How to bypass CaptchaFox
Introduction
CaptchaFox is a modern type of behavioral captcha that fundamentally differs from traditional verification methods. Instead of asking users to select traffic lights, enter text from an image, or click a checkbox, the system does not use graphical challenges or text input. Instead, it analyzes interaction patterns such as mouse movements, click timing, and action smoothness, making the service particularly resistant to standard bypass methods.
How does CaptchaFox work?
The system tracks and evaluates:
- Cursor trajectory — smoothness, acceleration, micro-jitters
- Timing metrics — delays between actions, time from page load to first click
- Behavioral patterns — how the user scrolls, clicks, and interacts with forms
- Technical signals — browser headers, Canvas parameters, WebGL, fonts
- Network context — IP reputation, geolocation, data consistency
If the system detects signs of automation (e.g., instant actions, lack of "human noise" in mouse movements, mismatched headers), it blocks access or presents a more complex challenge.
Why won't a regular script work?
Attempting to bypass CaptchaFox with a simple HTTP request or a headless browser without behavior emulation is doomed to fail. The captcha "understands" that the request comes from a script, not a human. That's why two components are critical for working with CaptchaFox:
- Proxy — with a "clean" reputation, matching the geolocation of the target site
- Real User-Agent — matching the browser version, OS, and device architecture
Step-by-Step strategy to bypass CaptchaFox
How to find the websiteKey: three reliable methods
Method 1: Page source code
- Open the page →
Ctrl+U - Search (
Ctrl+F) for:captchafox,sk_,data-key,CaptchaFox.init - Example of what you're looking for:
orhtml
<div id="captchafox-container" data-key="sk_xtNxpk6fCdFbxh1_xJeGflSdCE9tn99G"></div>javascriptwindow.CaptchaFox.init({ key: "sk_xtNxpk6fCdFbxh1_xJeGflSdCE9tn99G", ... });
Method 2: Network requests (DevTools → Network)
- Open DevTools (
F12) → Network tab - Refresh the page or perform the action that triggers the captcha
- In the filter, enter:
captchafox,uicdn,challenge,init - Find a request to
captchafox.comoruicdn.com - In the request parameters (Query String) or in the response body, look for the
keyorwebsiteKeyfield.
Method 3: JavaScript Console
Sometimes the captcha configuration is available globally:
javascript
// Try running in the console:
console.log(window.CaptchaFoxConfig);
console.log(window.__CFVUE?.captcha?.key);
console.log(document.querySelector('[data-key]')?.dataset.key);Important: The websiteKey can be dynamic and change when the page updates or the session refreshes. If the task fails to solve — refresh the key.
The most reliable method is Option 2.
Step 1: Submitting the solve task
Endpoint: POST https://api.2captcha.com/createTask
Task structure (CaptchaFoxTask)
json
{
"clientKey": "YOUR_API_KEY",
"task": {
"type": "CaptchaFoxTask",
"websiteURL": "https://example.com/protected-page",
"websiteKey": "sk_xtNxpk6fCdFbxh1_xJeGflSdCE9tn99G",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...",
"proxyType": "http",
"proxyAddress": "1.2.3.4",
"proxyPort": 8080,
"proxyLogin": "optional_user",
"proxyPassword": "optional_pass",
"apiServer": "https://cdn.captchafox.com/"
}
}Key fields explained
| Field | Purpose |
|---|---|
| type | Tells the API which solver to use |
| websiteURL | The worker loads the page in a real browser |
| websiteKey | Identifies the specific captcha instance |
| userAgent | Defines the browser's "identity" |
| proxy | Ensures the correct network context |
| apiServer | Specifies where to load captcha scripts from |
About apiServer: By default,
https://cdn.captchafox.com/is used. However, some sites load CaptchaFox from alternative sources, for example:
https://s.uicdn.com/mampkg/@mamdev/core.frontend.libs.captchafox/
In this case, the token will have theMAM_prefix. If you receive a token in the wrong format — find in the page source where the captcha script is loaded from, and specify that base URL inapiServer.
