Bot-detection bypass for production smoke.
The story of running headed Playwright via MCP with request-shaping injection to keep prod verification viable, without weakening upstream bot-detection for actual customers.
The setup
Production smoke runs on real prod URLs. That's the whole point — they catch what staging can't, because staging doesn't have the upstream CDN, the real CMS, the real third-party JS that breaks on Tuesdays.
The catch: prod has bot-detection turned on (we have it for a reason — credit-card fraud through automated checkout). Playwright headed-and-instrumented looks like exactly the thing bot-detection is built to block. So the smoke suite started failing at the CDN before reaching our app.
We had three options: weaken prod bot-detection (no), give up prod smoke (no), or find a third way.
The third way
Run Playwright via MCP. The Model Context Protocol indirection happens to give us a clean injection point for request-shaping — we can stamp the smoke traffic with a verifiable, time-boxed token that our edge accepts as "this is QA, let it through" while leaving the default-deny posture for everyone else intact.
That's the one-line summary. The interesting part is the boundaries.
What the request-shape does
- Stamps an HMAC-signed token with a 90-second TTL into a custom header.
- The edge validates the token and bypasses bot-detection only if the IP is in our CI runner CIDR.
- Token signing key is rotated weekly via the same secret pipeline as our deploy keys.
What it doesn't do
- Doesn't disable bot-detection for real traffic — the check still runs for every other request.
- Doesn't whitelist runners by IP alone — IP + token + TTL.
- Doesn't survive a leaked token — TTL kills it inside 90s.
The MCP angle
This pattern works without MCP too — you could inject the headers in plain Playwright. But the MCP layer gave us two unexpected wins:
- Auditability. Every prod-smoke action goes through the MCP gateway, which logs the agent identity, the spec name, and the action verb. We get an audit trail that's missing in a plain Playwright run.
- Reuse. The same shaping pattern works for any agent — the Codex RCA agent, the Browser Use eval harness — without each having to re-implement it.
Results
- Prod smoke runs green. 100% reachability since deployment.
- Bot-detection unchanged. Customer-side surface area is the same.
- One fraud attempt caught in the first month — the same week we deployed this. Bot-detection still works.
What I'd tell another QA engineer
- If you're tempted to disable security to make tests pass, stop. There's almost always a token-shaped third option.
- Make tokens short-lived. 90 seconds is fine. Anything longer is a credential.
- Audit logs from the MCP gateway became unexpectedly useful for debugging "why did this test fail in prod but pass in staging."