How to Tell If a Website Uses hCaptcha
hCaptcha is a privacy-focused reCAPTCHA alternative. Detect it via the js.hcaptcha.com/1/api.js script, the h-captcha widget div with data-sitekey, the hcaptcha global and hcaptcha.com iframes.
hCaptcha is the best-known privacy-focused alternative to Google reCAPTCHA, protecting forms, logins and sign-ups from bots while avoiding Google's data collection. Because it loads from a distinctive host and renders a recognisable widget, detecting it is straightforward: look for the js.hcaptcha.com/1/api.js script and an h-captcha element with a data-sitekey. This guide covers every reliable signal, the widget architecture behind them, the other CAPTCHA services to distinguish it from, and what hCaptcha usage tells you about the site's security and privacy priorities.
What is hCaptcha?
hCaptcha is a CAPTCHA service that distinguishes humans from bots, typically by asking users to complete an image-classification challenge or by running an invisible risk assessment. Its positioning is what sets it apart: it markets itself as privacy-respecting and independent of Google, does not use the data for advertising, and operates a model that can pay website owners for the challenges their visitors solve. It gained major prominence when Cloudflare adopted it as the default for its managed challenges for a period, and it is widely used by sites that want bot protection without relying on Google reCAPTCHA.
For detection, the key context is that hCaptcha is a security control with a privacy angle. Finding it tells you the site protects against automated abuse — credential stuffing, spam sign-ups, scraping — and that it deliberately chose a non-Google CAPTCHA, often for privacy, GDPR or independence reasons (or because of a Cloudflare deployment). Because hCaptcha loads from its own domain and renders a clearly-marked widget, it is one of the easier security tools to confirm by inspecting a protected form.
How hCaptcha loads and renders
An hCaptcha install loads the API script from https://js.hcaptcha.com/1/api.js and renders into elements that carry the class h-captcha and a data-sitekey attribute (the public key identifying the site's hCaptcha configuration). The script finds these elements and injects the challenge, which runs inside an iframe served from hcaptcha.com (with assets from newassets.hcaptcha.com). At runtime it exposes the global window.hcaptcha object, with methods like hcaptcha.render, hcaptcha.execute and hcaptcha.getResponse.
hCaptcha can run in visible mode (the checkbox/challenge widget) or invisible mode (triggered programmatically on form submit). In both cases the api.js script, the data-sitekey, and the hcaptcha.com iframe are present. The data-sitekey is public — it is how the widget knows which configuration to load — so capturing it confirms hCaptcha and identifies the site key. Knowing this — the js.hcaptcha.com/1/api.js script, the h-captcha element with data-sitekey, the hcaptcha global, and the hcaptcha.com iframe — makes detection quick and certain.
How to tell if a website uses hCaptcha
Confirm at least one strong signal.
1. Check the Network tab. Filter for hcaptcha. The js.hcaptcha.com/1/api.js script and challenge assets from hcaptcha.com/newassets.hcaptcha.com confirm hCaptcha.
2. Inspect the widget. Find the CAPTCHA on a form and inspect it. An element with class h-captcha and a data-sitekey attribute, plus an hcaptcha.com iframe, is the definitive signal.
3. Use the console. Type hcaptcha and press Enter. A returned object with render/execute methods confirms the API is loaded.
4. View the source. Search for hcaptcha or h-captcha. The api.js script reference and the widget markup are usually visible.
