How to Obtain Datadome Cookies for the Too Good To Go API

The Too Good To Go API uses Datadome’s mobile SDK to block unauthorized access. If you’ve tried building automation or integrations against it, you’ve run into 403 Forbidden responses — even with a valid TGTG account. This post explains how to obtain and manage Datadome cookies by emulating the behavior of the Android SDK, turning those 403s into successful API calls.

Disclaimer: This article is for educational purposes only. Always respect Terms of Service when interacting with APIs. Use this knowledge responsibly.

Understanding the Problem

When you call the TGTG API without a valid Datadome cookie, every request returns HTTP 403. The TGTG mobile app uses Datadome’s Android SDK (version 3.0.4) to obtain these cookies automatically and invisibly.

The solution is to replicate that behavior in three steps:

  1. Detect 403 responses from the TGTG API
  2. Fetch a fresh Datadome cookie from the SDK endpoint
  3. Retry the original request with the new cookie

Step 1: Making the Initial Request

A standard TGTG API call looks like this:

curl -X POST https://api.toogoodtogo.com/api/auth/v5/authByEmail \
  -H "Content-Type: application/json" \
  -d '{"device_type":"ANDROID","email":"[email protected]"}'

This returns an HTTP 403 Forbidden error. To fix it, you need a Datadome cookie. Once you have one, include it in the retry:

curl -X POST https://api.toogoodtogo.com/api/auth/v5/authByEmail \
  -H "Content-Type: application/json" \
  -H "Cookie: datadome=YOUR_COOKIE_VALUE" \
  -d '{"device_type":"ANDROID","email":"[email protected]"}'

To get a Datadome cookie, make a form POST to the Datadome SDK endpoint at https://api-sdk.datadome.co/sdk/. The endpoint expects device fingerprinting data that matches what the Android SDK sends:

curl -X POST https://api-sdk.datadome.co/sdk/ \
  -H "User-Agent: okhttp/5.1.0" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "cid=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2" \
  --data-urlencode "ddk=1D42C2CA6131C526E09F294FE96F94" \
  --data-urlencode "request=https://api.toogoodtogo.com/api/auth/v5/authByEmail" \
  --data-urlencode "ua=TGTG/23.11.2 Dalvik/2.1.0 (Linux; U; Android 14; Pixel 7 Pro Build/UQ1A.240105.004)" \
  --data-urlencode "events=[%7B%22id%22:1,%22message%22:%22response validation%22,%22source%22:%22sdk%22,%22date%22:1699876543210%7D]" \
  --data-urlencode "inte=android-java-okhttp" \
  --data-urlencode "ddv=3.0.4" \
  --data-urlencode "ddvc=23.11.2" \
  --data-urlencode "os=Android" \
  --data-urlencode "osr=14" \
  --data-urlencode "osn=UPSIDE_DOWN_CAKE" \
  --data-urlencode "osv=34" \
  --data-urlencode "screen_x=1440" \
  --data-urlencode "screen_y=3120" \
  --data-urlencode "screen_d=3.5" \
  --data-urlencode 'camera={"auth":"true", "info":"{\"front\":\"2000x1500\",\"back\":\"5472x3648\"}"}' \
  --data-urlencode "mdl=Pixel 7 Pro" \
  --data-urlencode "prd=Pixel 7 Pro" \
  --data-urlencode "mnf=Google" \
  --data-urlencode "dev=cheetah" \
  --data-urlencode "hrd=GS201" \
  --data-urlencode "fgp=google/cheetah/cheetah:14/UQ1A.240105.004/10814564:user/release-keys" \
  --data-urlencode "tgs=release-keys" \
  --data-urlencode "d_ifv=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"

Key Parameters

  • cid: Client ID — 64 random hex characters
  • ddk: Datadome Key (1D42C2CA6131C526E09F294FE96F94 from the TGTG app)
  • request: The original TGTG API URL that returned 403
  • ua: User-Agent string (TGTG/23.11.2 Dalvik/2.1.0 (Linux; U; Android 14; Pixel 7 Pro Build/UQ1A.240105.004))
  • events: SDK events as URL-encoded JSON, with a timestamp
  • ddv: Datadome SDK version (3.0.4)
  • ddvc: TGTG app version (e.g., 23.11.2)
  • d_ifv: Device identifier — 32 random hex characters
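Seen from the protected side, the parameters above are only as convincing as they are mutually consistent. The following is an added example, not code from the original post and not Datadome's actual detection logic: a server-side sanity check over a submitted form. The check names, the `ANDROID` table, and the reading of `dev` and `tgs` as the Android `Build.DEVICE` and `Build.TAGS` values are assumptions.

```python
import re

# Android release -> (API level, Build.VERSION_CODES name); only the rows used below.
ANDROID = {"13": ("33", "TIRAMISU"), "14": ("34", "UPSIDE_DOWN_CAKE")}
# Build.FINGERPRINT layout: brand/product/device:release/build_id/incremental:type/tags
FGP = re.compile(r"^[^/]+/[^/]+/([^/:]+):([^/]+)/([^/]+)/[^/:]+:[^/]+/(\S+)$")

def inconsistencies(form):
    """Return the names of the checks that a submitted SDK form fails."""
    failed = []
    if not re.fullmatch(r"[0-9a-f]{64}", form.get("cid", "")):
        failed.append("cid_format")
    if not re.fullmatch(r"[0-9a-f]{32}", form.get("d_ifv", "")):
        failed.append("d_ifv_format")
    # Release, API level and codename must describe the same Android version.
    expected = ANDROID.get(form.get("osr"))
    if expected and (form.get("osv"), form.get("osn")) != expected:
        failed.append("os_version_triple")
    m = FGP.match(form.get("fgp", ""))
    if not m:
        failed.append("fgp_format")
    else:
        # The build fingerprint repeats values that are also sent as separate fields.
        device, release, build_id, tags = m.groups()
        if device != form.get("dev"):
            failed.append("fgp_vs_dev")
        if release != form.get("osr"):
            failed.append("fgp_vs_osr")
        if tags != form.get("tgs"):
            failed.append("fgp_vs_tgs")
        if f"Build/{build_id})" not in form.get("ua", ""):
            failed.append("fgp_vs_ua")
    return failed

# Constructed sample submissions (not captured traffic).
CONSISTENT = {
    "cid": "0123456789abcdef" * 4, "d_ifv": "0123456789abcdef" * 2,
    "osr": "14", "osv": "34", "osn": "UPSIDE_DOWN_CAKE",
    "dev": "cheetah", "tgs": "release-keys",
    "fgp": "google/cheetah/cheetah:14/UQ1A.240105.004/10814564:user/release-keys",
    "ua": "TGTG/23.11.2 Dalvik/2.1.0 (Linux; U; Android 14; Pixel 7 Pro Build/UQ1A.240105.004)",
}
MISMATCHED = dict(CONSISTENT, cid="a1b2c3d4e5f6g7h8" * 4, osv="33", dev="panther")

if __name__ == "__main__":
    print(inconsistencies(CONSISTENT))
    print(inconsistencies(MISMATCHED))
```

A non-empty result is a signal to score or log, not proof of automation on its own.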

The Datadome SDK endpoint returns a JSON response:

{
  "status": 0,
  "cookie": "datadome=AHrlqAAAAAMAb…truncated…==; Path=/; Secure; HttpOnly"
}

Extract the cookie value and include it in your TGTG API requests:

curl -X POST https://api.toogoodtogo.com/api/auth/v5/authByEmail \
  -H "Content-Type: application/json" \
  -H "Cookie: $cookie" \
  -d '{"device_type":"ANDROID","email":"[email protected]"}'

That’s it. You now have a working Datadome cookie for authenticated TGTG API requests.

Important Considerations

This implementation is based on TGTG Android app analysis from November 2025 and Datadome SDK version 3.0.4. Both Datadome and TGTG update their systems regularly. What works today may require adjustments as versions change.

Questions or improvements? Reach out on Discord.

Production-Ready Implementation

A working implementation with automatic cookie refresh is available on GitHub:

DataDomeCookieManager.kt

For a complete no-code solution with automatic Datadome handling, notifications, and monitoring, see the TGTG Script on the Cereal Marketplace. For broader context on how bot protection bypassing works, see Bypassing Cloudflare with Browser Automation.
