AllNewImprovedFixed
Fixed

Auto no longer accepts challenge pages as success

If you passed a negative validate to /api/auto (like {data: {fail: ['"Due to legal reasons"']}}), a Cloudflare 'Just a moment' interstitial could slip through as a cached success because the fail-list didn't happen to match its text. Auto now rejects challenge pages before applying your validate rules, and it swaps the bad exit and re-solves instead of scoring it.

Fixed

Long foura_auto calls now complete through the hosted MCP

If you set a long timeout on foura_auto through the hosted MCP server, the request could time out at the edge before your call finished. That's fixed. Full-budget auto calls now run their 180-second budget end to end.

Fixed

Auto spreads concurrent load across multiple exits

If you've been hitting 429s when firing many concurrent Auto calls at one target, those calls used to funnel onto a single cached exit because the warm path picked the score-favourite and replayed once. Auto now opens additional sessions on demand and routes each call to the least-loaded exit, so a burst fans out across multiple proxy IDs instead of hammering one. Measured locally: a 100-call burst on a no-cookie portable host now spreads across the grown pool within seconds.

Fixed

Clean Cloudflare pages skip the browser solve

Cloudflare injects a passive script even on pages that pass cleanly, and Auto used to treat any reference to it as an active challenge and run a full browser solve anyway. Now only true interstitial markers (the 'just a moment' page and friends) trigger the browser path; a clean 200 comes back from the cheaper proxy rung. Auto also follows up to 5 redirects by default (configurable via followRedirects).

Fixed

Browser captures the real status after Cloudflare clears

When a Cloudflare-protected target served a real geo-block page (451) after the challenge passed, the Browser product was reporting it as a 200 because the watcher hardcoded the cleared status. The watcher now reads the actual post-clearance Document, so a 200 stays 200, a 451 surfaces as 451, and Auto rejects the wrong content and keeps searching for an exit that genuinely matches your validate rules.

Fixed

Cmd+K opens on non-Latin keyboards

The Cmd+K (Ctrl+K) shortcut now opens the command palette and search modal regardless of keyboard layout. We were matching the typed character (к on a Cyrillic layout), so anyone on a non-Latin layout got nothing. Now we match the physical key. Fixed across the main site, the blog, and the docs.

Fixed

Auto requests stop 504-ing on cold solves

A cold Auto solve can run several minutes (proxy grind plus a browser solve). Our HTTP edge was capping requests at 2 minutes and returning a plain HTML 504, so the longest solves looked like a gateway failure even when the orchestrator was still working. We extended the edge timeout past Auto's worst-case run and switched /api/ error pages to JSON, so any error from any layer reads as JSON your client can parse.

Fixed

Auto amortizes to 2 credits on repeat requests

Cookie-reusable sites (bet365 was the canary) were sticking on the expensive browser solve at 15 credits per request instead of dropping to the cheap 2-credit replay after the first solve. Two bugs: the latch fired on any transient transport error, and a successful browser replay never refreshed the session cookies. Fixed both. Repeat requests on a cookie-reusable site now cost 2 credits after the first solve, exactly as the pricing implies.

Fixed

Locked down cross-origin access on the API

We've tightened cross-origin access so only foura.ai can call the API with credentials. We also hardened an input filter on the metrics endpoint and dropped a development-only fallback secret. Existing integrations don't change.

Fixed

Custom validate rules count toward success

If you've set validate.status.accept on a request, the engine treats an accepted non-200 as a clean success. Activity was still labeling those as failures, which threw off your usage stats. Outcomes now follow your validate verdict, so a 403 you accepted shows up as success, not App Fail.

Fixed

Non-UTF-8 pages now decode cleanly

If you were scraping Cyrillic, Chinese, Japanese, or other non-UTF-8 pages through Single, the body used to come back as mojibake. We were force-decoding every response as UTF-8 before you saw the raw bytes. Now we read the charset from the response (Content-Type, then <meta charset>, then UTF-8 fallback) and decode it correctly. Thanks, Alexandar Kanchev (Sensika), for reporting this.

Fixed

Caught fake proxies that echo your request back

Some proxies in the wild don't actually forward your request. They echo it back as a plaintext server dump and try to harvest what's inside. We now spot that pattern before the response hits your code, so Single, Browser, and Proxy Finder all return an honest failure (or retry) instead of the garbage.

Fixed

Newly found proxies reach the pool faster

We fixed a slowdown that kept newly discovered proxies waiting before they got validated. Proxy Finder now checks them right away, so the pool stays fresher with more live, working proxies in rotation.

Fixed

Playground cookies follow RFC 6265 host-only rules

Host-only cookies were leaking to subdomains. We track the Domain attribute properly now and added an HO badge in the Parsed view for the (uncommon) host-only case. Raw view matches what the upstream sent: Domain=.example.com for domain cookies, no Domain= line for host-only.

Fixed

Playground form fields match the real API schema

The Browser endpoint accepts only eight inputs (url, userAgent, headers, cookies, proxy, timeout_ms, checkStatus, checkText). The playground had been showing extras like wait_selector and viewport that silently dropped on the wire. Every field is now schema-aligned: Browser forces GET, hides the body textarea, and the Raw tab shows the exact JSON that hits the API plus a curl reproducer.