Successful response
json
{
"errorId": 0,
"taskId": 987654321,
"status": "processing"
}Save the
taskId— you'll use it to retrieve the result.
Step 2: Retrieving the token
Endpoint: POST https://api.2captcha.com/getTaskResult
json
{
"clientKey": "a1b2c3d4e5f6g7h8",
"taskId": 987654321
}Response with the solution
json
{
"errorId": 0,
"status": "ready",
"solution": {
"token": "7828075fb55ecbd9146745ee6f2bec475b88076d36e23050f1fb28359ffca15d"
},
"cost": "0.00145",
"createTime": 1695214711,
"endTime": 1695214720,
"solveCount": 1
}What to do with the token?
The received token is cryptographic proof that "a human passed the verification". Now you need to submit it correctly to the target website.
How to find where to insert the token?
- Open the target website in a browser with DevTools → Network enabled
- Perform the action that should pass the captcha (form submission, purchase, registration)
- Find the request sent after successful verification
- Check which field carries the token:
- Form parameter:
cf_token,captcha_response,captchafox_token - Header:
X-Captcha-Token,CF-Token - JSON body:
{"captcha": {"token": "..."}}
- Form parameter:
Example of using the token in a request:
python
import requests
token = "7828075fb55ecbd9146745ee6f2bec475b88076d36e23050f1fb28359ffca15d"
response = requests.post(
"https://example.com/api/submit",
headers={
"User-Agent": "Mozilla/5.0 ...", # Same as used for solving!
"X-Captcha-Token": token # Or another header name
},
data={
"field1": "value1",
"cf_token": token # Or another field name
},
proxies={
"http": "http://user:pass@1.2.3.4:8080", # Same proxy!
"https": "http://user:pass@1.2.3.4:8080"
}
)Critically important: The request with the token must be sent through the same proxy and with the same User-Agent as the captcha-solving task. Otherwise, the website will detect the mismatch and reject the token.
Also make sure to include the required headers and any other necessary parameters in your request.
Complete Working Example in Python
python
import requests
import time
from typing import Dict, Optional
class CaptchaFoxSolver:
"""Class for bypassing CaptchaFox via ruCaptcha API"""
def __init__(self, api_key: str):
self.api_key = api_key
self.create_url = "https://api.2captcha.com/createTask"
self.result_url = "https://api.2captcha.com/getTaskResult"
def create_task(self, website_url: str, website_key: str,
user_agent: str, proxy: Dict) -> Optional[str]:
"""Creates a captcha solve task"""
payload = {
"clientKey": self.api_key,
"task": {
"type": "CaptchaFoxTask",
"websiteURL": website_url,
"websiteKey": website_key,
"userAgent": user_agent,
"proxyType": proxy["type"],
"proxyAddress": proxy["address"],
"proxyPort": proxy["port"],
}
}
# Add proxy authentication if provided
if proxy.get("login") and proxy.get("password"):
payload["task"]["proxyLogin"] = proxy["login"]
payload["task"]["proxyPassword"] = proxy["password"]
# Custom API server if needed
if proxy.get("api_server"):
payload["task"]["apiServer"] = proxy["api_server"]
response = requests.post(self.create_url, json=payload, timeout=30)
result = response.json()
if result.get("errorId") != 0:
raise RuntimeError(f"Task creation error: {result}")
return result.get("taskId")
def get_result(self, task_id: str, timeout: int = 120) -> str:
"""Retrieves the solution token by polling the API"""
start_time = time.time()
while time.time() - start_time < timeout:
time.sleep(5) # Polling interval
response = requests.post(
self.result_url,
json={"clientKey": self.api_key, "taskId": task_id},
timeout=30
)
result = response.json()
if result.get("errorId") != 0:
raise RuntimeError(f"Result retrieval error: {result}")
if result["status"] == "ready":
return result["solution"]["token"]
# Still processing — keep waiting
continue
raise TimeoutError(f"Timeout ({timeout}s) exceeded for task {task_id}")
def solve(self, website_url: str, website_key: str,
user_agent: str, proxy: Dict) -> str:
"""Full cycle: create task → wait → return token"""
task_id = self.create_task(website_url, website_key, user_agent, proxy)
print(f"✅ Task created: {task_id}")
token = self.get_result(task_id)
print(f"✅ Token received: {token[:20]}...")
