Cloudflare Challenge Solver

Give it a URL and a proxy. Get back the cf_clearance cookie plus the exact User-Agent and Client-Hint headers that earned it, ready to drop into any HTTP client.

💰 Pricing. $0.002 per successful solve. Failures are free. You pay only when a real clearance cookie is returned.

📡 Proxy usage. Around 500 KB per solve. The Actor cancels the page load the moment Cloudflare issues the cookie, so target page bodies, images, scripts, and analytics are never fetched. Residential bandwidth stays cheap.

What is it?

Cloudflare blocks scrapers with a "Just a moment..." challenge that runs JavaScript, checks the browser fingerprint, and issues a cf_clearance cookie when you pass. This Actor does that for you.

A real Chromium browser (Windows UA, honest Chrome TLS handshake) navigates your URL through the proxy you supply. The challenge runs, Turnstile gets clicked if present, Cloudflare hands out the cookie, and the Actor captures the exact UA and Client-Hint headers that went with it so you can replay them byte-identical from your own client.

Typical solve: 8 to 15 seconds. Actor memory: 128 MB.

Use cases

• Scrape CF-protected sites. Pair this with your crawler, refresh the clearance on a 403 or before the 30-minute expiry.
• Price and inventory monitoring on e-commerce that sits behind the anti-bot wall.
• Ticketing, drops, SNKRS-style flows: grab the clearance once, paste it into the HTTP client running your checkout.
• Cookie rotation. Prime a pool of valid sessions cheaply, failures do not bill.
• Research and data journalism: collect publicly accessible pages that happen to sit behind CF.

Key features

• 💰 Only pay for success. $0.002 per successful solve. Failures are free.
• 📡 Low bandwidth. Around 500 KB per solve. The target page body is never downloaded.
• ⚡ Fast. 8 to 15 seconds typical, p95 under 30 seconds.
• 🧩 Replay-ready headers. Cookie, UA, and client hints returned together. Works with curl_cffi and impersonate="chrome" out of the box.
• 🌐 Any proxy. HTTP, HTTPS, SOCKS5, SOCKS5h, with or without auth.
• 🔗 IP-bound. Cookie tied to your proxy's IP so it actually works from your scraper.

Input

{
  "url":     "https://cf-protected.example.com/",
  "proxy":   "http://user:pass@proxy.host:8080",
  "timeout": 60
}

Field	Type	Default	Description
url	string	required	Any Cloudflare-protected URL.
proxy	string	required	Proxy URL. http://, https://, socks5://, or socks5h://, optional user:pass@. The cookie will be bound to this proxy's IP, so use the same proxy IP in the scraper that consumes the cookie.
timeout	integer	60	Seconds to wait for the challenge to clear. 10 to 120. Most solves finish in 8 to 15 seconds, so keep this at 45 or above for headroom against CF escalations.

Output

The Actor writes one item to the default dataset per run.

Success

{
  "success": true,
  "cookies": {
    "cf_clearance": "Um7l_YtFbyWHndjVSXc2LRU4..."
  },
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36",
  "headers": {
    "user-agent":          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/147.0.0.0 Safari/537.36",
    "accept-language":     "en-US,en;q=0.9",
    "sec-ch-ua":           "\"Chromium\";v=\"147\", \"Google Chrome\";v=\"147\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile":    "?0",
    "sec-ch-ua-platform":  "\"Windows\""
  },
  "timeTakenS": 9.42
}

The headers object goes straight into your HTTP client's headers. Sending a different UA or missing client hints makes Cloudflare re-challenge.

Failure

{
  "success": false,
  "error": "TIMEOUT",
  "message": "challenge not solved within 60s",
  "timeTakenS": 60.1
}

Error code	Meaning
INVALID_INPUT	url missing, proxy malformed, or proxy points at a private or loopback address.
PROXY_ERROR	Upstream proxy refused the connection or failed authentication.
NO_CHALLENGE	The page loaded but CF didn't present a challenge. The site is unprotected or your IP is whitelisted.
TIMEOUT	CF didn't issue a clearance cookie within timeout seconds.
BROWSER_ERROR	Internal navigation failure.
FREE_TIER_LIMIT	Free Apify accounts are capped at 20 successful solves per 24 hours. Upgrade to a paid Apify plan to remove the cap.

Failed runs are free. No charge fires unless success is true.

