
How to Obtain Datadome Cookies for the Too Good To Go API
- Cereal Dev Null
- Technology, Software
- November 15, 2025
The Too Good To Go (TGTG) API uses Datadome’s mobile SDK protection to prevent unauthorized access. If you’ve tried building automation tools or integrations with their API, you’ve likely hit a wall of 403 Forbidden responses. This article explains how to obtain and manage Datadome cookies by emulating the Android SDK’s behavior - turning those 403s into successful API calls.
⚠️ Disclaimer: This article is for educational purposes only. Always respect Terms of Service when interacting with APIs. Use this knowledge responsibly.
Understanding the Problem
When making requests to the TGTG API without a valid Datadome cookie, you’ll receive HTTP 403 (Forbidden) responses. The TGTG mobile app uses Datadome’s Android SDK (version 3.0.4) to automatically obtain these cookies behind the scenes. Our goal is to replicate this behavior programmatically, and we’ll do it in three simple steps:
- Detect 403 responses from the TGTG API
- Fetch a new cookie from the Datadome SDK endpoint
- Retry the request with the new cookie
When a 403 occurs, we fetch a fresh Datadome cookie by emulating the Android SDK’s request, then retry the original API call.
Step 1: Making the Initial Request
When you first try making requests to the TGTG API, you’ll likely see this:
curl -X POST https://api.toogoodtogo.com/api/auth/v5/authByEmail \
-H "Content-Type: application/json" \
-d '{"device_type":"ANDROID","email":"user@example.com"}'
The response will be an HTTP 403 Forbidden error. When this happens, you need to fetch a new Datadome cookie and retry with it:
curl -X POST https://api.toogoodtogo.com/api/auth/v5/authByEmail \
-H "Content-Type: application/json" \
-H "Cookie: datadome=YOUR_COOKIE_VALUE" \
-d '{"device_type":"ANDROID","email":"user@example.com"}'
Step 2: Fetching a Datadome Cookie
To fetch a Datadome cookie, you need to make a request to the Datadome SDK endpoint at https://api-sdk.datadome.co/sdk/. This endpoint expects a form POST with device fingerprinting data that emulates what the Android SDK sends:
curl -X POST https://api-sdk.datadome.co/sdk/ \
-H "User-Agent: okhttp/5.1.0" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "cid=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2" \
--data-urlencode "ddk=1D42C2CA6131C526E09F294FE96F94" \
--data-urlencode "request=https://api.toogoodtogo.com/api/auth/v5/authByEmail" \
--data-urlencode "ua=TGTG/23.11.2 Dalvik/2.1.0 (Linux; U; Android 14; Pixel 7 Pro Build/UQ1A.240105.004)" \
--data-urlencode "events=[%7B%22id%22:1,%22message%22:%22response validation%22,%22source%22:%22sdk%22,%22date%22:1699876543210%7D]" \
--data-urlencode "inte=android-java-okhttp" \
--data-urlencode "ddv=3.0.4" \
--data-urlencode "ddvc=23.11.2" \
--data-urlencode "os=Android" \
--data-urlencode "osr=14" \
--data-urlencode "osn=UPSIDE_DOWN_CAKE" \
--data-urlencode "osv=34" \
--data-urlencode "screen_x=1440" \
--data-urlencode "screen_y=3120" \
--data-urlencode "screen_d=3.5" \
--data-urlencode 'camera={"auth":"true", "info":"{\"front\":\"2000x1500\",\"back\":\"5472x3648\"}"}' \
--data-urlencode "mdl=Pixel 7 Pro" \
--data-urlencode "prd=Pixel 7 Pro" \
--data-urlencode "mnf=Google" \
--data-urlencode "dev=cheetah" \
--data-urlencode "hrd=GS201" \
--data-urlencode "fgp=google/cheetah/cheetah:14/UQ1A.240105.004/10814564:user/release-keys" \
--data-urlencode "tgs=release-keys" \
--data-urlencode "d_ifv=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
Explanation of the Most Important Parameters
- cid: Client ID (64 random hex characters)
- ddk: Datadome Key (1D42C2CA6131C526E09F294FE96F94 from TGTG app)
- request: Original URL (The TGTG API endpoint that returned 403)
- ua: User Agent (TGTG/23.11.2 Dalvik/2.1.0 (Linux; U; Android 14; Pixel 7 Pro Build/UQ1A.240105.004))
- events: SDK events (URL-encoded JSON with timestamp)
- ddv: Datadome SDK version (3.0.4)
- ddvc: App version (Current TGTG version, e.g., 23.11.2)
- d_ifv: Device identifier (32 random hex characters)
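Seen from the receiving side, several of these fields repeat the same facts (OS release, model, build ID), so a submitted form can be audited for internal consistency. The sketch below is an added example, not code from the article or from Datadome, and it does not describe Datadome's actual checks; `audit_sdk_form`, `ANDROID` and `SAMPLE` are hypothetical names, and the sample payload is constructed from the field values shown above.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlencode

# Android release -> (API level, codename); public platform facts.
ANDROID = {"12": ("31", "S"), "13": ("33", "TIRAMISU"), "14": ("34", "UPSIDE_DOWN_CAKE")}

def audit_sdk_form(body: str) -> list[str]:
    """Return a list of findings for one form-encoded SDK payload."""
    f = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    # Identifier formats as described in the parameter list above.
    if not re.fullmatch(r"[0-9a-fA-F]{64}", f.get("cid", "")):
        findings.append("cid is not 64 hex characters")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", f.get("d_ifv", "")):
        findings.append("d_ifv is not 32 hex characters")
    # OS release, API level and codename must describe the same platform.
    if ANDROID.get(f.get("osr", "")) != (f.get("osv"), f.get("osn")):
        findings.append("osr/osv/osn do not describe one Android release")
    # The user agent repeats the OS release, model and build ID.
    ua = re.search(r"Android (\d+); (.+) Build/([\w.]+)\)", f.get("ua", ""))
    if not ua:
        findings.append("ua has no Android/model/build segment")
    else:
        rel, model, build = ua.groups()
        if rel != f.get("osr") or model != f.get("mdl"):
            findings.append("ua disagrees with osr/mdl")
        if f"/{build}/" not in f.get("fgp", ""):
            findings.append("ua build id missing from fgp")
    # events: JSON array (possibly still percent-encoded) with ms timestamps.
    try:
        events = json.loads(unquote(f.get("events", "")))
        if not all(isinstance(e["date"], int) for e in events):
            raise ValueError
    except (ValueError, KeyError, TypeError):
        findings.append("events is not a JSON array with integer dates")
    return findings

# Constructed sample built from the field values shown in the request above.
SAMPLE = {
    "cid": "ab" * 32, "d_ifv": "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c",
    "osr": "14", "osv": "34", "osn": "UPSIDE_DOWN_CAKE", "mdl": "Pixel 7 Pro",
    "ua": "TGTG/23.11.2 Dalvik/2.1.0 (Linux; U; Android 14; Pixel 7 Pro Build/UQ1A.240105.004)",
    "fgp": "google/cheetah/cheetah:14/UQ1A.240105.004/10814564:user/release-keys",
    "events": '[{"id":1,"message":"response validation","source":"sdk","date":1699876543210}]',
}

if __name__ == "__main__":
    print(audit_sdk_form(urlencode(SAMPLE)))
```

A payload that passes these per-request checks is only well-formed; whether it came from a real device is a separate question that needs signals beyond the form itself.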
Step 3: Using the Cookie
Once you make the request to the Datadome SDK endpoint, it returns a JSON response that looks like this:
{
"status": 0,
"cookie": "datadome=AHrlqAAAAAMAb…truncated…==; Path=/; Secure; HttpOnly"
}
Now use this cookie in your TGTG API requests:
curl -X POST https://api.toogoodtogo.com/api/auth/v5/authByEmail \
-H "Content-Type: application/json" \
-H "Cookie: $cookie" \
-d '{"device_type":"ANDROID","email":"user@example.com"}'
And that’s it! You now have a working Datadome cookie that’ll let you make authenticated requests to the TGTG API.
Important Considerations
This approach requires ongoing maintenance as Datadome and TGTG update their systems. This implementation is based on TGTG Android app analysis from November 2025 and Datadome SDK version 3.0.4. Things change quickly in the world of bot detection - what works today may not work tomorrow.
Have questions or improvements? Reach out to us on Discord. I’d love to hear about your experiences implementing this.
Ready-to-Use Implementation Available
A working production-ready implementation with automatic cookie refresh can be found on GitHub:
For a complete no-code solution, check out the Too Good To Go monitoring script on marketplace.cereal-automation.com
This script provides a complete monitoring solution with automatic Datadome handling, notifications, and more. Learn more about the Cereal Automation platform at cereal-automation.com.


