Developer Documentation
Base URL: https://api.karonlabs.net
Quick Start
curl -X POST https://api.karonlabs.net/v1/fetch \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com"}'
That's it. The API automatically bypasses common WAF protections including Cloudflare, Akamai, DataDome, hCaptcha, PerimeterX, Kasada, and AWS WAF — no manual cookie handling or scripting required.
Authentication
All endpoints except /v1/pricing and /health require a Bearer token:
Authorization: Bearer ku_live_xxxxxxxxxxxx
POST /v1/fetch
Fetch a URL and return raw HTML. Automatic access handling with response caching.
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
| url | string REQUIRED | - | Target URL (max 8,192 chars) |
| proxy | string | auto | auto / direct / mobile |
| wait_selector | string | - | CSS selector to wait for before capturing |
| wait_timeout_ms | int | 10000 | Selector timeout (1,000 - 30,000 ms) |
| session_id | string | - | Share cookies across requests |
Response
{
"success": true,
"status_code": 200,
"url": "https://www.nike.com",
"body": "<!DOCTYPE html>...",
"body_len": 142857,
"timing": {
"total_ms": 62,
"full_access": false,
"cache_hit": true
},
"cost_credits": 1,
"headers": { "content-type": "text/html" }
}
"cost_credits": 0. You are never charged for failures.POST /v1/agent/browse
AI agent-friendly endpoint. Returns clean text, markdown, or html instead of raw page source.
Additional Parameters
| Name | Type | Default | Description |
|---|---|---|---|
| extract | string | text | text / markdown / html |
| selector | string | - | CSS selector to extract specific section |
| readability | bool | true | Apply Readability to extract main content. Set false for raw full-page output |
| auto_links | bool | false | Extract all links from the page |
Response
{
"success": true,
"url": "https://news.ycombinator.com",
"content": "# Hacker News\n\n1. Show HN: ...",
"content_len": 4521,
"extract_mode": "markdown",
"links": ["https://example.com/article1", "..."],
"timing": { "total_ms": 251, "cache_hit": true },
"cost_credits": 1
}
POST /v1/flaresolverr
Drop-in replacement for FlareSolverr v2 with broader WAF bypass coverage. Change the URL in Prowlarr/Sonarr/Radarr settings — nothing else.
{
"cmd": "request.get",
"url": "https://example.com",
"maxTimeout": 60000
}
Supported commands: request.get, request.post
GET /v1/credits
Check remaining credits and tier info.
{
"credits_remaining": 850,
"tier": "free",
"rate_limit": 20
}
GET /v1/pricing
Public endpoint. No authentication required. Returns current pricing info.
GET /health
Health check. Returns basic service status.
{
"status": "ok",
"version": "0.1.0"
}
Proxy Modes
| Mode | Behavior | Speed | Best For |
|---|---|---|---|
| auto | Automatically chooses the best available route | 60ms - 3.7s | Default. Most use cases |
| direct | Uses the direct route only | 37 - 60ms | Speed-critical, low-friction sites |
| mobile | Uses the managed compatibility route | 700 - 900ms | Sites that prefer compatibility over speed |
Error Codes
| Status | Error | Description |
|---|---|---|
| 400 | bad_request | Invalid URL or parameters |
| 400 | domain_blocked | Blocked domain (see AUP) |
| 401 | unauthorized | Missing or invalid API key |
| 403 | suspended | API key suspended |
| 413 | payload_too_large | Response exceeds 10MB |
| 429 | rate_limit_exceeded | Too many requests per minute |
| 429 | daily_limit_exceeded | Daily request quota reached (free: 200/day) |
| 429 | concurrent_limit | Too many concurrent requests — retry shortly |
| 429 | insufficient_credits | No credits remaining — contact [email protected] for more |
| 500 | access_failed | The access attempt could not be completed |
| 502 | bad_gateway | Upstream connection failed |
Rate Limits
Rate limits are per API key. Exceeding any limit returns HTTP 429.
| Tier | Per Minute | Per Day | Concurrent Requests |
|---|---|---|---|
| Free (beta) | 20/min | 200/day | Limited |
Concurrent Requests — concurrent request limits apply per tier. Cached responses are not affected by this limit.
Free during beta · Paid tiers coming Q3 2026 · Need more? Contact [email protected]
Restricted Domains
Requests to the following domains are blocked and return HTTP 400 with type: "domain_blocked". This policy protects against abuse and aligns with industry-standard acceptable use practices.
| Category | Domains | Reason |
|---|---|---|
| Ticket platforms | ticketmaster.com, eventbrite.com, stubhub.com, axs.com | Automated ticket purchasing is prohibited |
| Email services | outlook.com, outlook.live.com, yahoo.com, mail.yahoo.com | Login-gated data / account access |
| Financial | paypal.com, chase.com, bankofamerica.com, wellsfargo.com, binance.com, coinbase.com | Financial service abuse prevention |
| Streaming | netflix.com, disneyplus.com, spotify.com, twitch.tv | Login-gated content |
| Gaming | steampowered.com, playstation.com | Login-gated / purchase automation |
| Classifieds | craigslist.org, craigslist.com | Automated posting / spam prevention |
| Social (login) | linkedin.com | Login-gated profile data |
Subdomains are automatically included (e.g., blocking paypal.com also blocks www.paypal.com). This list may be updated without notice. If your legitimate use case requires access to a restricted domain, contact [email protected].
Tips
wait_selector for JavaScript-heavy SPAs that need time to render content.extract: "markdown" in /v1/agent/browse for the cleanest LLM-ready output.proxy: "direct" is ~10x faster than mobile, while auto balances speed and compatibility automatically.