5. Read the data-sitekey. The data-sitekey identifies the hCaptcha configuration behind the site.
What the hCaptcha signals look like
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<div class="h-captcha" data-sitekey="10000000-ffff-ffff-ffff-000000000001"></div>
window.hcaptcha = { render: ƒ, execute: ƒ, getResponse: ƒ, … }
<iframe src="https://newassets.hcaptcha.com/captcha/…"></iframe>
The combination of the js.hcaptcha.com/1/api.js script, the h-captcha element with data-sitekey, and the hcaptcha.com iframe is conclusive.
hCaptcha versus other CAPTCHAs — avoiding false positives
Match the host and class to keep CAPTCHA services distinct. hCaptcha uses js.hcaptcha.com and the h-captcha class; Google reCAPTCHA uses google.com/recaptcha (or recaptcha.net) and the g-recaptcha class with a grecaptcha global; Cloudflare Turnstile uses challenges.cloudflare.com/turnstile and the cf-turnstile class with a turnstile global; Friendly Captcha and others have their own hosts. The h-captcha class and the hcaptcha.com host are unique to hCaptcha. One nuance: because Cloudflare used hCaptcha for managed challenges, an hCaptcha challenge may appear as part of a Cloudflare security flow rather than a site-owner's explicit form protection — context (a Cloudflare interstitial versus a form widget) tells you which.
How reliable is each hCaptcha signal?
The js.hcaptcha.com/1/api.js script and the h-captcha element with data-sitekey are definitive, as is an hcaptcha.com/newassets.hcaptcha.com iframe. The window.hcaptcha global is equally strong. The data-sitekey reliably identifies the configuration. The weakest situation is invisible-mode hCaptcha that only triggers on form submit, so you may need to interact with the form to see the challenge — but the api.js script and the data-sitekey are present regardless. As a rule, the api.js host or the h-captcha element settles it.
What hCaptcha usage reveals about a site
Finding hCaptcha signals a site that protects against automated abuse while deliberately avoiding Google reCAPTCHA. The places it appears are informative: on sign-up and login forms it indicates protection against bot account creation and credential stuffing; on contact and comment forms it indicates spam prevention. The choice of hCaptcha over reCAPTCHA usually reflects a privacy preference, GDPR considerations, independence from Google, or a Cloudflare-based deployment. If you sell security, bot-management, privacy or fraud-prevention tooling, an hCaptcha site marks a security-and-privacy-conscious team. Its presence tells you the site has experienced or anticipates automated abuse and has taken a deliberate, privacy-aware step to counter it.
What finding hCaptcha means for sales, agencies and competitive research
For sales and prospecting, hCaptcha marks a security-and-privacy-conscious site — a fit for bot management, fraud prevention, privacy and security tooling. The forms it protects hint at the abuse the site faces (account fraud, spam, scraping).
For agencies and consultants, finding hCaptcha tells you the client cares about both security and privacy, so engagements can address bot protection holistically — WAF, rate limiting, account-security — while respecting the privacy stance that led them away from reCAPTCHA.
For competitive and market research, hCaptcha versus reCAPTCHA adoption reveals a site's privacy posture and its relationship with Google's ecosystem. Spotting hCaptcha suggests a deliberate, privacy-minded security choice, useful when benchmarking how seriously a competitor treats data protection.
hCaptcha in the wider security stack
hCaptcha sits in the bot-and-abuse-prevention layer and often accompanies other security measures. On forms it pairs with server-side validation and rate limiting; site-wide it may sit behind a CDN/WAF (Cloudflare especially, given the hCaptcha relationship) that provides broader bot management. Privacy-conscious sites running hCaptcha frequently also run privacy-respecting analytics and a consent-management platform, reinforcing the privacy theme. For an auditor, the valuable details are which forms hCaptcha protects, the data-sitekey, whether it is visible or invisible mode, and whether a CDN/WAF and privacy tools accompany it; together these reveal a security-and-privacy-conscious posture and the threats the site is defending against.
A quick hCaptcha confirmation walkthrough
Open the site and navigate to a form with a CAPTCHA (a sign-up, login or contact form). Open developer tools on the Network panel and filter for hcaptcha — the js.hcaptcha.com/1/api.js script and hcaptcha.com challenge assets confirm it. Inspect the widget for an h-captcha element with a data-sitekey, and confirm the challenge runs in an hcaptcha.com iframe. In the console, type hcaptcha to confirm the global. For invisible mode, submit the form to trigger the challenge. The api.js host or the h-captcha element confirms hCaptcha and the data-sitekey identifies the configuration.
