Was this helpful?
How to bypass Basilisk captcha
Technical engineer
Introduction
Basilisk is a token-based bot protection system that uses cryptographic checks to verify users. Unlike classic captchas with image selection, Basilisk works in the background and returns a token that needs to be passed to the target website. When automating, it is important not only to get the token but also to correctly synchronize the environment (in particular, the User-Agent) with the one used when generating the solution.
In this guide, we will break down how to automate bypassing Basilisk using the 2Captcha API.
How to Find the Parameters for Solving
To submit a task for solving, you need to extract critical parameters from the page or network requests.
You will need the following values:
- websiteURL — the full address of the page where the captcha is loaded. Make sure you specify the exact URL visible in the browser address bar.
- websiteKey — the unique key of the captcha.
How to find them in practice:
Method 1: Through HTML code
- Open Developer Tools (F12) and go to the Elements tab.
- Find the captcha container with the data-sitekey attribute.
- Copy the value of the data-sitekey attribute — this is your websiteKey.
Method 2: Through network requests
- Open the Network tab in developer tools.
- Filter requests by keywords site_key or basilisk.
- Find the POST request to https://basiliskcaptcha.com/challenge/check-site.
- In the request payload, find the site_key field — this is your websiteKey.
API Parameters
The 2Captcha API supports two task types for Basilisk: using our internal proxies (BasiliskTaskProxyless) and using your own proxies (BasiliskTask). All parameters that need to be passed when creating a task are presented in the table below:
| Parameter | Required | Description |
|---|---|---|
| type | Yes | Task type. Specify BasiliskTaskProxyless or BasiliskTask |
| websiteURL | Yes | Full URL of the target web page |
| websiteKey | Yes | Unique captcha key obtained from the data-sitekey attribute or POST request |
| proxyType | No | Proxy type (http, socks4, socks5). Required for BasiliskTask type |
| proxyAddress | No | IP address or hostname of the proxy server |
| proxyPort | No | Proxy server port |
| proxyLogin | No | Login for proxy server authentication |
| proxyPassword | No | Password for proxy server authentication |
| userAgent | No | Browser User-Agent. It is recommended to pass the same one used in your script |
JSON Request Examples
A request to create a task (Proxyless):
json
{
"clientKey": "YOUR_API_KEY",
"task": {
"type": "BasiliskTaskProxyless",
"websiteURL": "https://example.com/page-with-basilisk",
"websiteKey": "b7890hre5cf2544b2759c19fb2600897"
}
}
A request using your own proxies:
json
{
"clientKey": "YOUR_API_KEY",
"task": {
"type": "BasiliskTask",
"websiteURL": "https://example.com/page-with-basilisk",
"websiteKey": "b7890hre5cf2544b2759c19fb2600897",
"proxyType": "http",
"proxyAddress": "1.2.3.4",
"proxyPort": 8080,
"proxyLogin": "user23",
"proxyPassword": "p4$w0rd"
}
}
A request to get the result is standard:
json
{
"clientKey": "YOUR_API_KEY",
"taskId": "TASK_ID_FROM_CREATE_TASK"
}
A successful response from the API will contain the token (captcha_response) and headers, including the User-Agent that was used during solving:
json
{
"errorId": 0,
"status": "ready",
"solution": {
"captcha_response": "5620301f30daf284b829fba66fa9b3d0",
"headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36"
}
},
"cost": "0.00299",
"createTime": 1692863536,
"endTime": 1692863556
}
Step-by-Step Implementation in Python
Getting the Solution and Preparing the Environment
The most important stage when working with Basilisk is correctly handling the response from the API. You need to extract the captcha_response to pass to the site and necessarily apply the User-Agent from the response headers.
python
import requests
from twocaptcha import TwoCaptcha
API_KEY = "YOUR_API_KEY"
solver = TwoCaptcha(API_KEY)
try:
result = solver.basilisk(
website_key='b7890hre5cf2544b2759c19fb2600897',
url='https://example.com/page-with-basilisk'
)
# Extract the captcha response and User-Agent from the solution
captcha_response = result['captcha_response']
required_user_agent = result['headers']['User-Agent']
print(f"Token received: {captcha_response}")
print(f"Required User-Agent: {required_user_agent}")
except Exception as e:
print(f"Error solving: {e}")
Injecting the Solution into the Target Website
After you receive the response, you need to correctly pass it to the target website. There are two critical rules here.
