Castle.io Solver API | Twitter & X Castle Token Generator

Documentation

Available Endpoints

GET /health System status & metrics

POST /generate-token Generate castle token for X/Twitter

Request Parameters

Parameter	Type	Required	Description
`cuid`	string	No	UUID v4 format (32 hex chars without dashes). Auto-generated if not provided. ? Set as `__cuid` cookie.
`userAgent`	string	Yes	Browser UA. Chrome 140+ recommended.
`country`	string	No	ISO Country Code (e.g. US, GB). Default: US
`browser`	string	No	Browser type: `chrome`, `brave`, `edge`, `opera`. Auto-detected from `sec-ch-ua` if not provided, or random if not available.
`version`	string	No	Browser version (e.g. "131"). Auto-detected from `sec-ch-ua` or parsed from userAgent.
`sec-ch-ua`	string	No	Client Hints header value. Can be passed in body or as HTTP header. Used to auto-detect browser and version.
`public_key`	string	No	Castle public key. Default: `pk_AvRa79bHyJSYSQHnRpcVtzyxetSvFerx` (Twitter/X)
`domain`	string	No	Target domain for token. Default: `x.com`. Change for other Castle-protected sites.

Generate CUID

const cuid = crypto.randomUUID().replace(/-/g, '');

import uuid
cuid = uuid.uuid4().hex

import ("crypto/rand", "fmt")

b := make([]byte, 16)
rand.Read(b)
b[6] = (b[6] & 0x0f) | 0x40  // version 4
b[8] = (b[8] & 0x3f) | 0x80  // variant
cuid := fmt.Sprintf("%x", b)

$b = random_bytes(16);
$b[6] = chr((ord($b[6]) & 0x0f) | 0x40);
$b[8] = chr((ord($b[8]) & 0x3f) | 0x80);
$cuid = bin2hex($b);

Example Request / Response

curl -X POST https://castle.botwitter.com/generate-token \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{ 
    "cuid": "550e8400e29b41d4a716446655440000",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
    "country": "US",
    "sec-ch-ua": "\"Chromium\";v=\"131\", \"Google Chrome\";v=\"131\"",
    "public_key": "pk_AvRa79bHyJSYSQHnRpcVtzyxetSvFerx",
    "domain": "x.com"
  }'

// Response:
{ 
  "success": true, 
  "token": "eyJhbG...", 
  "cuid": "550e8400e29b41d4a716446655440000",
  "cuidGenerated": false,
  "domain": "x.com",
  "headers": {
    "sec-ch-ua": "\"Chromium\";v=\"131\", \"Google Chrome\";v=\"131\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\""
  }
}

// Generate random cuid
const cuid = [...Array(32)].map(() => 
  Math.floor(Math.random() * 16).toString(16)).join('');

const response = await fetch('https://castle.botwitter.com/generate-token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer YOUR_API_KEY'
  },
  body: JSON.stringify({ 
    cuid, 
    userAgent: navigator.userAgent, 
    country: 'US',
    'sec-ch-ua': navigator.userAgentData?.brands?.map(b => `"${b.brand}";v="${b.version}"`).join(', ')
  })
});
const data = await response.json();

// Response: { success: true, token: "...", headers: { "sec-ch-ua": "...", ... } }

import secrets, requests

cuid = secrets.token_hex(16)
sec_ch_ua = '"Chromium";v="131", "Google Chrome";v="131"'

response = requests.post(
    'https://castle.botwitter.com/generate-token',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    json={
        'cuid': cuid, 
        'userAgent': 'Mozilla/5.0...', 
        'country': 'US',
        'sec-ch-ua': sec_ch_ua
    }
)
data = response.json()

# Response: {"success": True, "token": "...", "headers": {"sec-ch-ua": "...", ...}}

import ("crypto/rand", "fmt", "net/http", "bytes")

b := make([]byte, 16)
rand.Read(b)
cuid := fmt.Sprintf("%x", b)
secChUa := `"Chromium";v="131", "Google Chrome";v="131"`

body := fmt.Sprintf(`{"cuid":"%s","userAgent":"Mozilla/5.0...","country":"US","sec-ch-ua":"%s"}`, cuid, secChUa)
req, _ := http.NewRequest("POST", "https://castle.botwitter.com/generate-token", bytes.NewBuffer([]byte(body)))
req.Header.Set("Authorization", "Bearer YOUR_API_KEY")
req.Header.Set("Content-Type", "application/json")

// Response: {"success": true, "token": "...", "headers": {"sec-ch-ua": "...", ...}}

$cuid = bin2hex(random_bytes(16));
$secChUa = '"Chromium";v="131", "Google Chrome";v="131"';

$response = file_get_contents('https://castle.botwitter.com/generate-token', false, stream_context_create([
    'http' => [
        'method' => 'POST',
        'header' => "Authorization: Bearer YOUR_API_KEY\r\nContent-Type: application/json",
        'content' => json_encode([
            'cuid' => $cuid, 
            'userAgent' => 'Mozilla/5.0...', 
            'country' => 'US',
            'sec-ch-ua' => $secChUa
        ])
    ]
]));
$data = json_decode($response, true);

// Response: ["success" => true, "token" => "...", "headers" => ["sec-ch-ua" => "...", ...]]

Response Headers

The API returns Client Hints headers that you should use with Twitter/X requests:

Header	Example Value	Description
`sec-ch-ua`	`"Chromium";v="131", "Google Chrome";v="131"`	User-Agent Client Hints - Browser brands and versions
`sec-ch-ua-mobile`	`?0`	Mobile device indicator (?0 = desktop, ?1 = mobile)
`sec-ch-ua-platform`	`"Windows"`	Operating system platform

Castle.io Solver

Transparent Pricing

Documentation

Available Endpoints

Request Parameters

Generate CUID

Example Request / Response

Response Headers

Get Support

Transparent Pricing

Documentation

Available Endpoints

Request Parameters

Generate CUID

Example Request / Response

Response Headers

Get Support

Complete Purchase