Struggling to scrape data from websites guarded by Castle Antibot? You’re definitely not alone. With Castle’s bot detection growing more advanced by the day, traditional scraping tactics just won’t cut it anymore. But here’s the good news: bypassing Castle’s protection is not only possible—it’s repeatable once you understand how it works.
After countless hours reverse-engineering Castle’s system, I’ve built a workflow that consistently gets around their defenses. With it, I managed to lift my successful scraping rate from a frustrating 15% to over 95%.
In this guide, I’ll walk you through exactly how to generate valid Castle tokens and use them to make authenticated requests—all with code examples you can plug into your own projects.
What is Castle Antibot?
Castle is not your run-of-the-mill bot blocker. It’s a full-fledged antibot platform that defends websites from scraping, credential stuffing, and automated abuse. Think of it as a behavioral firewall: it tracks how users interact with a page, fingerprints their browser environment, and then validates every request through a token.
At the heart of this system is the x-castle-request-token. Without it, your requests are dead in the water. This token isn’t static—it’s generated in real-time through JavaScript and incorporates fingerprinting data that mimics a human user.
Step 1: Identify Castle implementation
Before you start cracking the system, make sure Castle is actually in place. Here’s a straightforward way to check for it:
import requests
from bs4 import BeautifulSoup
def check_for_castle(url):
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
}
response = requests.get(url, headers=headers)
soup = BeautifulSoup(response.text, 'html.parser')
# Look for Castle script tags
castle_scripts = soup.find_all('script', src=lambda x: x and 'cdn.castle.io' in x)
if castle_scripts:
print("Castle Antibot detected!")
return True
else:
print("No Castle Antibot found on this site.")
return False
# Example usage
check_for_castle('https://example-protected-site.com')When Castle is active, you'll usually spot one or more scripts loading from cdn.castle.io in the site’s HTML. If they’re there, Castle is watching.
Step 2: Extract the necessary parameters
By now, you know you’re dealing with Castle. The next move? Extract two pieces of critical data:
- The
scriptID—usually embedded in the Castle script URL - The
__cuidcookie—if it’s set, it needs to be preserved
Here’s a simple function that grabs both:
import re
import requests
from bs4 import BeautifulSoup
def extract_castle_params(url):
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"Sec-Ch-Ua": '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"'
}
session = requests.Session()
response = session.get(url, headers=headers)
# Extract scriptID using regex
script_pattern = r'<script\s+src=["\'].*?cdn\.castle\.io/v2/castle\.js\?([^"\']+)["\'].*?>'
script_match = re.search(script_pattern, response.text)
if not script_match:
print("Could not find Castle script ID!")
return None, None
script_id = script_match.group(1)
# Get __cuid cookie if it exists
cuid = session.cookies.get('__cuid')
return script_id, cuid
# Example usage
script_id, cuid = extract_castle_params('https://example-protected-site.com')
print(f"Script ID: {script_id}")
print(f"CUID: {cuid}")The scriptID is what links your request to the Castle configuration for that specific site. And the __cuid cookie (if present) helps maintain continuity across sessions.
Step 3: Generate the Castle token
Here’s where the real work begins. You’ve got your scriptID and maybe a __cuid—now you need a valid x-castle-request-token. There are two ways to do this in 2025:
Method 1: Use a third-party token generation service
This is by far the fastest and most reliable option. Some services are designed specifically for this task and can generate valid tokens using just your extracted parameters.
import requests
def generate_castle_token(script_id, cuid=None):
api_url = "https://castle.takionapi.tech/generate"
params = {
"scriptID": script_id
}
headers = {
"x-api-key": "YOUR_API_KEY",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Sec-Ch-Ua": '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"',
"Accept-Language": "en-US,en;q=0.9"
}
if cuid:
params["__cuid"] = cuid
response = requests.get(api_url, params=params, headers=headers)
if response.status_code == 200:
data = response.json()
return data.get("castle"), data.get("__cuid")
else:
print(f"Error generating token: {response.status_code}")
return None, None
# Example usage
castle_token, new_cuid = generate_castle_token(script_id, cuid)
print(f"Castle Token: {castle_token}")
print(f"New CUID: {new_cuid}")Just drop in your API key and let the service handle the heavy lifting. If a new __cuid is issued, make sure to update your session.
Method 2: Build your own token generator (advanced)
If you’re up for a challenge—and want to avoid relying on external APIs—you can build a local token generator. This involves mimicking Castle’s JavaScript SDK logic and faking a full browser fingerprint.
Here’s a simplified version of how you might approach it:
import time
import json
import random
import hashlib
import requests
from base64 import b64encode
def custom_generate_castle_token(script_id, cuid=None):
# This is a simplified version - a full implementation would be more complex
# and would require deep knowledge of Castle's algorithms
# Generate basic fingerprint data
timestamp = int(time.time() * 1000)
browser_data = {
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"language": "en-US",
"colorDepth": 24,
"deviceMemory": 8,
"hardwareConcurrency": 8,
"screenResolution": [1920, 1080],
"availableScreenResolution": [1920, 1040],
"timezoneOffset": -240,
"timezone": "America/New_York",
"sessionStorage": True,
"localStorage": True,
"indexedDb": True,
"addBehavior": False,
"openDatabase": False,
"cpuClass": None,
"platform": "Win32",
"plugins": [],
"canvas": hashlib.md5(str(random.random()).encode()).hexdigest(),
"webgl": hashlib.md5(str(random.random()).encode()).hexdigest(),
"webglVendorAndRenderer": "Google Inc. (Intel)/ANGLE (Intel, Intel(R) UHD Graphics Direct3D11 vs_5_0 ps_5_0)",
"adBlock": False,
"hasLiedLanguages": False,
"hasLiedResolution": False,
"hasLiedOs": False,
"hasLiedBrowser": False,
"touchSupport": [0, False, False],
"fonts": ["Arial", "Courier", "Georgia", "Times", "Verdana"],
"audio": hashlib.md5(str(random.random()).encode()).hexdigest()
}
# Create payload
payload = {
"scriptID": script_id,
"timestamp": timestamp,
"fingerprint": browser_data,
"cuid": cuid or "",
"v": "2.0.5" # Castle SDK version
}
# This is where the real implementation would use complex algorithms
# to generate the valid token based on the payload
# For demo purposes, we're using a placeholder
token_raw = json.dumps(payload)
token = b64encode(token_raw.encode()).decode()
# Return a placeholder - in a real implementation, this would be
# a valid Castle token
return token, cuid or hashlib.md5(str(random.random()).encode()).hexdigest()Let’s be clear: this won’t work out of the box. A real implementation would need to emulate Castle’s encryption, obfuscation, and validation steps. But this gives you a starting framework if you're determined to roll your own.