A quick hCaptcha detection checklist
- Filter the Network tab for
hcaptcha; thejs.hcaptcha.com/1/api.jsscript is conclusive. - Inspect the widget for an
h-captchaelement with adata-sitekey. - Confirm the challenge iframe is served from
hcaptcha.com/newassets.hcaptcha.com. - Type
hcaptchain the console to confirm the global. - Read the
data-sitekeyto identify the configuration. - Distinguish hCaptcha (
h-captcha) from reCAPTCHA (g-recaptcha) and Turnstile (cf-turnstile).
Detecting hCaptcha at scale
Checking one site is quick, but mapping CAPTCHA adoption across many domains — to understand security and privacy postures in a market — calls for automation. StackOptic detects hCaptcha and thousands of other technologies from a real browser, reading scripts, DOM markers and iframes. Because the CAPTCHA a site chooses is a small but revealing privacy signal, a market-wide scan that separates hCaptcha from reCAPTCHA adoption effectively segments a sector by how much its sites prioritise privacy and independence from Google — useful context whether you sell privacy tooling, benchmark competitors, or assess an industry's data-protection maturity. For related reading, see our guide to telling if a website uses Google reCAPTCHA and the full hCaptcha technology profile.
Frequently asked questions
What is the fastest way to tell if a site uses hCaptcha?
Look for the CAPTCHA widget on a form, then open the Network tab and filter for 'hcaptcha'. You will see js.hcaptcha.com/1/api.js load and challenge assets from hcaptcha.com/newassets.hcaptcha.com. In the source, an element with class h-captcha and a data-sitekey attribute is the definitive signal.
What is the h-captcha div and data-sitekey?
hCaptcha renders into an element with the class h-captcha that carries a data-sitekey attribute identifying the site's hCaptcha configuration. The api.js script finds these elements and injects the challenge iframe. Finding an h-captcha element with a data-sitekey is a strong, characteristic hCaptcha signal.
How is hCaptcha different from reCAPTCHA?
Both are CAPTCHA services that protect forms from bots, but hCaptcha markets itself as privacy-focused and independent of Google, and it pays site owners for solved challenges. Detection differs by host and class: hCaptcha uses js.hcaptcha.com and the h-captcha class, while reCAPTCHA uses google.com/recaptcha and the g-recaptcha class.
Why might a site choose hCaptcha over reCAPTCHA?
Common reasons are privacy (avoiding Google's data collection), independence from Google, GDPR considerations, and the revenue-share model. Cloudflare also adopted hCaptcha for its managed challenges for a period. So hCaptcha often signals a privacy-conscious choice or a Cloudflare-related deployment.
What does it mean if a site uses hCaptcha?
hCaptcha indicates a site protecting forms, logins or sign-ups from bots and automated abuse, while deliberately choosing a privacy-focused alternative to Google reCAPTCHA. Its presence signals attention to both security and privacy, common on privacy-conscious sites and some Cloudflare-protected ones.
Analyse any website with StackOptic
Get the full technology stack, performance, security and SEO report in seconds — free.
Analyse a websiteRelated articles
How to Tell If a Website Uses Heap
Heap (Heap Analytics) autocaptures product events. Detect it via the cdn.heapanalytics.com script, the global heap object, heapanalytics.com beacons and _hp2 cookies.
How to Tell If a Website Uses Foundation
Foundation (by Zurb) is a responsive front-end framework. Detect it via its grid classes (row/columns, grid-x/cell), data-* component attributes and the foundation.css/js files.
How to Tell If a Website Uses Crisp
Crisp is a developer-friendly, affordable live-chat and messaging tool. Detect it via the client.crisp.chat/l.js script, the window.$crisp object and the CRISP_WEBSITE_ID value.