1. Passing the captcha_response
The captcha_response value needs to be passed to the target website as the Basilisk response. Depending on how the widget is integrated on the page, this is done in one of two ways:
Through a hidden field (if a form is used):
python
# Find the hidden field and insert the token
driver.execute_script(f"""
let tokenInput = document.querySelector('input[name="captcha_response"]'); // The field name may vary
if (tokenInput) {{
tokenInput.value = '{captcha_response}';
}}
""")
Through a POST request (if you send data directly via requests):
python
payload = {
'username': 'my_user',
'password': 'my_password',
'captcha_response': captcha_response # Pass the token in the request body
}
2. Synchronizing the User-Agent
If the solution from the API includes headers.User-Agent, you must use exactly the same User-Agent in the final request to the site. Basilisk ties the cryptographic proof to a specific User-Agent. If you submit the form with a different User-Agent, the server will notice and reject the token.
python
# Create a session and set the User-Agent from the API response
session = requests.Session()
session.headers.update({
'User-Agent': required_user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
})
# Send the final request with the token and the correct User-Agent
response = session.post('https://example.com/login', data=payload)
print("Response status:", response.status_code)
If you are using Selenium or Playwright, you will need to restart the browser or update the profile with the User-Agent that came in the API response before submitting the form.
Important Nuances and Best Practices
Basilisk is highly sensitive to network fingerprints. If you solve the captcha from one IP address and submit the form from another, the protection will instantly notice.
Always use high-quality residential proxies if the target website strictly checks IP addresses. To do this, use the BasiliskTask type and pass the proxy parameters directly to the API. The proxy used for solving and the proxy used for the final request must be identical.
Do not delay submitting the form. Basilisk tokens have a limited lifespan. As soon as you receive the captcha_response, immediately inject it and submit the form using the correct User-Agent.
Solution Accuracy Reports
If the website rejects the received token, be sure to report it. This helps the service improve its algorithms and refunds your funds for the failed attempt. You can submit a report through the dashboard or directly via the API.
Sending Reports via HTTP Requests
The 2Captcha API provides two endpoints for submitting reports.
Report for an incorrect solution (reportIncorrect)
Used when the website rejects the token. Funds for the task will be refunded to your balance.
JSON request:
json
{
"clientKey": "YOUR_API_KEY",
"taskId": "TASK_ID_FROM_CREATE_TASK"
}
Report for a correct solution (reportCorrect)
Used when the website accepts the token without errors. This helps the service maintain high recognition quality.
JSON request:
json
{
"clientKey": "YOUR_API_KEY",
"taskId": "TASK_ID_FROM_CREATE_TASK"
}
Troubleshooting Common Issues
If the API returns an ERROR_CAPTCHA_UNSOLVABLE error, you most likely copied the websiteKey incorrectly or specified the wrong page URL. Check the source code again.
If the site accepts the token but then still blocks you or asks you to pass the captcha again, the problem is almost certainly the User-Agent or IP address. Make sure you are using the exact User-Agent that came in the headers.User-Agent field of the API response, and that the final request goes through the same proxy as the solution.
Useful Links
- Basilisk API Documentation: https://2captcha.com/api-docs/basilisk-captcha
- Sending reports via API: https://2captcha.com/api-docs/report-correct and https://2captcha.com/api-docs/report-incorrect
- Detailed guide on submitting reports: https://2captcha.com/h/how-to-submit-reports
- Upload statistics and dashboard reporting: https://2captcha.com/statistics/uploads
- Support Center: https://2captcha.com/support/tickets/new
- Code examples on GitHub: https://github.com/2captcha
Conclusion
Bypassing Basilisk via 2Captcha requires attention to environment details. The process boils down to extracting the websiteKey from the data-sitekey attribute or network request, sending them to the API, receiving the captcha_response, and necessarily applying the User-Agent from the response for the final request. The main thing to remember is the strict binding of the token to the User-Agent: environment synchronization is the key to successfully passing the protection.