Cloudflare Bot Protection Blocking API Requests Despite Valid Session Cookies #33

@akayhanlar

Cloudflare Bot Protection Blocking API Requests

Problem Description

The unofficial-claude-api package is successfully retrieving session cookies from Firefox, but API requests are being blocked by Cloudflare bot protection. The API returns HTML challenge pages instead of JSON responses, even though valid session cookies are obtained.

Expected Behavior

After successfully retrieving session cookies from Firefox using get_session_data(), the send_message() method should be able to send messages to Claude API and receive JSON responses.

Actual Behavior

  1. Session cookies are successfully retrieved (1377 characters)
  2. Organization ID is successfully retrieved
  3. Client is created successfully
  4. However, when send_message() is called, Cloudflare bot protection intercepts the request
  5. API returns HTML challenge page (<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title>...) instead of JSON
  6. JSON parsing fails with: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)

Environment

  • Package Version: unofficial-claude-api==0.3.3
  • Python Version: Python 3.13
  • Operating System: macOS (darwin 25.1.0)
  • Firefox Version: Mozilla Firefox 145.0.2
  • Selenium/Geckodriver: geckodriver 0.36.0

Steps to Reproduce

  1. Login to Claude.ai manually in Firefox
  2. Create a chat and send a few messages (to establish normal user activity)
  3. Retrieve session data using get_session_data():
    from claude_api.session import get_session_data
    from claude_api.client import ClaudeAPIClient
    
    session = get_session_data()
    client = ClaudeAPIClient(session)
  4. Attempt to send a message:
    response = client.send_message(chat_id, "Test message")
  5. Observe that the response contains HTML instead of JSON

Code Snippet

from claude_api.session import get_session_data
from claude_api.client import ClaudeAPIClient

# Session retrieval works fine
session = get_session_data()
print(f"Session cookie length: {len(session.cookie)}")  # 1377 characters
print(f"Organization ID: {session.organization_id}")  # Successfully retrieved

# Client creation works
client = ClaudeAPIClient(session)

# This fails with Cloudflare protection
response = client.send_message(chat_id, "Test message")
# response.raw_answer contains HTML: <!DOCTYPE html>...Just a moment...

Error Logs

✅ Session cookie alındı (1377 karakter)
📋 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:1...
✅ Organization ID: 2000466b-7a1a-433e-a388-2687cd063ddb
✅ Unofficial Claude client başarıyla oluşturuldu.
📝 Unofficial Claude'a mesaj gönderiliyor...
⚠️ JSON parse hatası - Raw response (ilk 1000 karakter): <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">...

Investigation

The issue appears to be related to Cloudflare's bot detection system. Even though:

  • Valid session cookies are retrieved from Firefox
  • Organization ID is successfully obtained
  • User-Agent is properly set

The API requests are still being flagged as bot traffic. This suggests that Cloudflare may be detecting:

  • Missing or incorrect browser fingerprints
  • Suspicious request patterns
  • Missing browser context (localStorage, sessionStorage, etc.)
  • TLS fingerprint mismatches

Possible Solutions

  1. Improve Browser Fingerprinting: The curl_cffi library with impersonate="chrome110" might need updating to a newer Chrome version or better fingerprinting.

  2. Add Request Delays: Implement random delays between requests to mimic human behavior.

  3. Session Validation: Add a method to validate session cookies before making API calls.

  4. Better Error Handling: Provide clearer error messages when Cloudflare protection is detected.

  5. Alternative Approach: Consider using a headless browser (like Playwright) for API calls instead of direct HTTP requests.

Additional Context

  • The session cookies are valid (tested manually in Firefox)
  • The issue persists even after:
    • Completely closing and reopening Firefox
    • Logging out and logging back into Claude.ai
    • Creating new chats and sending messages manually
    • Waiting several minutes between attempts

Related Issues

This might be related to Cloudflare's recent updates to their bot protection system. Other users might be experiencing similar issues.

Request

Could you please:

  1. Investigate why Cloudflare is blocking requests even with valid session cookies
  2. Update the browser fingerprinting/impersonation to bypass Cloudflare protection
  3. Add better error handling for Cloudflare challenge pages
  4. Consider alternative approaches if direct HTTP requests continue to be blocked

Thank you for maintaining this package!
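
The following is an added example, not part of the original issue and not code from unofficial-claude-api. It sketches item 4 under "Possible Solutions": recognising the challenge page before JSON parsing, so the caller gets a clear error instead of the `Expecting property name...` decode failure. The function and class names are hypothetical, the sample responses are constructed, and the `cf-mitigated: challenge` header check relies on Cloudflare's documented response header rather than on anything shown in the issue.

```python
import json
import re


class ChallengePageError(RuntimeError):
    """An HTML challenge page arrived where a JSON API response was expected."""


_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

# Constructed samples; the HTML prefix matches the one quoted in the issue.
SAMPLE_CHALLENGE = ('<!DOCTYPE html><html lang="en-US"><head>'
                    "<title>Just a moment...</title></head><body></body></html>")
SAMPLE_JSON = '{"completion": "hello"}'


def looks_like_challenge(headers: dict, body: str) -> bool:
    """True if the response is a bot-protection interstitial, not API output."""
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    # Header Cloudflare documents for challenge responses (assumption: present).
    if h.get("cf-mitigated") == "challenge":
        return True
    # Fallback: HTML body whose <title> is the interstitial title from the issue.
    is_html = ("text/html" in h.get("content-type", "")
               or body.lstrip()[:14].lower() == "<!doctype html")
    match = _TITLE_RE.search(body)
    title = match.group(1).strip() if match else ""
    return is_html and title == "Just a moment..."


def parse_api_response(status: int, headers: dict, body: str) -> dict:
    """Parse a JSON body, raising a specific error for challenge pages."""
    if looks_like_challenge(headers, body):
        raise ChallengePageError(
            f"HTTP {status}: challenge page returned instead of JSON; "
            "this is not a JSON-format or cookie-parsing error"
        )
    try:
        return json.loads(body)
    except json.JSONDecodeError as exc:
        # Some other non-JSON body: keep a short preview for the log.
        raise ValueError(f"HTTP {status}: non-JSON body {body[:80]!r}") from exc
```
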
