The Shape API generates fresh F5/Shape anti-bot HTTP headers for a given target URL. Send a POST /v1/sign request with the target method, URL, and optional body, then forward the
returned headers along with your own request to the target site.
Authentication
Authenticate with a bearer token. Include Authorization: Bearer <your-api-key> on every request.
Endpoints
POST/v1/sign — generate Shape headers
GET/v1/whoami — inspect your key, plan limits, and
current usage
Request body
url — target URL the headers will be sent to (required)
method — HTTP method, e.g. GET or POST (default GET)
body — optional request body string for POST
Response
headers — map of Shape headers to forward to the target site
build — current Shape build identifier (header prefix)
user_agent — User-Agent the headers were signed for; you must use this UA when
calling the target
Rate limits
Three configurable axes per key: rps (per-second), daily (per UTC day), and total_max (lifetime cap). On
rejection the API returns 429 with an X-RateLimit-Reason header naming the exceeded axis.
Code examples
# pip install requestsimport requests
API_KEY = "YOUR_API_KEY"
TARGET = "https://carts.target.com/web_checkouts/v1/cart_items"
r = requests.post(
"https://shape.atlas.example.com/v1/sign",
headers={"Authorization": f"Bearer {API_KEY}"},
json={"method": "POST", "url": TARGET},
timeout=10,
)
r.raise_for_status()
data = r.json()
shape, build, ua = data["headers"], data["build"], data["user_agent"]
# Forward Shape headers + the matching User-Agent to the target.
forward = {
"User-Agent": ua,
"Content-Type": "application/json",
**{f"X-{build}-{k.split('-')[-1]}": v for k, v in shape.items()},
}
res = requests.post(TARGET, headers=forward, data='{"cart_item":{}}')
print(res.status_code, res.text[:200])