Step 4: Implement the token in your requests
Once you've got a valid token, it’s time to make it count. Here’s how to include it in a real request:
def make_authenticated_request(url, castle_token, cuid):
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"x-castle-request-token": castle_token
}
cookies = {
"__cuid": cuid
}
response = requests.get(url, headers=headers, cookies=cookies)
if response.status_code == 200:
print("Request successful!")
return response
else:
print(f"Request failed with status code: {response.status_code}")
return None
# Example usage
response = make_authenticated_request(
"https://example-protected-site.com/api/data",
castle_token,
new_cuid
)
# Process the response if successful
if response:
data = response.json()
print(json.dumps(data, indent=2))The key here is combining the token with the right headers and cookie values. If you’ve done everything correctly, you should see a 200 OK response and the data you’re after.
Step 5: Maintain session persistence
Castle doesn’t just check the token—it monitors session consistency too. That means you need to maintain the same browser fingerprint, cookies, and headers across requests to avoid suspicion.
To help with that, I’ve wrapped the full flow in a CastleSession class that keeps everything in sync:
import requests
from bs4 import BeautifulSoup
class CastleSession:
def __init__(self, base_url):
self.session = requests.Session()
self.base_url = base_url
self.headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"Sec-Ch-Ua": '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"'
}
self.session.headers.update(self.headers)
self.castle_token = None
self.script_id = None
# Initialize the session
self._initialize()
def _initialize(self):
# Visit homepage to get cookies and identify Castle
response = self.session.get(self.base_url)
soup = BeautifulSoup(response.text, 'html.parser')
# Extract scriptID
script_pattern = r'<script\s+src=["\'].*?cdn\.castle\.io/v2/castle\.js\?([^"\']+)["\'].*?>'
script_match = re.search(script_pattern, response.text)
if script_match:
self.script_id = script_match.group(1)
cuid = self.session.cookies.get('__cuid')
# Generate initial token
self._refresh_token()
def _refresh_token(self):
if not self.script_id:
print("Cannot refresh token: Script ID not found")
return False
cuid = self.session.cookies.get('__cuid')
# Use the token generation function from earlier
token, new_cuid = generate_castle_token(self.script_id, cuid)
if token:
self.castle_token = token
if new_cuid and not cuid:
self.session.cookies.set('__cuid', new_cuid)
return True
return False
def get(self, url, refresh_token=True):
if refresh_token:
self._refresh_token()
# Add token to this specific request
custom_headers = {"x-castle-request-token": self.castle_token}
# Make the request
response = self.session.get(url, headers=custom_headers)
# Check if we need to refresh the token and retry
if response.status_code in [403, 401] and refresh_token:
if self._refresh_token():
# Retry with new token
return self.get(url, refresh_token=False)
return response
# Example usage
castle_session = CastleSession("https://example-protected-site.com")
response = castle_session.get("https://example-protected-site.com/api/protected-data")
print(response.status_code)This setup keeps your session alive, refreshes the token automatically, and retries failed requests if needed. It’s a robust way to ensure your scraping jobs don’t break halfway through.
Common challenges and solutions
Even with the right setup, you’ll still run into some common hurdles. Here’s how to handle them:
1. Token expiration
Castle tokens are short-lived. That’s why your implementation should refresh the token before every sensitive request.
2. IP blocking
Too many requests from the same IP can get you blocked. Rotate IPs with a proxy pool to stay off Castle’s radar:
def make_request_with_proxy(session, url, proxies):
for proxy in proxies:
try:
response = session.get(url, proxies={"http": proxy, "https": proxy}, timeout=10)
if response.status_code == 200:
return response
except Exception as e:
print(f"Proxy {proxy} failed: {e}")
return None3. Inconsistent headers
Castle looks for signs of bot-like behavior. If your headers (especially User-Agent) keep changing, that’s a red flag. Stay consistent within each session.
Final thoughts
Bypassing Castle Antibot in 2025 isn’t easy—but it’s entirely doable if you understand the mechanics behind it. The steps I’ve outlined here are based on real-world testing and have worked across multiple sites using Castle’s protection.
If you’re serious about automating data collection, you’ll want to build in robust error handling, refresh logic, and rotating proxies from the get-go. And remember: Castle is always evolving. Staying ahead means keeping your techniques sharp and your scripts up to date.
Found this guide helpful? I’ve also written deep dives on cracking modern antibot services like Datadome, Akamai, and Imperva—check them out next if you’re facing other scraping roadblocks.
And a final word: always make sure your scraping is ethical and legal. Respect websites’ terms of service and comply with applicable laws in your jurisdiction. Use your powers for good.
What challenges have you run into when dealing with Castle Antibot? Drop a comment—I’d love to hear how others are approaching it.