return token
# ==================== USAGE EXAMPLE ====================
if __name__ == "__main__":
# Initialize the solver
solver = CaptchaFoxSolver(api_key="your_api_key_here")
# Target site configuration
config = {
"website_url": "https://example.com/checkout",
"website_key": "sk_xtNxpk6fCdFbxh1_xJeGflSdCE9tn99G",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"proxy": {
"type": "http",
"address": "185.12.34.56",
"port": 8080,
"login": "proxy_user", # optional
"password": "proxy_pass", # optional
# "api_server": "https://s.uicdn.com/mampkg/@mamdev/..." # if needed
}
}
try:
# Solve the captcha
token = solver.solve(
website_url=config["website_url"],
website_key=config["website_key"],
user_agent=config["user_agent"],
proxy=config["proxy"]
)
# Use the token in the target request
response = requests.post(
url="https://example.com/api/submit",
headers={
"User-Agent": config["user_agent"],
"X-Captcha-Token": token
},
data={"order_id": "12345", "cf_token": token},
proxies={
"http": f"http://{config['proxy']['login']}:{config['proxy']['password']}@{config['proxy']['address']}:{config['proxy']['port']}",
"https": f"http://{config['proxy']['login']}:{config['proxy']['password']}@{config['proxy']['address']}:{config['proxy']['port']}"
}
)
print(f"🎯 Site response: {response.status_code}")
print(response.text)
except Exception as e:
print(f"❌ Error: {e}")Troubleshooting: What to do if it doesn't work
Token received, but the site rejects it
This is the trickiest scenario: the task is solved, you have the token, but the site won't accept it.
Possible causes:
-
Context mismatch
The request with the token was sent from a different IP or User-Agent.
Solution: Use the same proxy and the same User-Agent as when creating the task. -
Token expired
CaptchaFox tokens live for 2–5 minutes.
Solution: Send the request with the token immediately after receiving it. -
Wrong field/header
The site expects the token in one place, but you're sending it elsewhere.
Solution: Use DevTools → Network to see where the site accepts the token during manual solving.
Useful links
- Official CaptchaFox documentation
- Support service — create a ticket with your
taskIdif something isn't working
Frequently Asked Questions
Q: Can I bypass CaptchaFox without third-party services?
A: Theoretically — yes, but it would require deep browser, behavior, and network environment emulation. In practice, it's simpler and more reliable to use a specialized service.
Q: What if there are multiple captchas on the page?
A: Use the websiteKey of the captcha that blocks the action you need. It's usually tied to a specific form or button.
Q: How do I know if I need the apiServer parameter?
A: By default, don't specify it. If the token comes in the wrong format (the site expects MAM_... but you get a standard one) — find in the page source where the captchafox.js script is loaded from, and specify that base URL in apiServer.
Q: Can I use one proxy for different sites?
A: Technically — yes. But for maximum success rates, choose proxies matching the geolocation and theme of the target resource.
Conclusion
CaptchaFox is not an “unbreakable” protection, but rather a more advanced system that evaluates behavior and context. In most cases, issues arise not because of the captcha itself, but due to mismatched parameters such as proxy, User-Agent, or the way the token is used.
If you follow the basic rules, use real browser data, maintain a consistent environment, and handle the token correctly, the solution will be stable and predictable.
If errors occur, it is better not to guess. Analyzing a specific request and contacting support with detailed information will almost always help quickly identify and resolve the issue.