How to use the cookies

Replay with the same proxy IP, the same User-Agent, the same client hints, and a Chrome-shaped TLS fingerprint. Python's built-in requests uses a Python TLS signature that Cloudflare will re-challenge even with a valid cookie. Use curl_cffi with impersonate="chrome":

from curl_cffi import requests

result = ...  # the dataset item from the Actor

resp = requests.get(
    "https://cf-protected.example.com/data",
    impersonate="chrome",           # Chrome-shaped TLS + HTTP/2 fingerprint
    cookies=result["cookies"],
    headers=result["headers"],      # UA + client hints that earned the cookie
    proxies={"http":  "http://user:pass@proxy.host:8080",
             "https": "http://user:pass@proxy.host:8080"},
)

$pip install curl_cffi

One cf_clearance is usually good for 30 minutes on the same IP. Refresh when you get a 403 or a fresh "Just a moment..." page.

Integrations

REST API

One call, waits for the result, returns just the dataset items:

curl -X POST \
  "https://api.apify.com/v2/acts/crawlex~cf-solver/run-sync-get-dataset-items?token=$APIFY_TOKEN&timeout=120" \
  -H "Content-Type: application/json" \
  -d '{
    "url":     "https://cf-protected.example.com/",
    "proxy":   "http://user:pass@proxy.host:8080",
    "timeout": 60
  }'

Python, apify-client

from apify_client import ApifyClient

client = ApifyClient(token="YOUR_APIFY_TOKEN")

run = client.actor("crawlex/cf-solver").call(run_input={
    "url":     "https://cf-protected.example.com/",
    "proxy":   "http://user:pass@proxy.host:8080",
    "timeout": 60,
})

[item] = client.dataset(run["defaultDatasetId"]).list_items().items
print(item["cookies"]["cf_clearance"])
print(item["headers"])

JavaScript, apify-client

import { ApifyClient } from "apify-client";

const client = new ApifyClient({ token: "YOUR_APIFY_TOKEN" });

const run = await client.actor("crawlex/cf-solver").call({
  url:     "https://cf-protected.example.com/",
  proxy:   "http://user:pass@proxy.host:8080",
  timeout: 60,
});

const { items: [item] } = await client.dataset(run.defaultDatasetId).listItems();
console.log(item.cookies.cf_clearance);
console.log(item.headers);

Pricing

$0.002 per successful solve. Failures are free. No monthly fee, no subscription. At 1,000 successful solves, total $2.00. Because proxy usage is around 500 KB per solve, residential proxy costs stay small compared to any full-page-load scraper.

Limits

• Free Apify accounts: 20 successful solves per rolling 24 hours. Failures don't count. Paid Apify accounts are uncapped. If you hit the cap you'll see FREE_TIER_LIMIT in the error field; upgrade your Apify plan to lift it.
• One URL per run. If you need many, trigger many runs in parallel. The Apify API and the REST example above handle that.
• Interactive Turnstile (the "Verify you are human" checkbox) and passive "Just a moment..." challenges are both supported.
• Multi-step walls that require login, email verification, or CAPTCHAs beyond Turnstile are out of scope.
• Cookie lifetime is about 30 minutes on the same IP. Rotate when you see a 403.

FAQ

How do I use it? Send the URL you want to scrape and the proxy you plan to use. You get back the cf_clearance cookie plus the exact User-Agent and Client-Hint headers that go with it. Drop all three into your HTTP client and your requests to the protected site start working.

Why around 500 KB of proxy bandwidth? The Actor only fetches what Cloudflare needs to issue a cookie. Once the cookie arrives, it stops. The target page's body, images, scripts, and analytics are never pulled through your proxy, so there's nothing left to pay for.

Why do I need to use the same proxy IP afterwards? Cloudflare binds cf_clearance to the IP that earned it. Switch IPs and CF re-challenges on the first request. Use the same proxy, or at minimum the same IP, for both the solve and your follow-up scraping.

Why return headers instead of just the cookie? Cloudflare checks that the UA, Client Hints, and TLS fingerprint on every replay match what earned the cookie. Miss one and CF challenges you again. The headers object contains exactly what your HTTP client should send.

What happens if my solve fails? You get a dataset item with success: false and an error code. No charge fires. Retry with a different proxy, a longer timeout, or check that the URL is actually CF-protected.

What if my proxy is slow? CF challenges involve several small round-trips. A slow proxy pushes the solve time up. Keep timeout at 45 seconds or above when using residential proxies. Datacenter or fast residential proxies give the quickest solves.

Can I use this programmatically? Yes. See the REST, Python, and JS examples above. The Apify API supports runs, webhooks, schedules, and integrations with Zapier, Make, Airbyte, and Google Sheets.

Is this legal? Solving a challenge in front of publicly accessible data is within the same scraping legality many commercial scrapers operate under. Always respect the target site's Terms of Service and the law in your jurisdiction.

Feedback

Hit a bug or want a feature? Open an issue on the Actor's Issues tab.