil
data Yes JSON data JSON data prepared on prevous step
json No Integer Set to 1 if you want to receive the response as JSON. Otherwise server will send the response as plain text
pingback No String You can provide your pingback URL and response will be sent to this url in HTTP POST request (more info)
soft_id No Integer ID of software developer

Server will respond with the ID of your request or with an error code if your request was malformed.

If status value is equal to 1 then your request was correct and the ID is inside request parameter.

If your request was malformed then status will have 0 value and request will contain an error code. You can find the description of error codes below.

Response examples:

normal response:

If you do not provide json: 1 value in your request server will respond as plain text

Response examples:

normal response:




Getting the response data

To get the data needed to bypass Distil make HTTP GET request to using the request ID obtained on previous step

Request parameters

Parameter Required Type Description
key Yes String Your API key
action Yes String Use get to indicate that you are requesting a response
id Yes String The ID of your request obtained on previous step
json No Integer Set to 1 if you want to receive the response as JSON. Otherwise server will send the response as plain text

Request URL example:

Response example:


If you have not provided json=1 parameter then server will send the respond as plain text. Normal response is separated into two parts by a vertical bar |. The first part OK indicates that request was processed successfully. The seconds part contains a string with the response data that should be parsed as JSON.

If resquest was unsuccessfull then the response contains only one string with an error code.

Response examples:

normal response:




Performing requests on the target website

The response received from our API contains two fields: tasks and headers.

You should perform tasks from the tasks array. Each task is a HTTP request that should be sent to specified URI with the parameters and headers provided for task.

There are two types of tasks:

  • One-time POST request (interval = 0): it creates a session and it should be executed immediately after receiving the tasks array from API.

  • Recurring HEAD request (interval > 0): used to keep the session alive. Should be executed every X milliseconds after one-time POST request according to interval value.

Use the headers sent back, along with preserving any cookies that are sent back with the original request.

Headers provided in API response should be used for any request to the target website after first POST request excluding recurring tasks

While keeping the session alive you can perform any actions on the target website without being blocked by Distil. But after some time or a number of requests Distil can drop your session and you will be redirected to "BOT CHECK" page. In such case you need to use our API once again and get a new session.

Task parameters

Parameter Description
uri URI to send HTTP request
method HTTP request method
headers Headers that should be provided in the request
data Data that should be provided in the request
interval Interval to repeat the request

Error handling

When interacting with the API you can receive the same error codes as returned by our API for other methods.

But also there is a specific error code for Distil API: ERROR_BAD_DATA

This error code means that data value you provided is not valid. Common cases:

  • Invalid JSON object provided in data
  • Blank or invalid base64 data in JsData
  • Invalid SHA1 checksum provided in JsSha1

If you receive ERROR_BAD_DATA check your request data and try again.


The rate for this methods is the same as the rate for token-captchas: $2.99 per 1000 requests.